Why 93.5% of Firms Failed the DORA Dry Run (And How to Pass)

In December 2024, the European Supervisory Authorities released a sobering report: 93.5% of financial entities failed to meet all data quality requirements during the DORA Register of Information dry run exercise.

If you're a compliance officer at a payment institution, e-money institution, or small investment firm, that statistic should get your attention. The official DORA reporting deadline has already passed (January 17, 2025), and firms are now submitting their first real registers.

The good news? The ESAs also noted that "meeting the required standards for DORA compliance remains achievable." This article breaks down exactly what went wrong in the dry run and what you can do to avoid the same mistakes.

What Was the DORA Dry Run?

From April to August 2024, the European Supervisory Authorities (EBA, EIOPA, and ESMA) conducted a voluntary dry run exercise to test financial entities' readiness for DORA reporting.

Key participation stats:

• 1,139 entities initially expressed interest
• 1,039 entities submitted registers by the August deadline
• 947 registers passed initial technical integration checks
• 27 EU Member States and 40 competent authorities participated

The exercise tested two things:

1. Technical integration — correct file formats, naming conventions, submission processes
2. Data quality — validation against 116 predefined data quality rules

The 93.5% Failure Rate: What Actually Went Wrong?

Let's be clear about what "failure" means here: 93.5% of submissions (886 out of 947) contained at least one data quality error. That doesn't mean these registers were completely rejected—but it does mean they would have required correction and resubmission in a real reporting scenario.

Here's the breakdown of what went wrong:

1. Missing Mandatory Information (86% of All Errors)

The single biggest issue was incomplete data. Financial entities simply didn't fill in all required fields.

Common gaps included:

• Missing contract start and end dates (22% of submissions)
• Incomplete service level agreement (SLA) information (27% of submissions)
• Missing data on ICT third-party service providers

2. Invalid Legal Entity Identifiers (32% of Submissions)

The Legal Entity Identifier (LEI) is mandatory for identifying financial entities in the register. Nearly a third of submissions had problems with LEIs:

• Incorrect LEI format
• Expired or lapsed LEIs
• Missing LEIs for subsidiaries
• LEIs that didn't match the entity submitting

3. Formatting Errors (41% of Rejections)

Technical formatting issues caused 41% of files to be rejected outright:

• Wrong file format (not xBRL-CSV or proper Excel structure)
• Incorrect naming conventions
• Invalid date formats
• Character encoding issues

4. ICT Service Misclassification (18% of Submissions)

Financial entities struggled to correctly categorize their ICT services according to the DORA framework:

• Cloud services miscategorized
• Critical vs. non-critical function misidentification
• Subcontractor relationships not properly captured

5. Incorrect Location Codes (13% of Submissions)

Data processing and storage locations must use proper ISO country codes. Many submissions used inconsistent or incorrect location identifiers.

How Different Sectors Performed

Not all financial entities struggled equally. The ESAs reported error rates relative to data points submitted:

Credit institutions performed best—likely because they have more mature compliance infrastructure and dedicated teams. Smaller firms without these resources faced steeper challenges.

What the ESAs Learned (And What It Means for You)

The dry run wasn't just about testing firms—it was about testing the regulatory process itself. The ESAs identified several issues:

Legacy system integration: 42% of participant queries related to difficulties integrating legacy systems with the new reporting requirements.

Third-party data collection: 33% of queries involved challenges gathering required data from ICT providers—who sometimes weren't cooperative or didn't understand what was needed.

Reporting format confusion: 25% of queries related to understanding and implementing the correct reporting format.

The Good News: Preparation Works

Early submitters (June) averaged 2.3 resubmissions to pass validation, while August submitters (after guidance updates were published) achieved an average of just 1.5 resubmissions.

This tells us something important: understanding the validation rules before you start dramatically improves your success rate.

The 116 Validation Rules: What the ESAs Actually Check

The ESAs published their complete list of validation rules in November 2024. These rules fall into several categories:

Technical Validation

• File format compliance (xBRL-CSV structure)
• Naming conventions
• Character encoding (UTF-8)
• Date format consistency (ISO 8601)

Entity Identification

• Valid LEIs for all financial entities
• Consistent entity identification across templates
• Proper subsidiary/parent relationships

Data Completeness

• All mandatory fields populated
• Required cross-references between templates
• Complete contract coverage

Data Consistency

• Dates are logical (end dates after start dates)
• Financial values are plausible
• Cross-template references resolve correctly

Relationship Validation

• ICT service provider relationships properly linked
• Function-to-service mappings complete
• Subcontractor chains documented

2025 Compliance Targets

Based on the dry run findings, the ESAs have set clear expectations for real submissions:

These are high bars. Achieving them requires systematic preparation, not last-minute Excel scrambling.

How to Avoid the 93.5%: Practical Steps

Based on the dry run findings, here's what actually works:

1. Start with Your ICT Inventory

Before you touch a template, create a complete inventory of all ICT services supporting critical or important functions:

• Cloud providers
• Software vendors
• Payment processors
• Data storage services
• Telecommunications providers

Include subcontractors. DORA requires visibility into your entire ICT supply chain.

2. Verify All Identifiers Now

• Check every LEI at gleif.org
• Ensure LEIs are current (not lapsed)
• Obtain LEIs for any entities that don't have them
• Document EUID and other identifiers for providers

3. Gather Contract Data Systematically

For each ICT service provider, you'll need:

• Contract start and end dates
• Service descriptions
• SLA terms
• Data processing locations
• Subcontractor information
• Exit provisions

Create a checklist and work through it provider by provider.

4. Understand the 15 Templates

DORA's Register of Information comprises 15 interconnected templates. Understanding how they link together prevents consistency errors:

• B_01: Entity information
• B_02: Contractual arrangements
• B_03: ICT third-party service providers
• B_04: ICT services
• B_05: Functions
• (And 10 more...)

5. Validate Before You Submit

Don't wait for the regulator to find your errors. Run validation checks yourself:

• Use the ESA's published validation rules as a checklist
• Check cross-references between templates
• Verify all mandatory fields are populated
• Test your export format with validation tools

6. Consider Purpose-Built Tools

The dry run proved that Excel is problematic for DORA compliance. 93.5% of firms had errors—and many used manual spreadsheet processes.

Dedicated tools offer:

• Built-in validation against all 116 rules
• Automatic format compliance
• Cross-template consistency checks
• LEI verification integration
• Clean xBRL-CSV export

If you're a smaller firm without a dedicated compliance team, the right tool can be the difference between first-time success and multiple resubmissions.

The Cost of Getting It Wrong

Beyond the compliance risk, failed submissions have real costs:

• Time: Each resubmission cycle takes days or weeks
• Resources: Compliance staff pulled from other work
• Stress: Regulatory uncertainty during correction periods
• Reputation: Your competent authority sees your error rate

For smaller payment institutions and e-money institutions, these costs are proportionally larger. You can't afford to throw enterprise-level resources at the problem—you need to get it right the first time.

Conclusion: Passing Is Achievable

The 93.5% failure rate sounds alarming, but context matters. Half of the firms with errors failed fewer than 5 of the 116 checks. The ESAs concluded that compliance is "achievable" with proper preparation.

The firms that succeeded shared common traits:

• They started early
• They attended guidance sessions
• They verified their data before submission
• They used structured validation processes

The January 2025 deadline has passed, but DORA reporting is ongoing. If your first submission had issues—or you haven't submitted yet—now is the time to get your process right.