Post-Deadline Reflections: Tackling RoI Reporting Challenges with Confidence
At Thomas Murray, we've guided clients through DORA's RoI reporting requirements. Post-deadline, we're reviewing insights gained and how our approach ensured accurate, timely, and confident compliance.
While submission was mandatory, compliance in practice proved far from straightforward.
The European Banking Authority (EBA) has released its April 2025 observations, identifying several recurring problems across submissions. These included:
- Structural data issues
- Incomplete templates
- Failures in meeting XBRL-CSV validation checks.


Background: What Is the RoI and Why Does It Matter?
The Register of Information (RoI) is a cornerstone of DORA’s operational resilience framework, and must include technical metadata, criticality assessments, exit strategies, and more. It requires financial entities to maintain and report detailed records of all third-party ICT service providers, contracts, and associated business functions.
Far from being a simple spreadsheet exercise, the RoI combines:
- data governance
- risk classification
- business and operations understanding
- contracting approach
- regulatory interpretation.
This multilayered approach explains why so many organisations encountered difficulties during both the dry run and final submission phases.
Common Issues Raised by the EBA
The EBA’s report from April 2025 outlines the most common pitfalls during the dry run phase. These challenges, while predictable, revealed just how difficult it is to operationalise the RoI within legacy systems and fragmented data environments.
| EBA Observation | How Thomas Murray Helped |
| --- | --- |
| 1. Incomplete RoI templates. Many submissions lacked core fields such as contract terms, business function data, or ICT service attributes. | We worked with client-supplied data (not originally formatted to RoI requirements). Through discovery sessions, we identified and completed missing fields such as: contract type, start date, currency; RTO/RPO, LEI, impact status; legal capacity, data storage, exit plans. |
| 2. Poor linkage across datasets. Fields were disconnected; for example, contracts were not linked to the correct supplier or ICT system. | We configured our platform to establish correct relationships: Contract ↔ Supplier; Contract ↔ ICT System; Business Function ↔ Contract. We highlighted missing mappings and iteratively filled these with the client. |
| 3. Blank mandatory fields. Mandatory fields were left empty, often due to data gaps or misinterpretation of requirements. | We provided a field-by-field gap analysis, listing missing data and explaining how each field should be populated. We shared this in spreadsheet format and walked the client through it over collaborative sessions. |
| 4. Incorrect classification of ICT providers. Some providers were labelled incorrectly or omitted entirely. | We held dedicated sessions to help define third-party ICT providers, especially where services were subcontracted. We advised on legal capacity and supplier structure, including foreign providers. |
| 5. Misalignment between business functions and ICT dependencies. | Our team ensured each business function had a traceable link to ICT services and contracts, and that the criticality assessment (RTO/RPO) matched DORA expectations. |
| 6. Failure to pass XBRL-CSV validation checks. Even seemingly complete reports failed the final technical check. | We produced draft outputs in .xlsx, .csv, and XBRL-CSV. Using the official RoI Validator, we pre-validated the data and iterated with the client until all validation errors were resolved. |
| 7. Lack of clarity in interpreting the template. | Clients found the regulatory language difficult to apply to real internal records. We translated DORA requirements into practical, operational language and advised on: entity setup; contract types; system mapping; risk tiering logic. |
Our Process in Practice
Here’s how we guided one of our clients through RoI reporting from start to finish:
- Initial Data Review - We ingested internal data on ICT providers, contracts, and business functions. Instead of providing an RoI template, we mapped the raw data and reviewed the client’s partially completed dry run file.
- Clarification and Contract Structuring - We organised workshops to understand ICT arrangements and advised on entity setup, contract typology, the appropriate level of ICT Rank, etc.
- Technology Configuration - We configured our platform to align incoming data with the RoI schema and pre-fill known fields.
- Gap Identification - We created a customised checklist of missing or mis-linked fields across suppliers, contracts, systems, and services.
- Iterative Completion - We collaborated closely via calls and email to gather required data. With each iteration, we filled another piece of the puzzle.
- Validation and Final Output - We generated and validated .xlsx, .csv, and XBRL-CSV files. The final output passed all EBA technical checks.
Outcome: On-Time, Error-Free RoI Submission
Thanks to our structured process, the client was able to submit a complete and validated RoI—meeting both the spirit and the letter of the regulation. Even after the deadline, we remain actively engaged in helping firms improve their submissions or prepare for next year’s iteration.
Key Takeaways
- Start with what you have – perfect data is rare; the key is knowing how to make it usable.
- RoI is not just a form – it's a reflection of how your organisation views ICT risk and operational dependency.
- Validation is not optional – many firms submitted files that failed EBA validation tools.
- Partnership is essential – we deliver clarity, not just compliance.
Ready for the next stage of DORA?
Whether you need support with:
- implementing a DORA compliance roadmap
- testing digital operational resilience
- preparing for incident reporting
- revalidating or managing RoI
- performing ICT third party assessments
- conducting risk assessments,
Thomas Murray is your trusted partner.
Whether you decide to proceed with a one-off package or an annual subscription, we’ll provide a fully managed service to ensure you meet the new RoI reporting requirement on time, in the format required.
