DORApp Blog
DORA Fundamentals

DORA Submission Step-by-Step Guide (2026)

M
By Matevž RostaherLast updated: June 11, 2026
dora-submission-step-by-step-guide-with-compliance-workspace-structured-reportin.jpg

You have your third-party data scattered across spreadsheets, contract folders, procurement notes, and emails. Someone on your team asks a simple question, “Are we actually ready to submit?” and the room goes quiet. That moment is familiar for many compliance officers, risk managers, and IT leaders working through DORA. The challenge is rarely just understanding the rule itself. It is turning messy operational data into a clean, defensible, technically valid submission.

That is why a practical guide to dora submission matters. By 2026, many institutions are no longer dealing with first-time interpretation only. Regulators increasingly expect proof that your Register of Information process works in practice, not just on paper. Under what is dora, reporting and third-party oversight sit inside a wider operational resilience framework, and submission quality now says a lot about your internal control maturity.

DORApp was built to simplify DORA compliance for EU financial institutions through a modular approach, turning complex regulatory requirements into structured, manageable workflows with guaranteed technical report acceptance. In this article, you will see what a solid dora filing process looks like, where teams usually struggle, and how to move from data collection to actual submission with fewer surprises.

  • What a DORA submission actually includes
  • Who needs to submit under DORA (and what “submission” means for groups)
  • Before you file, get the foundation right
  • Step by step, how the DORA submission process works
  • Common supervisory expectations: what regulators may look for beyond a valid XBRL file
  • Where teams usually get stuck
  • Third-party risk inputs that strengthen your Register of Information (templates, questionnaires, and assessments)
  • How tools can support the process without replacing judgment
  • What changes in 2026
  • Frequently Asked Questions
  • Key Takeaways
  • Conclusion

    • What a DORA submission actually includes

    A dora submission is not just a file export. In practice, it is the end result of multiple governance, data, and validation activities coming together in a form your competent authority can accept.

    For many firms, the most visible element is the Register of Information, which records ICT third-party service arrangements. If you need a broader foundation first, it helps to review dora regulation explained and the wider digital operational resilience act dora context.

    Under DORA, the Register of Information is mandatory, and EU-level submissions are based on XBRL using the DORA XBRL Data Point Model. The first Register of Information submission deadline was 30 April 2025, which means 2026 is less about first exposure and more about repeatable execution. From a practical standpoint, that shifts the conversation from “what fields do we need?” to “can we produce defensible, technically valid output on time?”

    What usually sits inside the submission workflow

  • Collection of entity, branch, provider, service, contract, and dependency data
  • Mapping of records into the DORA Register of Information structure
  • Validation against ESA taxonomy and technical rules
  • Generation of the XBRL output for submission
  • Retention of evidence showing what was submitted, when, and on what data basis

    • Think of it this way: the final file matters, but the real compliance signal is the operating model behind it.

    Who needs to submit under DORA (and what “submission” means for groups)

    Scope is where a lot of DORA submission stress begins. Not because teams ignore it, but because real organizations have groups, subsidiaries, branches, shared services, and layered outsourcing. You can end up with a technically valid Register of Information file that still raises questions internally like, “Are we reporting for the right entities?” or “Are we double-counting the same provider across the group?”

    From a high-level perspective, DORA applies to many types of EU-regulated financial entities. The exact list and boundary conditions depend on your authorization status and how you operate, so this is not legal advice. Still, in most cases, if you are a regulated financial institution with EU presence and you rely on ICT third-party services to run critical business processes, you are in the world where DORA reporting and oversight expectations matter.

    Here is the part that often surprises non-regulated vendors: ICT third-party providers are typically impacted indirectly even if they are not the ones submitting. Their financial-entity clients may require more structured information, more visibility into subcontractors, and more consistent contract and service descriptions so the institution can maintain a complete register and meet oversight expectations.

    What “submission” can mean in a group context

    In practice, “submission” is rarely just one person uploading one file. For groups, it often means coordinating entity-level records while still being able to explain the consolidated picture. Common friction points include:

  • Entity-level registers versus group views: a subsidiary may need its own accountable register, even if the group wants a consolidated operational view for oversight and internal control.
  • Shared providers and shared services: the same ICT provider may serve multiple entities, but the service arrangement, contractual counterparty, and criticality may differ by legal entity.
  • Accountability and sign-off: someone needs to sign off on what is submitted, and that usually maps to entity governance, not only central procurement or a group IT function.
  • Consistency versus local reality: groups often try to standardize vendor naming and classification, but local teams may have valid reasons for differences that need to be documented and defensible.

    • The difference often comes down to clarity on ownership: who is responsible for the accuracy of entity records, who controls the shared taxonomy and value sets, and who can explain why the register changed from the prior reporting cycle.

    If you are not sure you are in-scope, do a quick scope check

    If there is uncertainty, a short internal checklist can help you frame the conversation before you escalate it to legal or compliance leadership:

  • Entity type: are you a regulated financial entity, or part of a group that includes regulated entities?
  • EU presence: do you operate in the EU through an authorized entity or branch structure that may trigger DORA obligations?
  • Regulated activity: do you provide regulated services where operational resilience requirements are typically expected?
  • Outsourcing footprint: do you rely on third-party ICT services for important processes, customer-facing services, or core infrastructure?

    • If you answer “yes” or “not sure” to any of these, it is usually worth confirming your scope and reporting approach with your internal legal and compliance teams. That small step often prevents group-level misalignment that only becomes visible during the final dora report submission review.

    Before you file, get the foundation right

    The reality is that most dora report submission problems begin long before the submission date. They start with poor ownership, inconsistent source data, and unclear definitions across legal, procurement, IT, and risk teams.

    If your team is still working out the structure of the register itself, it is worth reviewing the difference between a dora register of information and the broader dora register concept. Many institutions use the terms loosely, which may create confusion during data collection and internal review.

    Start with data ownership, not templates

    A template can help, but it will not solve accountability gaps. Before anything else, define who owns each data area. Legal may own contract references. Procurement may own vendor records. IT may own service relationships. Compliance or risk may own the control framework and final review.

    What many people overlook is that DORA expects institutions to understand their third-party arrangements as part of broader what is digital resilience capability. That means your submission quality depends on whether your institution can connect services, providers, business functions, and legal entities in a coherent way.

    Check reporting date logic carefully

    One operational point often missed is the reporting date itself. In DORApp documentation, the report date is not simply the day you press export. It reflects the date to which the Register of Information data is valid. That distinction matters for auditability and reporting discipline.

    In practice, this means you should align your internal cut-off process, approval sequence, and data freeze window before anyone talks about generating a final file.

    dora-report-submission-workflow-showing-fragmented-compliance-data-organized-int.jpg

    Step by step, how the DORA submission process works

    Here is a practical dora submission sequence that many institutions can adapt. The exact workflow may vary by entity type, group structure, and national supervisory expectations, but the core logic is broadly similar.

    1. Gather and normalize source data

    Start by collecting all relevant third-party arrangement data from procurement systems, contract repositories, vendor lists, spreadsheets, and local business owners. Your goal is not just completeness. It is consistency.

    You need standardized provider names, entity identifiers, service descriptions, country data, and relationship mapping. If different teams describe the same provider in three different ways, validation later becomes much harder.

    2. Structure the Register of Information

    Next, organize the data into the required DORA structure. This is where many firms discover missing links between services, providers, functions, and supply chain records. A technically correct file still depends on structurally correct source records.

    Platforms like DORApp streamline the creation and maintenance of the Register of Information process through a 5-step approach: importing existing data, managing it through an intuitive interface, auto-enriching from public sources, validating against ESA rules, and generating compliant reports with one click.

    3. Validate data before export

    This is the stage you should take seriously. Check mandatory fields, closed value sets, identifier formats, duplicate records, broken relationships, and logical inconsistencies. You are not only looking for blanks. You are looking for data that may pass an internal spreadsheet review but fail technical or supervisory scrutiny.

    From a regulatory standpoint, this is also where institutions build confidence that their controls are real. Validation is not administrative cleanup. It is part of demonstrating operational resilience.

    4. Generate the XBRL submission file

    Once the register is complete and validated, generate the XBRL output in the required format. Under DORA, this is the file that supports EU-level submission expectations. The technical layer matters here, especially for teams that are strong on compliance but not staffed with data engineers.

    If you want more context on the technical reporting format, the XBRL category is a useful place to continue reading.

    5. Review the submission package and evidence

    Before filing, confirm not only that the export completed successfully, but also that the submission package can be evidenced later. Save logs, approvals, report dates, and validation outcomes. If regulators ask how a record was determined, you want a clear answer.

    With features like automated workflows, non-blocking validation, a streamlined data model that auto-converts to XBRL, and full-text search across all records, DORApp allows compliance teams to start working immediately rather than waiting for perfect data.

    6. Submit through the competent authority channel

    The last step is the actual filing. Depending on your jurisdiction and submission setup, this may involve national authority processes layered on top of EU standards. Always confirm the latest local instructions, technical gateways, and procedural requirements.

    This is why your dora filing playbook should include both EU-wide DORA requirements and country-specific operational steps.

    Common supervisory expectations: what regulators may look for beyond a valid XBRL file

    A valid XBRL file is necessary, but it is not always sufficient. In 2026, many institutions are planning for a world where supervisors may not only accept a submission, but also ask you to explain it. That is where “defensible submission” becomes a useful mindset.

    Supervisory approaches vary by jurisdiction and entity type, so the goal here is not to prescribe rules. It is to highlight practical review angles that often show up once reporting becomes routine.

    Governance and accountability behind the data

    One common question is not “did you submit,” but “who owns this?” Regulators may look for evidence that the Register of Information is produced under a controlled process with clear accountability. That typically includes:

  • Named owners for key data domains, such as provider master data, service mapping, and contract references
  • A defined approval route for the reporting date cut-off and the final export
  • A clear explanation of how exceptions are handled when required data is missing or disputed

    • Think of it this way: if you cannot explain ownership, it becomes harder to explain quality.

    How “critical” and important arrangements are classified and justified

    Classification is where teams often feel exposed, because it involves judgment. Supervisors may expect that criticality, materiality, or importance tags are not arbitrary. In most cases, a defensible approach includes a consistent method, documentation of the rationale, and the ability to show that the method is applied across the organization, including subsidiaries and branches where relevant.

    From a practical standpoint, you want to be able to explain why a service is considered critical or not, what assumptions you used, and what changed since last cycle if the classification shifted.

    What a defensible submission often includes besides the file

    When teams prepare only the final XBRL, they often miss the supporting artifacts that make the submission explainable later. Depending on how your supervisory interactions work, it can help to maintain a lightweight evidence pack that typically includes:

  • An approval trail: who reviewed, who signed off, and on what date
  • Data lineage notes: where the key fields came from, and which systems or owners are considered authoritative
  • Reconciliations: high-level checks that the register aligns with procurement vendor lists, outsourcing inventories, or contract repositories, where applicable
  • Exception handling: what you did when a subcontractor detail was unknown, when identifiers were missing, or when local teams could not agree on a service mapping
  • Change explanation: your ability to explain major deltas from the previous reporting cycle, not only that the file “passed”

    • Reporting readiness signals that reduce stress

    For most small business owners and entrepreneurs, “readiness” is a vague term. For DORA reporting teams, it is more concrete. A few signals often indicate that your process is maturing:

  • A repeatable cadence: the register is updated continuously, not only in the month before submission
  • A documented data freeze: you know exactly when data stops changing for a given reporting date
  • Incident-proof ownership: if a key person is unavailable, the process still runs because responsibilities and steps are documented
  • A clear story: you can explain what changed, why it changed, and how you know the data is credible

    • That is also the operational resilience link. The submission is one output, but the underlying discipline often reflects whether third-party risk oversight is truly embedded in business-as-usual operations.

    Where teams usually get stuck

    Most submission delays are not caused by the final export button. They come from issues that sit quietly in the background until the deadline gets close.

    Fragmented third-party data

    One business line may have a contract spreadsheet. Another may rely on procurement records. IT may track services separately. None of those sources are necessarily wrong, but they often do not agree. That creates reconciliation work at the worst possible time.

    Unclear provider hierarchies and supply chains

    Consider this: your institution may know the direct ICT provider, but not the subcontracting chain that supports the service. That matters more in 2026 because Delegated Regulation (EU) 2025/532 introduced deeper subcontracting risk requirements. Teams that only capture first-level vendor data may find their records are not mature enough for ongoing oversight.

    Last-minute technical validation failures

    This is one of the most frustrating issues. The data may look fine in Excel, but the XBRL output fails because a field is invalid, a relationship is missing, or a closed list value is wrong. These are avoidable problems, but only if validation happens early enough.

    Treating submission as a one-time project

    By now, that approach is wearing thin. In 2026, regulators increasingly care about proof of compliance as ongoing operations. They may use automated tools to cross-reference ICT registers across the EU, which means repeatability and data discipline matter more than a heroic end-of-quarter cleanup effort.

    If you want a wider framework view, the Register of Information category and the article DORA Pillars Explained: Complete Breakdown (2026) can help connect submission work to the other DORA pillars.

    dora-filing-preparation-with-governance-controls-evidence-folders-and-submission.jpg

    Third-party risk inputs that strengthen your Register of Information (templates, questionnaires, and assessments)

    Here is the thing: the Register of Information is a reporting output, but the data quality you can achieve is often determined upstream. If onboarding asks vendors the wrong questions, or does not ask about subcontractors at all, the register becomes an exercise in chasing missing information later.

    This is where structured third-party risk inputs can help. Not because a questionnaire magically produces correct RoI records, but because it can standardize what you collect and when you collect it.

    How templates and questionnaires can improve RoI completeness

    Many institutions use vendor onboarding questionnaires, contract intake forms, and periodic assessments to capture details that later map into register fields. Done well, these inputs may help you:

  • Reduce back-and-forth by collecting key service and dependency details at the start
  • Improve subcontractor visibility by asking for supply chain information in a consistent format
  • Make classification decisions more defensible by recording context and rationale early

    • Still, you typically need an internal mapping step. A questionnaire response is not the same as a clean record structure, especially when different teams interpret the same service differently.

    What to capture for critical vendors in a structured way

    Requirements and supervisory expectations can differ by jurisdiction and by entity type, so your internal approach should be validated with your compliance and legal teams. In practice, many teams try to make sure they can capture, in a consistent way, at least the following for critical or important services:

  • Service dependencies: what business process or function relies on the service, and what happens if it is unavailable
  • Subcontractors and fourth parties: who supports delivery, and where that information is maintained and updated
  • Locations: where services are delivered and where relevant data processing or operational activity occurs, based on what is applicable to your setup
  • Continuity expectations: high-level continuity, recovery, and support commitments that are reflected in contracts or operational documentation

    • From a practical standpoint, you are aiming for traceability. If an internal stakeholder asks, “Why is this provider in the register and why is it flagged as important?” you should be able to answer without reconstructing the story from emails.

    How to operationalize this without spreadsheet chaos

    The biggest improvement is often not a better spreadsheet. It is a better cadence and clearer triggers for updates. A workable model usually includes:

  • Ownership: one accountable owner per data domain, with clear escalation paths for disputes
  • Cadence: a recurring review cycle, plus event-driven updates when contracts change, services move, or providers introduce subcontractors
  • Procurement alignment: onboarding and offboarding steps that feed the register, so your RoI does not drift away from operational reality

    • If you can connect onboarding, assessments, and contract changes to RoI updates, your dora submission becomes a reporting moment, not a data rescue mission.

    How tools can support the process without replacing judgment

    Software can make the process faster and cleaner, but it does not replace institutional judgment. You still need people to decide whether a service is correctly classified, whether a dependency is material, and whether local regulatory expectations add extra reporting steps.

    That said, the right system may reduce the amount of manual friction. DORApp includes modules, functions, help resources, demo booking, and a 14-day free trial path, and its documented workflows support structured import, validation, report creation, and compliant export processes. Based on available product information and documentation, it is one platform worth evaluating if your team wants a DORA-focused operating model rather than a collection of disconnected files.

    What good support looks like

  • Import paths from existing Excel or CSV records
  • Validation against DORA reporting expectations before final export
  • Audit trail and report logs that support defensibility
  • Clear role-based workflows so ownership is visible
  • Help resources that reduce dependence on informal team knowledge

    • Now, when it comes to evaluating any platform, ask a practical question: will this help your team maintain submission readiness month after month, or will it only help you generate one file under pressure?

    What changes in 2026

    The big shift is maturity. Early DORA discussions focused on understanding scope and getting through the first filing cycle. In 2026, many institutions are moving into evidence-based supervision.

    ESAs designated Critical Third-Party Providers in November 2025, and that has raised the profile of third-party oversight across the sector. The European Commission review of DORA scope under Article 58 is also underway, which means some boundary questions may keep evolving. Based on current guidance, you should expect increasing scrutiny of data quality, governance, subcontracting visibility, and operational traceability.

    From a practical standpoint, this means your dora report submission process should be treated as part of business-as-usual control operations. It should not live only in a project plan or a consultant handover folder.

    If you want more historical context on how the framework developed, see DORA European Commission Timeline and History (2026). And if you are exploring support options, you can book a demo or try DORApp through its Free Trial – 14 Days path to see how a structured submission workflow may fit your institution.

    Disclaimer: The information in this article is intended for general informational and educational purposes only. It does not constitute professional technical, legal, financial, or regulatory advice. Website performance outcomes, platform capabilities, and business results will vary depending on your specific circumstances, goals, and implementation. Always evaluate tools and platforms based on your own needs and, where relevant, seek professional guidance.

    Regulatory note: This article is for informational purposes only and does not constitute financial, legal, or regulatory advice. DORA compliance requirements may vary based on your institution type, size, and national regulatory framework. Content referencing regulated industries is provided for general context only and should not be interpreted as legal, regulatory, compliance, or financial advice. If you operate in a regulated sector, always consult qualified financial, legal, and compliance professionals for guidance specific to your situation.

    dora-submission-validation-scene-with-structured-data-review-xbrl-style-checks-a.jpg

    Frequently Asked Questions

    What is a DORA submission in simple terms?

    A dora submission is the formal reporting output your institution prepares under the Digital Operational Resilience Act, especially for the Register of Information covering ICT third-party service arrangements. In plain language, it is the point where your internal third-party data, governance checks, and technical formatting come together in a file your regulator can review. It is not only about sending data. It also reflects whether your institution has a controlled process for collecting, validating, and maintaining that data over time.

    What does DORA stand for?

    DORA stands for the Digital Operational Resilience Act. It is an EU regulatory framework focused on helping financial entities manage ICT risk and operational resilience in a more consistent, evidence-driven way. The Register of Information submission is one of the most visible reporting outputs because it forces institutions to organize third-party ICT arrangements into a structured format.

    Who needs to comply with DORA?

    DORA generally applies to many EU-regulated financial entities. Whether a specific organization is in-scope depends on factors like authorization status, regulated activities, and how it operates in the EU, so you should confirm with qualified legal and compliance professionals. ICT third-party providers are often impacted indirectly because their regulated clients may request more structured service, subcontractor, and contract information to support RoI reporting and ongoing oversight.

    What are the requirements for DORA reporting?

    DORA reporting requirements can include multiple components depending on your entity type and supervisory setup. For many institutions, a major structured reporting item is the Register of Information for ICT third-party service arrangements, submitted in XBRL aligned with the relevant taxonomy and technical rules. Beyond the file itself, institutions often maintain supporting governance evidence, such as ownership, approvals, validation outputs, and the ability to explain changes between reporting cycles.

    What are the 5 principles of DORA?

    DORA is commonly described through five core pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. The exact implementation details can vary by institution and jurisdiction, but the idea is that operational resilience is not only a technology concern. It is a governance and control discipline that spans people, processes, and third parties.

    Is DORA filing only about the Register of Information?

    No. The Register of Information is a major part of DORA reporting, but DORA as a regulation is broader. It covers five pillars, including ICT risk management, incident reporting, resilience testing, third-party oversight, and information sharing. Still, for many compliance teams, the Register of Information is the most visible structured submission challenge because it requires detailed third-party data in a technically valid reporting format. That is why institutions often use it as the first real test of their overall DORA operating model.

    What format is used for DORA report submission?

    For EU-level submissions related to the Register of Information, the reporting format is XBRL, based on the DORA XBRL Data Point Model. This matters because technically correct output is just as important as having the right source data. A spreadsheet that looks complete to your internal team may still fail if the exported file does not align with taxonomy rules, identifiers, value sets, or structural relationships. That is why many institutions build a specific validation and export process rather than relying on manual formatting alone.

    What is the biggest risk in the DORA submission process?

    In many cases, the biggest risk is not the final filing step. It is poor source data quality earlier in the process. Missing provider identifiers, duplicate vendors, inconsistent service naming, and broken links between contracts and business functions often cause the real delays. Teams sometimes discover these issues only when they attempt validation or XBRL generation. A calmer approach is to treat data ownership and validation as continuous work, not as a last-week exercise before a deadline. That usually reduces pressure and improves defensibility.

    How often should we review our Register of Information?

    Your institution should review it often enough to keep it decision-useful and submission-ready, not just technically populated. The right cadence depends on your operating model, vendor change frequency, and regulatory expectations in your jurisdiction. For many institutions, quarterly review cycles plus event-driven updates work better than a once-a-year scramble. The key idea is that the Register of Information should reflect current operational reality. If a critical contract changes and the register lags for months, your submission quality and governance posture may both weaken.

    Can a software platform make us DORA compliant?

    No responsible platform should claim that. Software may support your compliance process by helping with data collection, validation, workflow management, evidence retention, and report generation. But compliance still depends on your institution’s governance, policies, judgments, controls, and regulatory interpretation. DORApp, for example, can support structured DORA workflows and technically compliant reporting based on its documented modules and reporting capabilities, but your team still needs legal, compliance, and operational ownership to make the process reliable and appropriate for your circumstances.

    What changed after the first 2025 Register of Information deadline?

    The first filing cycle was about getting institutions into the reporting framework. By 2026, the focus is shifting toward proof that your submission process is sustainable and controlled. Regulators are expected to look more closely at consistency, repeatability, and the quality of third-party data behind the report. The designation of Critical Third-Party Providers and newer subcontracting expectations have also increased attention on supply chain visibility. So the conversation is moving from “can you submit once?” to “can you show an operationally sound process every cycle?”

    Who should be involved in preparing a DORA filing?

    It usually takes more than compliance alone. Risk, IT, procurement, legal, outsourcing teams, and business owners often all hold pieces of the necessary data. Compliance may coordinate the process, but it rarely owns every source record. A good setup defines clear ownership by data domain and an approval route for final submission. This avoids a common problem where everyone assumes someone else has confirmed the details. The better your ownership model, the more efficient and defensible your dora filing process tends to become.

    How do we know if our data is ready for submission?

    You know it is closer to ready when three things are true. First, the data is complete enough to cover the required scope. Second, the records are internally consistent across entities, providers, services, and dependencies. Third, the output passes technical validation in the required reporting format. Readiness is not just a feeling that the spreadsheet looks tidy. It should be supported by documented checks, review gates, and ideally a reproducible export process. If any of those pieces are missing, you may still be in preparation mode.

    Key Takeaways

  • DORA submission is not just a file export, it is the outcome of governance, data quality, validation, and evidence management.
  • The Register of Information should be maintained as an ongoing operational control, not a one-time reporting project.
  • XBRL filing adds a technical layer, so early validation is essential to avoid last-minute failures.
  • 2026 puts more emphasis on proof of compliance, subcontracting visibility, and repeatable reporting discipline.
  • Tools can support speed and consistency, but they do not replace legal, compliance, and business judgment.

    • Conclusion

    A strong dora submission process is less about last-minute effort and more about steady control over your data, ownership, and reporting workflow. If your institution can trace how third-party records are collected, validated, approved, and turned into a technically acceptable filing, you are in a much better position than a team relying on deadline-driven spreadsheet reconciliation.

    Here’s the thing: most of the stress around dora report submission comes from preventable gaps that sit upstream, especially unclear ownership and inconsistent source data. Once those are addressed, filing becomes far more manageable. That is also why process design matters just as much as regulatory interpretation.

    If you are reviewing how to make your Register of Information process more structured, DORApp is worth exploring. You can see how DORApp approaches imports, validation, workflows, and compliant reporting at dorapp.eu, or continue learning through the Dorapp blog and related DORA resources.

    M

    About the Author

    Matevž Rostaher is Co-Founder and Product Owner of DORApp. He brings deep experience in building secure and compliant ICT solutions for the financial sector and is positioned by DORApp as an expert trusted by financial institutions on complex regulatory and operational challenges. DORApp’s own webinar materials list him as CEO and Co-Founder of Skupina Novum d.o.o. and CEO and Co-Founder of FJA OdaTeam d.o.o. His articles should carry the voice of someone who understands not just compliance requirements, but the systems and delivery realities behind them.