DORA Timeline: Key Dates & Deadlines
DORA entered into force on 16 January 2023 and has applied since 17 January 2025. Between those dates the European Supervisory Authorities developed the regulatory and implementing technical standards that give the regulation operational detail. The table below tracks the key legislative milestones and the recurring deadlines, register of information reporting and TLPT cycles, that continue after application.
Key dates
| Date | Milestone |
|---|---|
| 28 November 2022 | DORA adopted by the European Parliament and Council as Regulation (EU) 2022/2554. |
| 27 December 2022 | DORA published in the Official Journal of the EU. |
| 16 January 2023 | DORA enters into force, starting the two-year implementation period. |
| 2023–2024 | The ESAs (EBA, ESMA, EIOPA) develop and consult on the first and second batches of regulatory technical standards (RTS) and implementing technical standards (ITS). |
| 17 January 2025 | DORA begins to apply in full across all EU member states. All mandatory pillars are now legally binding. |
| Q1–Q2 2025 | First submissions of the register of information on ICT third-party arrangements to competent authorities, on ESA-defined timelines. |
| 2025 onward | Ongoing designation of critical ICT third-party providers and the start of the pan-EU oversight framework. |
| 2025–2027 | First post-application threat-led penetration testing (TLPT) cycles for significant entities (at least once every three years). |
Recurring obligations
Why the two-year gap mattered
The period between force (2023) and application (2025) existed so the ESAs could draft the technical standards and so financial entities could build the frameworks, registers, and testing programmes DORA requires. Entities that treated it as preparation time entered 2025 with a working programme; those that waited are now closing gaps against a live legal deadline. To benchmark where you stand, take the DORA Readiness Score or review the full requirements.
What comes next
With the core regulation in force, attention shifts to the maturing of the oversight framework for critical ICT third-party providers, further ESA guidance and Q&As, and the first full cycles of resilience testing and incident-reporting practice. We track material developments on this page and in our news coverage; see What is DORA? for the broader context.
Frequently asked questions
When did DORA come into force and when did it apply?
DORA entered into force on 16 January 2023 and has applied since 17 January 2025, following a two-year implementation period.
Is there a grace period after 17 January 2025?
No. DORA is a regulation, so its obligations became directly applicable in full on 17 January 2025, there is no formal transition or grace period. Supervisors have signalled a focus on demonstrable progress, but the legal deadline has passed. See DORA penalties for the enforcement position.
When are registers of information due?
Financial entities began compiling their register of information on ICT third-party arrangements from the January 2025 application date, with the first structured reporting exercises to competent authorities taking place during 2025 on timelines set by the ESAs.
How often must TLPT be performed?
Threat-led penetration testing must be carried out at least every three years by entities identified as significant, so the first cycles after application run through 2025–2027. See resilience testing.