Navigating the Digital Operational Resilience Act’s Register of Information: Insights from Alpha FMC’s Regulatory Roundtable

On January 23rd, Alpha FMC hosted a regulatory roundtable focused on the Digital Operational Resilience Act’s (DORA) Register of Information (RoI). Attended by over 20 firms from the asset and wealth management space (and representing a combined AUM of ~$50trn, the session provided valuable insights into industry-wide challenges and progress. With DORA having come into effect on January 17th, firms are now shifting their focus towards meeting the first RoI submission deadline in March/April 2025 (which varies by jurisdiction).

Key Takeaways from the Roundtable, informed by both peer discussion and the anonymous survey run during the sessions included:

The general sentiment from firms is that while progress has been made, no firm has yet reached a fully complete register. Many have partial registers in place that require significant updates. This is unsurprising given the late publication of European Supervisory Authorities’ (ESAs) amendments and the number of questions raised during recent dry-run exercises

A major challenge highlighted was defining the scope of ICT third-party providers. Some firms are taking a risk-based approach, prioritizing vendors tied to Critical or Important Functions (CIFs). However, vendor complexity remains an issue, as one firm noted that a single vendor often provides multiple services under different contracts, exponentially increasing the number of register entries.

Firms acknowledged that mapping the ICT supply chain is a layered process. 86% have focused on identifying Rank 1 (direct) and Rank 2 (subcontracted) providers. 14% of firms have delved into Rank 3 where complex intra-group structures exist, but obtaining information from non-intragroup subcontractors remains a major challenge due to confidentiality concerns.

Anonymized survey results from the roundtable indicated that firms have adopted principle based approaches to supply chain depth. Notably, the level of depth targeted is not necessarily informed by progress made to date. Instead, firms are making independent determinations of reasonable depth based on proportionality.

A key observation from the discussion was the lack of a standout technological solution for RoI completion. Regardless of the system or tool used, firms noted that “bad inputs create bad outputs.” The underlying challenge is not necessarily the system but rather how firms structure and standardize their data.

Given this, firms may wish to consider governance, risk, and compliance (GRC) tools to better organize their data inputs. A well-structured approach to data governance can enhance automation, making RoI population more efficient and reducing validation errors.

As firms progress through RoI preparation, the nature of their challenges is shifting:

• Early-stage challenges: Gathering core contractual data and agreeing on subjective classifications.
• Mid-stage challenges: Managing intra-group complexity and finalizing the scope of ICT supply chains.
• Later-stage challenges: Organizing data into the required reporting templates while ensuring accuracy and completeness.

The recent dry-run exercise hosted by the European Supervisory Authorities underscored the importance of data accuracy. Only 8% of participants initially passed the first validation round, though over 50% passed subsequent data checks after adjustments. A key lesson was the necessity of ensuring accurate Legal Entity Identifiers (LEIs) and proper CSV formatting.

Many firms are still refining their approaches, particularly around vendor identification and cost apportionment.

A significant discussion point was the need for governance structures that ensure quality assessments before submission. Given the varying submission deadlines across National Competent Authorities (NCAs), firms must balance timeliness with thorough validation.

As firms approach the first RoI submission deadline, now is the time to take stock of progress and pivot towards quality assurance. Some immediate next steps include:

• Conducting targeted quality assessments of RoI completeness and accuracy.
• Refining ICT supply chain mapping methodologies to improve data granularity.
• Exploring technology solutions that can facilitate better data management and automation.

Alpha FMC can support firms with both short-term RoI testing and broader RoI development efforts. Whether through targeted quality assurance reviews or end-to-end RoI population support, Alpha provides expertise to help firms meet regulatory expectations.

With the deadline fast approaching, firms should proactively address these challenges to ensure smooth and compliant RoI submissions in 2025 and beyond.

Get in touch with our team today to discuss how Alpha FMC can support your RoI submission efforts. Contact us at enquiries@alphafmc.com