DORA Timeline: Key Dates and Milestones
Understanding the DORA timeline is essential for compliance planning. The Digital Operational Resilience Act became fully applicable on January 17, 2025, but important milestones continue through 2026 and beyond.
This guide covers the key dates for DORA 2025 compliance, from the regulation's adoption through ongoing obligations.
Key Takeaways
| Point | Summary |
|---|---|
| Applicable since January 2025 | DORA became fully applicable on January 17, 2025 |
| Register of Information | First submission due in early 2026 |
| TLPT deadlines | Designated entities must complete first TLPT cycle by 2027 |
| Ongoing obligations | Annual reviews, testing, and reporting continue indefinitely |
| Technical standards | ESA technical standards continue to be adopted |
Quick Answer: DORA was adopted in December 2022, entered into force in January 2023, and became fully applicable on January 17, 2025. Financial entities should now have their ICT risk management frameworks, incident reporting processes, and third-party risk management arrangements in place. Key upcoming deadlines include the first Register of Information submission in early 2026 and the completion of first TLPT cycles for designated entities.
Historical Timeline
Adoption and Entry into Force
| Date | Milestone |
|---|---|
| September 2020 | European Commission publishes DORA proposal |
| November 2022 | European Parliament and Council reach agreement |
| December 14, 2022 | DORA formally adopted |
| December 27, 2022 | Published in Official Journal |
| January 16, 2023 | DORA enters into force |
| January 17, 2023 | Two-year implementation period begins |
Technical Standards Development
| Date | Milestone |
|---|---|
| January 2024 | First batch of ESA technical standards published |
| July 2024 | Second batch of technical standards published |
| November 2024 | Additional implementing regulations adopted |
| 2025-2026 | Continued technical standards development |
Application Date: January 17, 2025
What Became Applicable
From January 17, 2025, financial entities must have in place:
| Requirement | Status |
|---|---|
| ICT risk management framework | Operational |
| Governance arrangements | Management body accountability established |
| Incident classification | Criteria and processes defined |
| Incident reporting | Capability to report within timelines |
| Third-party risk management | Policies and processes operational |
| Testing program | Program established (proportionate) |
Transition Considerations
Regulators have indicated 2025 is a transition year:
- Focus on demonstrating good faith compliance efforts
- Significant non-compliance may attract early enforcement
- Full enforcement expected to increase over time
DORA 2025: Upcoming Milestones
Register of Information
| Date | Milestone |
|---|---|
| Throughout 2025 | Financial entities maintain and update RoI |
| Q1 2026 | First submission window (February 16 - March 13, 2026 approximately) |
| March 31, 2026 | Competent authorities submit to ESAs |
TLPT for Designated Entities
| Date | Milestone |
|---|---|
| 2025 | Competent authorities designate entities for TLPT |
| 2025-2027 | Designated entities plan and execute first TLPT |
| By 2028 | First TLPT cycle completion for initially designated entities |
| Ongoing | TLPT every 3 years thereafter |
Technical Standards Implementation
| Date | Milestone |
|---|---|
| 2025 | Continued adoption of remaining technical standards |
| 2025-2026 | Implementation of detailed requirements |
| Ongoing | Updates as standards evolve |
Ongoing Compliance Obligations
Annual Requirements
| Obligation | Frequency |
|---|---|
| Framework review | At least annually |
| Policy review | At least annually |
| Risk assessment | At least annually |
| Testing program | Annual coverage of critical systems |
| Third-party review | Regular monitoring, annual full review |
| Training | Ongoing staff and management training |
Periodic Requirements
| Obligation | Frequency |
|---|---|
| TLPT | Every 3 years (designated entities) |
| Business continuity testing | Regularly |
| Backup testing | Regularly |
| Exit strategy review | Periodically |
Event-Driven Requirements
| Trigger | Obligation |
|---|---|
| Major incident | Report within timeline, post-incident review |
| Significant change | Framework update, risk reassessment |
| New third-party arrangement | Due diligence, contract review, RoI update |
| Provider incident | Assess impact, update arrangements |
Planning Your Timeline
If Starting Now
| Phase | Timeline | Activities |
|---|---|---|
| Immediate | Now | Governance, incident reporting, core documentation |
| Short-term | Q1-Q2 2025 | Complete ICT risk framework, third-party contracts |
| Medium-term | Q3-Q4 2025 | Testing program, RoI preparation |
| 2026 | Q1 2026 | RoI submission, ongoing compliance |
Prioritization Guidance
| Priority | Rationale |
|---|---|
| Incident reporting | Obligations apply immediately; failures are visible |
| Governance | Foundation for other requirements |
| Third-party risk | RoI submission deadline approaching |
| ICT risk framework | Core requirement; enables other activities |
| Testing | Build on established framework |
Regulatory Developments to Watch
Technical Standards
Monitor for:
- Additional ESA technical standards
- Amendments to existing standards
- Guidance and Q&A publications
- National authority interpretations
CTPP Designation
Watch for:
- Designation criteria finalization
- First designations of Critical ICT Third-Party Providers
- Oversight framework operationalization
Enforcement Trends
Track:
- Early enforcement actions
- Supervisory priorities
- Common findings from examinations
Common Questions
When does DORA become mandatory?
DORA became mandatory on January 17, 2025 for all in-scope financial entities. From this date, organizations must have their ICT risk management frameworks, incident reporting processes, and third-party risk arrangements in place. While regulators have indicated 2025 is a transition year, entities significantly short of compliance may face early enforcement.
We are not fully compliant yet. What should we do?
Prioritize highest-risk gaps. Focus on incident reporting (immediate consequences for failure), governance (enables other activities), and third-party risk (RoI deadline approaching). Document your remediation plan and demonstrate progress.
When is the Register of Information due?
First submissions are expected in early 2026 (February-March window). Exact dates are announced by competent authorities. You should be building and maintaining the register now.
How do we know if we will be designated for TLPT?
Competent authorities designate entities based on systemic importance, risk profile, and potential financial stability impact. If you believe you may be designated, engage proactively with your supervisor.
What happens if we miss a deadline?
Non-compliance may result in supervisory action, including remediation orders, enhanced scrutiny, and potentially penalties. Early identification of issues and proactive communication with authorities is advisable.
Will requirements change?
DORA requirements may evolve through technical standards updates, regulatory guidance, and potential amendments. Maintain awareness of regulatory developments and build flexibility into your compliance approach.
How Bastion Helps
Bastion supports financial entities in meeting DORA timelines:
- Current state assessment: Evaluate compliance status against deadlines
- Roadmap development: Prioritized implementation plan aligned with milestones
- Implementation support: Hands-on assistance meeting deadlines
- Ongoing compliance: Continuous support for evolving requirements
- Regulatory monitoring: Track developments affecting your compliance
Ready to align your compliance with DORA timelines? Talk to our team
Sources
- DORA Official Journal Publication - Regulation text including application dates
- ESA DORA Timeline - Technical standards and implementation dates
- EIOPA DORA Information - Supervisory timelines and guidance