Skip to main content
DORA Auditor

DORA Timeline: Key Dates & Deadlines

Last updated: 3 authoritative sourcesDORA Auditor Editorial Team

DORA entered into force on 16 January 2023 and has applied since 17 January 2025. Between those dates the European Supervisory Authorities developed the regulatory and implementing technical standards that give the regulation operational detail. The table below tracks the key legislative milestones and the recurring deadlines, register of information reporting and TLPT cycles, that continue after application.

Key dates

DateMilestone
28 November 2022DORA adopted by the European Parliament and Council as Regulation (EU) 2022/2554.
27 December 2022DORA published in the Official Journal of the EU.
16 January 2023DORA enters into force, starting the two-year implementation period.
2023–2024The ESAs (EBA, ESMA, EIOPA) develop and consult on the first and second batches of regulatory technical standards (RTS) and implementing technical standards (ITS).
17 January 2025DORA begins to apply in full across all EU member states. All mandatory pillars are now legally binding.
Q1–Q2 2025First submissions of the register of information on ICT third-party arrangements to competent authorities, on ESA-defined timelines.
2025 onwardOngoing designation of critical ICT third-party providers and the start of the pan-EU oversight framework.
2025–2027First post-application threat-led penetration testing (TLPT) cycles for significant entities (at least once every three years).

Recurring obligations

Several DORA obligations are not one-off. The register of information is maintained continuously and reported periodically; the ICT risk-management framework is reviewed at least yearly; and TLPT recurs at least every three years for significant entities. Treat the January 2025 date as the start of an ongoing programme, not a finish line.

Why the two-year gap mattered

The period between force (2023) and application (2025) existed so the ESAs could draft the technical standards and so financial entities could build the frameworks, registers, and testing programmes DORA requires. Entities that treated it as preparation time entered 2025 with a working programme; those that waited are now closing gaps against a live legal deadline. To benchmark where you stand, take the DORA Readiness Score or review the full requirements.

What comes next

With the core regulation in force, attention shifts to the maturing of the oversight framework for critical ICT third-party providers, further ESA guidance and Q&As, and the first full cycles of resilience testing and incident-reporting practice. We track material developments on this page and in our news coverage; see What is DORA? for the broader context.

Frequently asked questions

When did DORA come into force and when did it apply?
Is there a grace period after 17 January 2025?
When are registers of information due?
How often must TLPT be performed?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)
  3. European Banking Authority, DORA