DORA Digest: May 2025

Post-Deadline Reflections: Tackling RoI Reporting Challenges with Confidence

At Thomas Murray, we've guided clients through DORA's RoI reporting requirements. Post-deadline, we're reviewing insights gained and how our approach ensured accurate, timely, and confident compliance.

While submission was mandatory, compliance in practice proved far from straightforward.

The European Banking Authority (EBA) has released its April 2025 observations, identifying several recurring problems across submissions. These included:

Structural data issues

Incomplete templates

Failures in meeting XBRL-CSV validation checks.

Your contacts

Edward Starkie

Director, GRC | Cyber Risk

estarkie@thomasmurray.com

Shreeji Doshi

Director, GRC | Cyber Risk

sdoshi@thomasmurray.com

Background: What Is the RoI and Why Does It Matter?

The Register of Information (RoI) is a cornerstone of DORA’s operational resilience framework, and must include technical metadata, criticality assessments, exit strategies, and more. It requires financial entities to maintain and report detailed records of all third-party ICT service providers, contracts, and associated business functions.

Far from being a simple spreadsheet exercise, the RoI combines

data governance

risk classification

business and operations understanding

contracting approach

regulatory interpretation.

This multilayered approach explains why so many organisations encountered difficulties during both the dry run and final submission phases.

Common Issues Raised by the EBA

The EBA’s report from April 2025 outlines the most common pitfalls during the dry run phase. These challenges, while predictable, revealed just how difficult it is to operationalise the RoI within legacy systems and fragmented data environments.

EBA Observation	How Thomas Murray Helped
1. Incomplete RoI templates Many submissions lacked core fields such as contract terms, business function data, or ICT service attributes.	We worked with client-supplied data (not originally formatted to RoI requirements). Through discovery sessions, we identified and completed missing fields such as: – Contract type, start date, currency – RTO/RPO, LEI, impact status – Legal capacity, data storage, exit plans
2. Poor linkage across datasets Fields were disconnected—for example, contracts were not linked to the correct supplier or ICT system.	We configured our platform to establish correct relationships: – Contract ↔ Supplier – Contract ↔ ICT System – Business Function ↔ Contract We highlighted missing mappings and iteratively filled these with the client.
3. Blank mandatory fields Mandatory fields were left empty, often due to data gaps or misinterpretation of requirements.	We provided a field-by-field gap analysis, listing missing data and explaining how each field should be populated. We shared this in spreadsheet format and walked the client through it over collaborative sessions.
4. Incorrect classification of ICT providers Some providers were labelled incorrectly or omitted entirely.	We held dedicated sessions to help define third-party ICT providers, especially where services were subcontracted. We advised on legal capacity and supplier structure, including foreign providers.
5. Misalignment between business functions and ICT dependencies	Our team ensured each business function had a traceable link to ICT services and contracts, and that the criticality assessment (RTO/RPO) matched DORA expectations.
6. Failure to pass XBRL-CSV validation checks Even seemingly complete reports failed the final technical check.	We produced draft outputs in .xlsx, .csv, and XBRL-CSV. Using the official RoI Validator, we pre-validated the data and iterated with the client until all validation errors were resolved.
7. Lack of clarity in interpreting the template	Clients found the regulatory language difficult to apply to real internal records. We translated DORA requirements into practical, operational language and advised on: – Entity setup – Contract types – System mapping – Risk tiering logic

Our Process in Practice

Here’s how we guided one of our clients through RoI reporting from start to finish:

Initial Data Review - We ingested internal data on ICT providers, contracts, and business functions. Instead of providing an RoI template we mapped the raw data and reviewed the client’s partially completed dry run file.

Clarification and Contract Structuring - We organised workshops to understand ICT arrangements and advised on entity setup, contract typology, and the appropriate level of ICT Rank, etc

Technology Configuration - We configured our platform to align incoming data with RoI schema and pre-fill known fields.

Gap Identification - We created a customised checklist of missing or mis-linked fields across suppliers, contracts, systems, and services.

Iterative Completion - We collaborated closely via calls and email to gather required data. With each iteration, we filled another piece of the puzzle.

Validation and Final Output - Generated and validated .xlsx, .csv, and XBRL-CSV files. Final output passed all EBA technical checks.

Outcome: On-Time, Error-Free RoI Submission

Thanks to our structured process, the client was able to submit a complete and validated RoI—meeting both the spirit and the letter of the regulation. Even after the deadline, we remain actively engaged in helping firms improve their submissions or prepare for next year’s iteration.