DORA Compliance Hub

EU Digital Operational Resilience Act Decision Flow + Timeline

Use the decision flow to confirm DORA scope and proportionality, then turn requirements into an execution plan: ICT risk management controls, major incident reporting, resilience testing and TLPT, and third-party risk contracts plus register of information.

This is a practical implementation hub, not legal advice. Your obligations depend on entity type, national supervision, how critical or important functions and ICT dependencies are assessed under DORA, and whether current RTS and ITS for reporting, register templates, TLPT identification, and subcontracting already apply.

Publication details
Editorial metadata for this artifact
Author: Sorena AI
Published: Feb 23, 2026
Updated: Feb 23, 2026
What you can decide faster
  • Scope: Check Article 2 coverage and exclusions.
  • Track: Choose the right path: financial entity, ICT provider, or CTPP.
  • Workstreams: Plan ICT risk, incident reporting, testing, and third party controls.
By Sorena AI | Updated Mar 2026 | No signup required
Quick scan
DORA
  • Applicability: Confirm your scope and exclusions.
  • Obligations: Translate requirements into controls.
  • Evidence: Plan owners, artifacts, reporting templates, and review cadence.
Use the decision flow for scope and track decisions, then use topic guides to ship controls and evidence.
  • Regulation: 2022
  • Market: EU
  • Focus: ICT
  • Outcome: Resilience
Incident reporting, Register of information, TLPT readiness
DORA Timeline

Key dates for operational resilience planning

Track DORA milestones that affect application timing, Level 2 deliverables, and operational implementation across risk, security, testing and vendor management.

DORA Decision Flow

How does DORA apply to your entity?

Use the decision flow to map scope, proportionality and simplified frameworks, incident reporting expectations, testing/TLPT approach, and ICT third-party risk controls.


Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. DORA Applicability Test | Is EU DORA Applicable to Your Entity?
   A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.

2. DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk
   High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.

3. DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774
   A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence.

4. DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532
   A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.

5. DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301
   A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.

6. DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments
   A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).

7. DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956
   Build an audit-ready DORA Register of Information (RoI): define scope and relational keys.

8. DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)
   A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).

9. DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide
   A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation.

10. DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness
    A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.

11. DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities
    A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.

12. EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)
    An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.

13. EU DORA Compliance Guide | DORA Implementation Playbook
    A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.

14. EU DORA Deadlines & Compliance Calendar | Key Dates, RTS/ITS and Cadence
    A DORA compliance calendar for Regulation (EU) 2022/2554: publication, entry into force, application date, key RTS and ITS including 2024/2956, 2025/301.

15. EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)
    A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).

16. EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)
    A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks.

Next step

Turn EU Digital Operational Resilience Act Decision Flow + Timeline into an operational assessment workflow

EU Digital Operational Resilience Act Decision Flow + Timeline should be the shared entry point for your team. Route execution into Assessment Autopilot for live work and into SSOT when the artifact needs deeper research, evidence governance, or supporting analysis.

What this unlocks
  • Start from EU Digital Operational Resilience Act Decision Flow + Timeline and route the work by entity, product, team, or control owner.
  • Use Assessment Autopilot to turn the guidance into owned tasks, evidence requests, and review checkpoints.
  • Use SSOT to keep documents, evidence, and control records in one governed system.
  • Move from artifact reading to accountable execution without rebuilding the guidance in separate files.