European financial institutions face compliance pressure as deadlines for the Digital Operational Resilience Act (DORA) Register of Information (RoI) submissions arrive this month, exposing widespread unpreparedness. Fourteen months after DORA took effect on January 17, 2025, only a fraction of the sector has achieved full readiness, with the RoI emerging as the biggest hurdle. Banks, payment providers, and insurers across the EU now face fines of up to 2% of annual global turnover if they fail to deliver accurate inventories of their ICT third-party contracts.
The pressure is immediate, and national variations are sharpening the urgency. In the Netherlands, the submission deadline is March 20, while Germany's falls between March 9 and 30. These dates mark the second annual RoI filing under Article 28 of DORA, which requires every in-scope entity to catalog all contractual arrangements with ICT vendors as of December 31, 2025. National competent authorities then aggregate these into reports for the European Supervisory Authorities (ESAs) by March 31. For firms juggling hundreds or thousands of vendor relationships, manual compilation remains a nightmare, as highlighted by Deloitte's research, in which 46% of institutions flagged the RoI as their toughest challenge.
DORA'S BROAD REACH
DORA targets over 22,000 financial entities including banks, insurers, payment institutions, e-money providers, crypto-asset service providers, and investment firms—plus their critical ICT suppliers. The regulation demands a paradigm shift in digital risk management, mandating resilience against ICT disruptions through rigorous incident reporting, risk assessments, third-party oversight, ICT risk management, digital operational resilience testing, and information sharing. The ESAs have already designated 19 providers as "critical," granting powers for annual audits, on-site inspections, and joint examination teams with national regulators.
Survey data underscores the gap. A McKinsey survey of major European banks found just one-third confident of meeting the original January 2025 deadline. Deloitte's findings are starker: only 50% expected full compliance by end-2025, with 38% delaying into 2026. "Nearly half (46%) identified the Register of Information... as the single most challenging requirement," the firm noted, reflecting the complexity of multi-jurisdictional vendor mapping.
ENFORCEMENT TIGHTENS
2025 served as a transition year for framework reviews, but 2026 marks the shift toward active enforcement. Regulators are pivoting from paperwork checks to demanding live proof of resilience: automated reporting, real-time controls, and ICT risk mastery. Fines aren't the only threat.
National regulators like Germany's BaFin signal no leniency. While BaFin has issued fines for unrelated breaches, the stage is set for DORA-specific actions.
THIRD-PARTY RISKS EXPOSED
At DORA's core lies third-party risk management (TPRM), a domain where firms falter. The regulation requires vendor due diligence integrated into operational resilience. Boards must now treat cyber resilience as a valuation lever, quantifying tail risks.
Firms consolidating vendors for efficiency have unwittingly accrued exposure, trading short-term savings for systemic risk.
PATH FORWARD
DORA evolves dynamically. ESAs plan annual updates to critical provider lists, with the next due later this year. Additional technical standards on incident reporting and subcontracting arrangements are still being finalised. The inaugural full RoI cycle will soon yield a pan-EU view of ICT concentration risks, arming supervisors with unprecedented oversight.
For Europe's banks and fintechs, the lesson from DORA's first 14 months is unequivocal: compliance is perpetual, not a one-off project. Laggards risk not just penalties but the disruptions DORA was built to preempt—outages, data breaches, and contagion. Proactive firms investing in automated TPRM tools and integrated governance will thrive, turning regulatory burden into competitive edge. As deadlines pass this month, the divide between resilient leaders and fined laggards sharpens, reshaping EU finance's digital underbelly.