For the last two years the conversation around the Digital Operational Resilience Act DORA compliance has been theoretical. We have attended the webinars we have drafted the policies and we have mapped our Critical or Important Functions CIFs on whiteboards.

But as of 16 March 2026 the honeymoon period is over. We have entered the era of the Register of Information RoI and the regulators are bringing a microscope not a checklist.

The March Deadline A Systemic Stress Test

Right now thousands of financial entities across the EU are in the final sprint of the March 2 to 31 2026 reporting window. For the first time firms are required to submit their full registers of ICT third party arrangements in the highly technical xBRL CSV format.

This is not just a census of your vendors. It is a digital map of the entire European financial ecosystem. The European Banking Authority EBA and National Competent Authorities NCAs are using these submissions to identify Critical Third Party Providers CTPPs the giants like AWS Azure and Google Cloud but also the specialised fintech node providers that if they failed could trigger a systemic collapse.

The EBAs New Weapon Forensic Data Quality DQ Checks

The biggest news of the week is not just the deadline it is the EBAs announcement regarding automated validation.

Starting in April 2026 the EBA will deploy a suite of over 100 automated Data Quality DQ checks on every register submitted. If you thought you could slide through with Best Effort data think again. The regulators have signalled that the following will trigger immediate rejections and mandatory resubmissions

1. The NA Trap Using generic values like Not Applicable or TBD in mandatory fields especially regarding the names of ICT service providers or their parent companies is an automatic red flag.
2. LEI Integrity Legal Entity Identifiers LEIs are now binary. If an LEI is expired incorrectly formatted or does not match the global GLEIF database your entire file is kicked back.
3. The Interdependency Gap Regulators are looking for the linkage between a third party service and your internal CIFs. If you claim a function is Critical but fail to link it to the underlying ICT service supporting it the data is considered logically inconsistent.

Why This Changes TPRM Forever

This shift marks the death of static Third Party Risk Management TPRM. You can no longer manage risk via an annual PDF questionnaire.

In the 2026 regulatory landscape TPRM and GRC must be data integrated. Your Register of Information must be a living document. When a contract changes in your CLM Contract Lifecycle Management system or a vendor changes a sub processor Nth party that data must flow into your Register automatically.

If your source of truth is still a spreadsheet you are essentially waiting for a Notice of Non Compliance.

The Road Ahead April and Beyond

Once the EBA cleans the data in April the next phase begins The Oversight Framework. The cleanest data will be used to designate the first official Class of 2026 Critical Third Party Providers who will then be subject to direct intrusive oversight by the ESAs.

For the rest of us the message is simple Automate or Evaporate. The volume of data required by DORA combined with the forensic level of scrutiny from the EBA makes manual compliance a physical impossibility.

The Question for your Risk Committee Are we submitting a Register of Information or are we just submitting a list of data gaps that the EBA is about to find?