
Urgent: Ensuring Compliance with the Register of Information (RoI) 

As we edge closer to the April 15, 2025 deadline for DORA’s Register of Information (RoI) submission, the urgency for financial institutions to comply has reached a critical point. The RoI is one of the most complex and detail-oriented components of the Digital Operational Resilience Act (DORA), designed to ensure greater oversight and resilience within the financial services sector. This newsletter edition delves deep into the RoI's requirements, highlighting the essential steps your organisation must take to avoid penalties and ensure compliance. 

The DORA Register of Information (RoI): What You Need to Know 

The DORA RoI mandates that financial entities submit comprehensive data regarding their third-party ICT providers, particularly those services deemed crucial for operational resilience. It is part of a wider regulatory effort to ensure that financial institutions are not only aware of the risks posed by these third-party relationships but can also mitigate any potential disruptions to their operations. 

Your contacts
Edward Starkie

Director, GRC | Cyber Risk

estarkie@thomasmurray.com

Shreeji Doshi

Director, GRC | Cyber Risk

sdoshi@thomasmurray.com

In essence, the RoI requires financial institutions to disclose information about their third-party ICT providers, including: 

  • Types of Services: Identifying which critical ICT services (e.g., cloud computing, cybersecurity, data storage) are being outsourced to external providers. 
  • The importance of ICT services to the business: Analysis across the different ICT services showing the extent of reliance the business places on the service. 
  • Financial details: Including the extent of spend across the individual third-party contracts. 
  • Operational details: Including the details of where data processing and data storage take place.  

This information is essential for regulatory bodies across Europe to gauge the level of systemic risk within the financial services ecosystem, particularly in the event of ICT-related disruptions. Therefore, the accuracy and completeness of the RoI are of paramount importance. 

 

Why is the RoI Reporting Critical for Your Institution? 

As the deadline approaches, there is little room for error. Failure to submit an accurate RoI by April 15, 2025 can result in severe penalties, ranging from financial fines to reputational damage. However, the consequences of non-compliance go beyond just regulatory sanctions: 

  1. Operational Risk Exposure: Without an accurate RoI, regulators will be unable to fully assess the risks that outsourcing to third-party providers may present. Inaccurate or incomplete data could obscure vulnerabilities that might otherwise be addressed proactively. 
  2. Strategic Resilience Planning: A well-structured RoI helps institutions identify weaknesses in their third-party dependencies. By understanding where the most significant risks lie, institutions can take steps to mitigate those risks, ensuring a stronger, more resilient operational framework. 
  3. Regulatory Oversight and Transparency: DORA places a high emphasis on regulatory transparency, and the RoI is the primary tool through which institutions demonstrate their resilience strategies. The more comprehensive and transparent the information provided, the easier it is for regulators to assess institutional risk profiles. 

 

The Challenges of RoI Compliance: A Deeper Dive 

While the need for a well-prepared RoI is clear, the process of gathering and submitting the necessary data is far from straightforward. Several challenges make compliance more complicated than it might initially seem: 

  • Varying Standards Across Jurisdictions: Financial institutions often operate across multiple jurisdictions, each with its own regulatory nuances. Understanding these varied standards and ensuring that your submission meets all local requirements can be a daunting task. The DORA RoI aims for EU-wide consistency, but each jurisdiction may have unique expectations for what constitutes a “complete” report. In the voluntary RoI dry run held by the European Supervisory Authorities in 2024, 93.5% of applications failed due to data quality issues.
  • Complexity of Third-Party Relationships: Many financial institutions have a broad and complex web of third-party ICT providers, ranging from cloud services to data storage and cybersecurity firms. Understanding the full scope of these relationships and ensuring they are accurately documented can be time-consuming and resource-intensive.
  • Data Gaps: Financial institutions may lack up-to-date, comprehensive records of all third-party engagements. Legacy contracts and outdated supplier information can hinder the creation of a complete RoI. Institutions must ensure that every relevant contract, service level agreement, and risk assessment is included in the report. 

 

The Role of Thomas Murray in Streamlining Compliance 

As the clock ticks down to the final deadline, it is crucial for financial institutions to leverage expert solutions to streamline their compliance efforts. Thomas Murray’s DORA RoI service is designed specifically to help institutions navigate the complexities of third-party ICT provider reporting, ensuring that all submissions are accurate, complete, and timely. 

Here’s how Thomas Murray can assist you in preparing for the DORA RoI deadline: 

  1. Centralised Data Repository: Our platform consolidates all your third-party ICT provider data in one place, making it easier to track, update, and manage information. This ensures that your reporting is thorough and free from errors. 
  2. Automated Risk Assessments: Our tools automatically evaluate the risks associated with each third-party provider, helping you assess potential vulnerabilities that could impact operational continuity. This proactive approach allows you to address risks before they become liabilities. 
  3. Standardised Reporting Across Jurisdictions: Thomas Murray’s tools help ensure that your data is presented in a format that meets the regulatory requirements of all relevant jurisdictions. This standardisation reduces the burden of understanding and meeting diverse local reporting standards. 
  4. Expert Compliance Guidance: Our team of compliance specialists offers guidance and support throughout the entire process. Whether you need help reviewing third-party contracts or understanding jurisdiction-specific requirements, we are here to provide the expertise you need. 
  5. Fast and Efficient Data Collection: Our advanced technology makes it faster and easier to extract the required metadata from existing contracts and service agreements. This reduces the manual effort involved and mitigates the risk of human error. 

 

Steps to Take Now: Preparing for the Final Countdown 

With the deadline now a matter of weeks away, it is essential that your institution takes immediate action to ensure a seamless RoI submission. Here are the critical steps you should take now: 

  1. Conduct a Full Review of Contracts and Service Agreements: Begin by reviewing all third-party ICT service contracts to ensure they are up to date and that all necessary information is included in your RoI.
  2. Identify and Fill Data Gaps: Assess your current data repositories and identify any missing or incomplete information that could delay your submission. Fill in these gaps immediately to avoid last-minute scrambling. 
  3. Leverage Automated Tools: Implement tools designed to streamline the process of data extraction and reporting. This will save you time and ensure that the data you submit is accurate and compliant. 
  4. Engage with Experts: Given the complexity of DORA compliance, it’s crucial to have access to expert support. Engage with compliance specialists who can offer strategic advice and ensure your institution’s submission meets all regulatory expectations. 

The April 15, 2025 deadline for DORA RoI compliance is fast approaching, and the time to act is now. Financial institutions must complete their RoI submissions to meet regulatory requirements and avoid penalties. The challenges are significant, but with the right tools and expertise, compliance can be streamlined. Thomas Murray offers the comprehensive support your institution needs to meet this critical deadline and ensure your submission is timely, accurate, and complete. 

Schedule your RoI discussion with our DORA expert

Whether you decide to proceed with a one-off package or an annual subscription, we’ll provide a fully managed service to ensure you meet the new RoI reporting requirement on time, in the format required. 
