On 10 February, Thomas Murray hosted an exclusive DORA webinar session, where we shared 2025 take-homes, plus the outlook and must-haves for 2026, including regulatory timelines, reporting requirements, and procedures.
The presentation can be accessed here, and you can also watch the recording.
Main discussion points:
What were the major DORA challenges in 2025 (key milestones and take-homes)?

Last year, the RoI was the primary challenge: under DORA Article 28, financial entities must maintain, and submit each year, a comprehensive Register of Information (RoI) documenting all contractual arrangements with ICT third-party service providers. The register, kept at entity, sub-consolidated, and consolidated levels, records service provider details, contract scope, and the functions each arrangement supports, flagging which of those are critical or important. The deadline for the first full, mandatory reporting cycle is March 2026.
This is a very detail-oriented piece of regulation. Regulators are scrutinising the RoI structure closely, and it is so strictly governed that it has become a challenge for many organisations.
The problems we see most often are missing or invalid identifiers, file structure issues, and referential integrity issues (a contract pointing at an entity, provider or function that is not declared elsewhere in the register). These stem directly from how complicated the linking structure is and what the data requirements are. To address this, we recommend tooling and, in particular, centralised RoI management. Best practice is to keep the register up to date and "live", although we appreciate that there is sometimes a last-minute rush to complete such activities. We have been able to help clients report their RoI in less than ten days, even when they came to us very late, close to the reporting deadline.
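The three failure classes above (invalid identifiers, structural defects, broken links) can all be caught by a pre-submission validator. The following is an added, self-contained example written for this page; it is not Thomas Murray's tooling and not the ESAs' official RoI templates. It uses a constructed, simplified three-table model of the register (entities, providers, contracts) with fictitious data, and it checks LEI check digits with ISO 7064 MOD 97-10, the scheme the LEI standard (ISO 17442) uses.

```python
"""Added example: simplified RoI integrity checks (illustrative only).

Assumptions (not from the page): the register is modelled as three in-memory
tables, entities and providers keyed by LEI, plus a list of contract rows.
All identifiers and names below are constructed sample data.
"""
import string
from typing import Dict, List, Tuple

ALNUM = set(string.ascii_uppercase + string.digits)


def _mod97(value: str) -> int:
    """ISO 7064 MOD 97-10 numeric expansion (A=10 ... Z=35), reduced mod 97.
    Done digit by digit so long strings never become huge integers."""
    total = 0
    for ch in value:
        for d in str(int(ch, 36)):
            total = (total * 10 + int(d)) % 97
    return total


def lei_is_valid(lei: str) -> bool:
    """True if `lei` is 20 upper-case alphanumerics whose last two characters
    are correct ISO 7064 MOD 97-10 check digits (the LEI / ISO 17442 scheme)."""
    return len(lei) == 20 and set(lei) <= ALNUM and _mod97(lei) == 1


def make_lei(prefix18: str) -> str:
    """Append the two check digits to an 18-character prefix. Used here only
    to build the constructed sample identifiers; a real LEI comes from a LOU."""
    assert len(prefix18) == 18 and set(prefix18) <= ALNUM
    check = 98 - _mod97(prefix18 + "00")
    return f"{prefix18}{check:02d}"


def validate_register(entities: Dict[str, str], providers: Dict[str, str],
                      contracts: List[dict]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings. Codes mirror the three failure classes
    named in the text: INVALID_ID, STRUCTURE, REF_INTEGRITY."""
    findings: List[Tuple[str, str]] = []
    for table, ids in (("entities", entities), ("providers", providers)):
        for lei in ids:
            if not lei_is_valid(lei):
                findings.append(("INVALID_ID", f"{table}: bad LEI {lei!r}"))
    required = ("ref", "entity", "provider", "function", "critical")
    seen = set()
    for row in contracts:
        missing = [f for f in required if f not in row or row[f] in ("", None)]
        if missing:
            findings.append(("STRUCTURE", f"{row.get('ref')}: missing {missing}"))
            continue
        if row["ref"] in seen:
            findings.append(("STRUCTURE", f"{row['ref']}: duplicate contract reference"))
        seen.add(row["ref"])
        # Referential integrity: every link must resolve to a declared row.
        for field, table in (("entity", entities), ("provider", providers)):
            if not lei_is_valid(row[field]):
                findings.append(("INVALID_ID", f"{row['ref']}: bad LEI in {field}"))
            elif row[field] not in table:
                findings.append(("REF_INTEGRITY",
                                 f"{row['ref']}: {field} {row[field]} not declared"))
    return findings


# Constructed sample register: fictitious entities, providers and contracts.
ENTITY_LEI = make_lei("9876543210ABCDEFGH")
PROVIDER_LEI = make_lei("ABCDEFGHIJ12345678")
UNDECLARED_LEI = make_lei("ZYXWVUTSRQ00000001")   # valid LEI, never declared

ENTITIES = {ENTITY_LEI: "Example Bank AG"}
PROVIDERS = {PROVIDER_LEI: "Example Cloud Ltd"}
CONTRACTS = [
    {"ref": "CTR-0001", "entity": ENTITY_LEI, "provider": PROVIDER_LEI,
     "function": "payment processing", "critical": True},
    {"ref": "CTR-0001", "entity": ENTITY_LEI, "provider": PROVIDER_LEI,
     "function": "card issuing", "critical": True},          # duplicate ref
    {"ref": "CTR-0002", "entity": ENTITY_LEI, "provider": UNDECLARED_LEI,
     "function": "backup storage", "critical": False},       # dangling link
    {"ref": "CTR-0003", "entity": "BADLEI", "provider": PROVIDER_LEI,
     "function": "email hosting", "critical": False},        # malformed LEI
    {"ref": "CTR-0004", "entity": ENTITY_LEI, "provider": PROVIDER_LEI,
     "function": "", "critical": True},                      # missing field
]

if __name__ == "__main__":
    for code, detail in validate_register(ENTITIES, PROVIDERS, CONTRACTS):
        print(f"{code:14} {detail}")
```

Running the file prints one finding per defective row; a clean register yields an empty list. A real register has many more templates and cross-links than this toy model, but the pattern is the same: validate every identifier's syntax first, then confirm that every foreign reference resolves before the file is built, rather than discovering the defect when the regulator's submission portal rejects it.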
Renegotiating contracts with third parties: in 2025, we saw a number of regulators organising direct sessions with ICT third parties to share their DORA expectations. The goal has been to bring financial entities, third parties, and regulators together in the same room and make the renegotiation conversation a little less stressful. Various industry bodies organise these (Thomas Murray experts took part in at least four such sessions last year).
NB: added complications arise when organisations use sister companies (intra-group providers) to deliver critical IT services, since those arrangements still fall within the register and the contractual requirements.
ICT Risk Management Framework review report
- An often overlooked component of reporting is the specific requirement for an ICT Risk Management Framework review report. This should detail any incidents that have taken place; any decisions on operationalising the results of the testing conducted; vulnerability assessments; and any internal audit reviews that have been undertaken. All of these sources feed into the review report and must be formally documented. That requires collaboration across multiple stakeholders within the organisation, and therefore considerable effort, and the report has to be approved by the management body, not the board. If you haven't already included it in your planning, you must include it now.
Regulatory outlook and supervisory priorities for 2026
- We advocate that organisations take a risk-based approach to TPRM: not all third parties are equal, and there are different ways of monitoring and managing their risk. Ongoing attack surface management tools and dark web monitoring are becoming increasingly important for critical third parties. Getting early insight into, and notification of, potential compromise or poor cybersecurity performance will continue to be vital. Attack surface management for third-party monitoring is a necessity, not a luxury. Firms should also review audit rights and anything that could be triggered off the back of contractual changes.
- There are various ways of monitoring third parties, and some organisations are currently more compliant than others. Maturity differs with the level of awareness at board level, the engagement DORA programme managers have secured across their organisations, and the firm's risk appetite.
With the first DORA reporting deadline fast approaching (Q1 2026), now is the time for financial institutions to shift their focus toward ongoing risk management and oversight, particularly around third parties.
Read our TPRM checklist to find out about the 10 essential areas you should consider in 2026.
Want to continue the conversation?
If you'd like to review your compliance status, discuss RoI readiness, or explore how we can support your ongoing requirements, please schedule a complimentary consultation.