Regulatory Calendar

DORA Timeline

Every milestone from the initial proposal to full enforcement. Track legislation, technical standards, compliance deadlines, and supervisory actions on a single visual timeline.

Legislation

RTS / ITS

Deadline

Enforcement

Guidance

2020

2022

2023

2024

2025

2026

Current

2028

Key takeaway

DORA became fully applicable on 17 January 2025. Financial entities must now have operational ICT risk management frameworks, incident reporting capabilities, and third-party registers in place. The first supervisory assessments are underway, with enforcement actions expected from early 2026. TLPT-designated entities must complete their first testing cycle by January 2028.

DORA Timeline

European Commission publishes Digital Finance Package

Council and Parliament reach provisional agreement on DORA

DORA formally adopted — Regulation (EU) 2022/2554

DORA enters into force

ESAs publish first batch of consultation papers

ESAs publish second batch of consultation papers

Final RTS on ICT risk management framework published

Commission adopts first batch RTS as Delegated Regulations

Final RTS on TLPT and incident reporting delivered

Guidelines on ICT risk management costs estimation

ESAs publish guidance on proportionality for smaller entities

DORA becomes fully applicable

ICT risk management frameworks must be operational

Incident reporting obligations become effective

First submission deadline for register of ICT third-party providers

ESAs assess registers and begin critical provider designation

First supervisory assessments and peer reviews

First TLPT cycle initiation for designated entities

First enforcement actions and penalties expected

Annual register of information update deadline

ESA report on digital operational resilience across the financial sector

First TLPT cycle completion deadline

Key takeaway