On 7 May 2026, KPMG and OneTrust hosted a roundtable session on the Digital Operational Resilience Act (DORA), focused on the evolving supervisory expectations around digital operational resilience, with a particular emphasis on the Register of Information (RoI) and third‑party risk management.
Third-party resilience, exit planning, and AI risks
While many institutions have made solid progress in implementing DORA requirements, the discussion clearly showed that the focus is now shifting. Supervisors increasingly expect organizations not only to comply on paper, but to demonstrate operational readiness, high-quality data, and effective governance in practice.
At the same time, AI is emerging as an increasing area of focus. Organizations must integrate AI risk into their resilience and third‑party risk management frameworks, ensuring that not only internal AI risks are managed, but also those arising from vendors and service providers that use AI in critical processes.
Register of Information: data management and governance as key challenges
Another key takeaway is that the RoI submission should not be treated as a one-off reporting exercise. Supervisory authorities are increasingly using the RoI as a starting point for deeper analysis and follow‑up questions. As such, they may start:
- Requesting detailed clarifications beyond the standard template; and
- Asking for supporting evidence such as contracts, exit strategies, or dependency mappings.
Despite progress, many organizations continue to face challenges in maintaining the RoI in a sustainable way. Common issues include:
- Fragmented data across systems;
- Inconsistent definitions of services, providers, and critical functions; and
- Diverging interpretations of scope across entities and affiliates.
Poor data quality not only increases operational effort, but it also creates supervisory exposure when inconsistencies are identified.
As a result, financial institutions must be able to:
- Clearly explain how their RoI was compiled;
- Demonstrate data consistency and traceability; and
- Show that the register reflects the actual operational landscape.
Regulatory developments
The discussion also touched on complementary regulatory developments that reinforce these expectations, such as:
- Updated EBA draft guidelines, signaling a broadening of third‑party risk management expectations beyond traditional ICT outsourcing towards a more integrated lifecycle approach; and
- Designation of critical ICT third‑party providers under DORA, increasing supervisory attention and reinforcing expectations around oversight, resilience, and credible exit planning.
Lessons from practice
OneTrust presented several case studies showing how organizations are moving towards a more sustainable approach by embedding “compliance by design”.
Key success factors include:
- Working with a single, integrated platform that allows risk and third-party information to be captured from various data points;
- Establishing a common risk language across teams; and
- Enabling continuous, real-time third-party risk assessments, rather than point-in-time reviews.
This approach helps reduce fragmentation, improve visibility, and strengthen resilience over time.
For more information on DORA and OneTrust, download the datasheet "Compliance with the Digital Operational Resilience Act (DORA)".
How KPMG and OneTrust can support you
KPMG and OneTrust combine advisory expertise with a leading technology platform to help financial institutions operationalize DORA in a sustainable way, notably to:
- Build and maintain a robust, scalable Register of Information;
- Transition to continuous, data-driven third-party risk management;
- Enhance governance and data quality across the organization; and
- Extend resilience frameworks to address emerging risks such as AI.