You submitted your first Register of Information in April 2025. It was painful. It took months of coordination, involved dozens of people across procurement, IT, risk, and legal. But you got it done.
Now it’s 2026 and you’re facing the next submission. You assume it will be easier because you already have last year’s data.
Then reality hits: this time, supervisors are no longer just checking format. They are checking accuracy. You now have to face:
- Half the providers have changed
- Contracts have been renewed with different terms
- New critical services have been onboarded
- The person who coordinated everything has moved to a different role
- Nobody knows who should be updating what
Most organizations treated 2025 as a one-time reporting project: gather data, fill templates, submit, move on. But the Register of Information was designed as an operational database, not a periodic report. Organizations that maintain it continuously avoid the pre-deadline scramble and gain a single source of truth for third-party supply chain oversight.
Without solving three fundamental governance failures, every submission will be just as painful as the first, with increasing risk of regulatory rejection.
I have written previously about why the RoI is fundamentally a data problem and where RoI submissions fail regulatory validation. This post examines the three governance failures that will break RoI sustainability, and why organizations must shift from project thinking to process thinking.
Failure 1: The Ownership Vacuum
In most organizations, responsibility for the 2025 RoI submission fell on whoever was available or willing to coordinate: compliance, risk, IT governance, or a dedicated project manager.
That person became the RoI coordinator. They chased procurement for provider lists, IT for technical details, business units for criticality assessments, and legal for contract information.
But the coordinator did not own the underlying data. They could not, because the data lives in different systems, controlled by different teams, used for different purposes.
The coordinator owned the process of extraction and assembly. Nothing more.
The invisible stakeholders
The people who actually own the operational relationships rarely realize they are stakeholders in the RoI:
- Procurement teams manage provider relationships and own provider master data
- IT and engineering teams architect systems and own service dependency information
- Business unit leaders define what is critical and own criticality assessments, with second-line challenge from risk or resilience functions.
- Legal teams manage contracts and own legal entity information
Each group performs their work daily. The RoI is simply a structured representation of decisions they already make and relationships they already manage. But they do not see it that way.
The consequence
The data becomes stale immediately after submission. Procurement onboards new providers without updating the RoI. Contracts are renewed without informing the coordinator. Services migrate between providers without triggering dependency updates.
Updates depend on the coordinator remembering to ask, having time to chase, and successfully extracting information from people who see it as low priority.
When the coordinator leaves or moves roles, knowledge disappears. Each submission effectively starts from scratch.
This failure will be explored in detail in an upcoming deep dive.
Failure 2: The Procurement Disconnect
Business operations move continuously: providers are onboarded, contracts renewed, services modified. The Register of Information is meant to reflect this operational reality.
But in most organizations, RoI updates happen periodically: an annual scramble a few months before the submission deadline.
By the time the data is submitted, it is already outdated.
Where the disconnect happens
Normal business changes create immediate RoI staleness:
Providers are onboarded, contracts negotiated, services go live. Weeks later someone remembers: “Should this be in the RoI?” By then, nobody is certain when services went live or who classified them as critical.
Contracts are renewed with changed terms, but the RoI still shows old dates. Services migrate between providers, but the RoI lists old providers as active. Providers exit the market, but termination dates are never recorded.
These mismatches are discovered during submission review or, worse, during supervisory validation.
The integration imperative
Bolt-on processes fail: “Please update the RoI spreadsheet when you onboard a provider.” People forget. It is seen as extra work, separate from the “real” process.
Effective RoI governance embeds updates into workflows that already exist: procurement approvals, contract renewals, change management processes, vendor reviews.
Continuous maintenance distributes effort across the year within existing workflows. Annual scrambles concentrate that same work into crisis periods where context is stale and coordination overhead dominates.
This failure will be explored in detail in an upcoming deep dive.
Failure 3: The Accuracy Gap
The first round of RoI submissions in April 2025 established a baseline.
Supervisors now have data from every financial entity under DORA. They have systems to process and analyze that data at scale. They can cross-validate submissions, identify inconsistencies, and detect patterns.
The validation requirements are documented. The ESAs’ FAQ and technical standards state that LEIs will be validated against GLEIF and EUIDs against BRIS. Strict enforcement did not occur in 2025. Organizations cannot assume the same leniency will continue. Once the submission cycle opens and deadlines are set, there is limited time to fix data gaps.
What is required
LEI and EUID verification is mandatory. The ESAs’ technical standards require validation against authoritative sources: LEIs against the GLEIF database, EUIDs against the Business Registers Interconnection System (BRIS). This requirement wasn’t properly enforced in the last submission but it was confirmed in the latest ESA FAQ update.
What we see coming
Ultimate parent relationships are the logical next target. Supervisors have data from hundreds of institutions using the same providers. Cross-checking is straightforward: “Institution A says Provider X’s ultimate parent is Entity Y. Institution B says it’s Entity Z.” While not yet disclosed as formal validation rule, the technical capability exists and the data quality imperative is clear.
The manual breaking point
When regulators validate data programmatically at scale, errors that remained hidden under manual checks become systematic and visible.
Manual processes cannot keep pace. Compliance teams cannot verify 200 LEIs against GLEIF. Coordinators cannot cross-reference ultimate parent structures for multinational providers.
Validation requirements are outpacing manual capability.
Without clear data ownership (the ownership vacuum described in Failure 1), supervisory questions about data quality trigger internal confusion and finger-pointing.
This failure will be explored in detail in an upcoming deep dive.
The Path Forward
The three governance failures described in this post share a common pattern: treating the Register of Information as a compliance deliverable rather than operational infrastructure.
The ownership vacuum exists because the RoI is seen as a reporting requirement, not a structured representation of relationships teams already manage.
The procurement disconnect persists because updates are treated as compliance tasks, not extensions of existing operational workflows.
The accuracy gap widens because data quality is validated once a year during submission review, not continuously as part of normal operations.
Organizations that solve these governance failures turn the RoI from recurring crisis into operational asset. Those that do not will face the same scramble every submission cycle, with increasing complexity as regulatory validation requirements evolve.
The question is not whether governance must improve, but when organizations will build it: proactively, or after multiple painful submission cycles.
Free DORA RoI Health Check
Validate your Register of Information for issues before submission. Browser-based, private, instant results.