Key Steps for ROI Submissions and Compliance
DORA’s Register of Information (ROI) submissions for 2025 are now long past, but the next annual submission is expected in early 2026. Now is the time to prepare for DORA ROI deadlines and acquire the tools you need to stay ahead in operational resilience.
The good news? There aren’t many new changes from last year’s DORA requirements. The bad news? You still have to grapple with the Register of Information. According to Deloitte’s Wave 3 survey on DORA operational resilience, 46% of financial institutions cite the ROI as the most challenging part of compliance. (Spoiler: Panorays can simplify this tedious step. See how Panorays automates DORA compliance.)
- January 17, 2025: DORA becomes applicable and enforcement begins
- April 30, 2025: First ROI deadline
- Late 2025: Current preparation phase
- Early 2026: Next ROI submission deadline
What is DORA? Understanding the Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is the EU’s comprehensive regulation designed to bolster the operational resilience of financial entities against ICT-related disruptions. It mandates robust frameworks for managing ICT risks, reporting incidents, testing resilience, overseeing third-party providers, and sharing threat intelligence. With DORA applicable since January 17, 2025, financial institutions face increasing supervisory scrutiny, including potential fines for non-compliance.
Adding to the urgency, new regulations are emerging to extend oversight to non-ICT third-party providers, ensuring a holistic approach to third-party risk management under DORA.
What’s New for 2026 DORA ROI Submissions? Updates and Preparation Tips
As stated, there aren’t many changes from last year’s DORA requirements, but preparation remains critical to avoid compliance gaps in 2026 ROI submissions. Key milestones include the annual Register of Information (ROI) submission deadline in early 2026, building on the initial 2025 process.
Regulators will expect more mature submissions, with detailed documentation of ICT third-party arrangements, including subcontractors, and evidence of ongoing risk mitigation. The European Supervisory Authorities (ESAs) strongly discourage spreadsheets for official reporting.
The leading digital insurance provider, Lemonade, switched from spreadsheets to automation with ease. Read the Lemonade DORA case study for real-world insights.
The European Banking Authority (EBA) launched a consultation in July 2025 to introduce draft guidelines for managing third-party risks related to non-ICT services. These guidelines align with DORA’s proportionality principle, ensuring risk management is tailored to an institution’s size and complexity. They emphasize the importance of risk assessment, due diligence, and maintaining a unified register for both ICT and non-ICT arrangements.
The draft guidelines propose a two-year transitional period for reviewing existing arrangements, but the consultation period itself closes on October 8, 2025, so institutions should plan now for an integrated ICT and non-ICT risk strategy rather than waiting for the final text.
Preparing now also avoids last-minute risks, such as incomplete mappings or overlooked concentration vulnerabilities, which could lead to regulatory penalties under DORA.
What are DORA’s Five Pillars? A Breakdown for Financial Institutions
DORA’s framework is built on five core pillars that collectively enhance digital resilience for financial institutions. Understanding these can help in optimizing your DORA strategy for 2026:
- ICT Risk Management: Establish structured processes to identify, assess, and mitigate ICT risks, including asset mapping and continuous monitoring to integrate security into business operations.
- Incident Reporting: Adhere to strict timelines for classifying and reporting ICT incidents, ensuring detailed documentation and corrective actions to minimize disruptions.
- Operational Resilience Testing: Conduct regular tests, such as penetration testing and business continuity drills, to validate system robustness against cyber threats and operational failures.
- Managing Third-Party Risk: Perform due diligence on ICT providers, monitor the full subcontracting chain, and develop contingency plans to address supply chain vulnerabilities.
- Information and Threat Intelligence Sharing: Implement detection, response, and recovery frameworks with clear procedures for handling threats, and participate in the information-sharing arrangements DORA encourages to strengthen industry-wide defenses.
Each pillar directly impacts financial institutions by requiring proactive measures, particularly in third-party and ICT risk management, where dependencies on external providers can amplify systemic risks.
Common Challenges Financial Institutions Face with DORA Compliance
Financial institutions continue to be challenged by DORA’s demands, as highlighted in recent surveys. Complex reporting requirements for the ROI top the list.
As stated above, 46% of entities identify the Register of Information as the most challenging aspect of DORA. Testing ICT business continuity plans, especially scenarios involving provider insolvency or political risks, poses difficulties for 25%; 17% cite due diligence and risk assessments on ICT third-party providers; and 12% struggle with segregating and segmenting ICT systems based on criticality and risk profiles.
Figure: DORA Compliance by Pillar
Managing third-party and vendor risks across the supply chain remains a persistent challenge for financial institutions under DORA. Limited visibility into subcontractors often exacerbates concentration risks, making it difficult to assess the full scope of dependencies. Gaining operational visibility and maintaining comprehensive documentation is another significant pain point.
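Concentration risk in the subcontracting chain is easy to miss when the register only records the direct provider. The following is an added example, not code from the original post or from Panorays: it models a handful of constructed register rows (hypothetical entity, providers and chain), walks each arrangement’s provider and subcontractor chain, and reports any party, at any tier, that underpins several critical functions, plus critical arrangements whose chain has not been mapped at all. The tier numbering (direct provider = third party, first subcontractor = fourth party, and so on) and the field names are simplifying assumptions for illustration, not the official ROI template.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Arrangement:
    """One row of a simplified, hypothetical register of information."""
    arrangement_id: str
    function: str                        # business function the ICT service supports
    critical: bool                       # critical or important function?
    provider: str                        # direct (third-party) ICT provider
    # Ordered subcontracting chain: index 0 is the fourth party, index 1 the fifth, ...
    # None means the chain has not been mapped; [] means confirmed no subcontractors.
    subcontractors: Optional[List[str]]


# Constructed sample register: all names are made up for illustration.
SAMPLE_REGISTER = [
    Arrangement("A-001", "Payment processing", True, "CloudCo", ["DC-Hosting"]),
    Arrangement("A-002", "Core banking", True, "CoreVendor", ["CloudCo", "DC-Hosting"]),
    Arrangement("A-003", "Customer portal", True, "WebAgency", ["CloudCo", "DC-Hosting"]),
    Arrangement("A-004", "HR payroll", False, "PayrollInc", []),
    Arrangement("A-005", "Fraud analytics", True, "AnalyticsLtd", None),  # chain unmapped
]


def dependency_map(register: List[Arrangement]) -> Dict[str, Dict[str, set]]:
    """Map every party at any tier to the critical functions that depend on it
    and the tiers (3 = direct provider, 4 = fourth party, ...) at which it appears."""
    deps: Dict[str, Dict[str, set]] = defaultdict(lambda: {"functions": set(), "tiers": set()})
    for a in register:
        if not a.critical:
            continue
        chain = [a.provider] + (a.subcontractors or [])
        for tier, name in enumerate(chain, start=3):
            deps[name]["functions"].add(a.function)
            deps[name]["tiers"].add(tier)
    return deps


def concentration_findings(register: List[Arrangement], threshold: int = 2) -> Dict[str, dict]:
    """Parties supporting at least `threshold` critical functions, directly or indirectly.
    The threshold is an illustrative assumption; DORA does not prescribe a number."""
    findings = {}
    for name, info in dependency_map(register).items():
        if len(info["functions"]) >= threshold:
            findings[name] = {
                "functions": sorted(info["functions"]),
                "tiers": sorted(info["tiers"]),
            }
    return findings


def unmapped_chains(register: List[Arrangement]) -> List[str]:
    """Critical arrangements whose subcontracting chain has never been recorded."""
    return [a.arrangement_id for a in register if a.critical and a.subcontractors is None]


if __name__ == "__main__":
    for name, info in concentration_findings(SAMPLE_REGISTER).items():
        print(f"{name}: supports {len(info['functions'])} critical functions at tiers {info['tiers']}")
    print("Critical arrangements with unmapped chains:", unmapped_chains(SAMPLE_REGISTER))
```

On the sample data, CloudCo never looks concentrated if you only read the provider column (it is the direct provider for one arrangement), yet it sits under three critical functions once the chain is followed, and DC-Hosting, which is never a direct provider at all, does too. Distinguishing an unmapped chain (None) from a confirmed empty one ([]) is what lets the register flag the incomplete mappings regulators will ask about rather than silently treating them as low risk.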
According to Deloitte, 96% of institutions have estimated their compliance costs, with most estimates falling between €2 million and €5 million. However, only 50% of these institutions expect to achieve full compliance by the end of 2025, while 38% are targeting 2026. Scaling operations while ensuring resilience adds further complexity to the process.
39% of entities dedicate 5-7 full-time equivalents (FTEs) to compliance efforts. Meanwhile, 8% of institutions have not yet estimated the number of FTEs required for DORA compliance.
How to Get Ready and Build a Strong DORA Strategy for 2026
Start DORA compliance preparation early. Don’t wait for 2026 deadlines. (That’s worth repeating, but I won’t.)
Here are the essential steps to take now for building a DORA strategy:
- Conduct a Gap Analysis: Evaluate your current practices against DORA’s five pillars, prioritizing ICT risk mapping and third-party assessments to identify compliance gaps early.
- Implement Continuous Monitoring: Integrate real-time third-party monitoring to track vendor performance, cybersecurity posture, and subcontracting chains, using automated tools to detect changes in risk levels.
- Centralize Reporting and Documentation: Adopt a dedicated platform instead of spreadsheets to streamline reporting and documentation for regulators, reducing errors and ensuring scalability for ROI submissions.
- Automate Assessments and Evidence Gathering: Use AI-driven questionnaires and audits to streamline due diligence, saving time and ensuring comprehensive evidence collection.
- Develop Robust Incident Response Plans: Create plans with clear roles, vendor communication protocols, and regular testing to ensure resilience during crises.
- Foster Collaborative Strategies: Engage in joint risk assessments with providers to build a resilient ecosystem, aligning with DORA’s emphasis on proportionality and ongoing oversight.
How Panorays Supports DORA Readiness and Third-Party Risk Management
Panorays simplifies compliance with DORA’s five pillars by embedding third-party cyber risk management into your processes. Our platform prepares ROI submission files with ease, capturing essential details like provider criticality, data sensitivity, and subcontracting arrangements in a format that aligns with regulatory templates.
Financial institutions gain full visibility into third-party risks through supply chain discovery. This enables them to identify fourth- and fifth-party dependencies to assess concentration risks and prioritize vendors dynamically.
Streamline reporting and documentation for regulators with automated monitoring that flags threat signals, compliance changes, and vulnerabilities in real time. Our AI-driven automation reduces assessment time, supports customized incident response plans, and ensures contractual provisions enforce DORA-required security controls, making compliance efficient and proactive.
Explore Panorays for DORA compliance to see how it can transform your strategy.
Final Thoughts: Preparing Today for 2026 DORA Submissions and Beyond
2026 is coming, and with it the annual ROI submission and evolving guidelines that demand action now. When companies see DORA compliance as a long-term investment in resilience, they turn regulatory requirements into a competitive edge by minimizing disruptions and building trust. Contact us today to explore how Panorays can support your DORA readiness.