Artifact GuideEU

EU DORA Deadlines & Compliance Calendar

Key dates and cadences you can plug into your governance calendar.

Includes DORA application date, Level 2 RTS/ITS milestones, and recurring operating cycles.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
7

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 23, 2026
Updated Feb 23, 2026
Overview

DORA compliance is both a deadline-driven rollout and a recurring operating model. This page lists the most important dates and the cadences teams should implement: incident reporting readiness, testing and TLPT cycles, and continuous third-party governance and register-of-information maintenance.

Section 1

Baseline dates: publication, entry into force, and application

The DORA Regulation was adopted in December 2022 and published in the Official Journal shortly after.

It enters into force 20 days after publication and applies from 17 January 2025.

  • Official Journal publication: OJ L 333, 27 December 2022.
  • Entry into force: twentieth day following publication (Article 64).
  • Application date: 17 January 2025 (Article 64).
  • Program implication: build your core workflows (incident reporting, register of information, testing cadence) as "run-ready" before the application date.
Section 2

Level 2 deliverables: what RTS/ITS change for implementation

DORA is implemented through Level 2 technical standards and delegated regulations that specify detailed requirements and templates.

Treat Level 2 as implementation spec: it affects forms, time limits, contract clause details, and control baselines.

  • Incident classification and materiality thresholds: Delegated Regulation (EU) 2024/1772 (RTS).
  • Contract clauses for critical/important ICT services: Delegated Regulation (EU) 2024/1773 (RTS).
  • ICT risk management tools and simplified framework: Delegated Regulation (EU) 2024/1774 (RTS).
  • Incident report content and time limits: Delegated Regulation (EU) 2025/301 (RTS).
  • Critical ICT provider designation criteria: Delegated Regulation (EU) 2024/1502.
  • Critical ICT provider oversight fees: Delegated Regulation (EU) 2024/1505.
  • Register of information templates: Implementing Regulation (EU) 2024/2956 (ITS), published on 29 November 2024.
  • Standard forms, templates, and procedures for major ICT incident reporting: Implementing Regulation (EU) 2025/302 (ITS).
  • Subcontracting assessment for ICT services supporting critical or important functions: Delegated Regulation (EU) 2025/532.
  • Criteria for identifying entities required to perform TLPT: Delegated Regulation (EU) 2025/1190.
Section 3

Post-application supervisory milestones that now matter in practice

Once DORA applied on 17 January 2025, the focus shifted from legal readiness to supervisor-ready artifacts, templates, and oversight structures.

The most important current milestones are the RoI template ITS, the incident-reporting ITS, and the first critical ICT provider designations.

  • Register of information ITS: Implementing Regulation (EU) 2024/2956, published on 29 November 2024, gives the standard B_01 to B_07 templates used for supervisory submissions.
  • Incident reporting ITS: Implementing Regulation (EU) 2025/302 sets the standard forms, templates, and procedures for major ICT incident reporting.
  • Critical ICT third-party provider designations: the ESAs published the first designated CTPP list on 18 November 2025.
  • Practical implication: firms now need export-ready RoI data, template-ready incident reporting, and vendor-governance playbooks that reflect whether a key provider has been designated as critical.
Recommended next step

Turn EU DORA Deadlines & Compliance Calendar into an operational assessment

Assessment Autopilot can take EU DORA Deadlines & Compliance Calendar from planning deadlines, owners, and milestones from this page to a reusable workflow inside Sorena. Teams working on EU DORA can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU DORA Deadlines & Compliance Calendar

Start from EU DORA Deadlines & Compliance Calendar and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU DORA

Review your current process, evidence gaps, and next steps for EU DORA Deadlines & Compliance Calendar.

Explore next step
Section 4

Recurring cadence: incident reporting readiness (always-on)

Major incident reporting is not "file a report when something happens". It requires a prepared workflow and data model so you can report while systems are degraded.

Build a recurring readiness cadence and run periodic drills.

  • Quarterly reporting drill: simulate a major incident and produce initial/intermediate/final report drafts using your actual data sources.
  • Metric QA: validate classification thresholds and cross-border impact logic (RTS 2024/1772) and ensure time limits workflows are realistic (RTS 2025/301).
  • Evidence retention: keep copies of reports, timestamps, and root-cause analysis artifacts.
Section 5

Recurring cadence: testing program and TLPT cycle

DORA requires a testing program for ICT tools, systems and processes. For certain entities, TLPT must occur at least every three years.

Treat testing as a product-quality loop: tests generate remediation backlog and evidence.

  • Annual testing plan: define scope, independence, and coverage of critical or important functions; include retesting of remediated issues.
  • TLPT program (where applicable): plan scoping, authority interactions, supplier selection, and production-safe controls well in advance.
  • Calendar management: reserve time for remediation and validation before audit or supervisory reviews.
Section 6

Recurring cadence: third-party governance and register of information

Third-party governance is continuous: contracts change, services change, and subcontracting chains evolve.

The register of information should be updated as part of procurement, not as an annual scramble.

  • Monthly/quarterly updates: reconcile new/changed vendor contracts, criticality flags, subcontractors, and service locations into the register.
  • Contract reviews: ensure DORA RTS clauses remain present in renewals and change orders (RTS 2024/1773).
  • Exit strategy reviews: periodically test portability, backups, and transition plans for critical/important services.
  • Supervisory export readiness: ensure you can export the full register or requested sections quickly (Article 28).
Section 7

Suggested rollout plan (fast but defensible)

If you need a practical rollout plan, run DORA in four tracks with a shared evidence model.

This sequencing tends to minimize rework and "late surprises".

  • Track 1: scope memo + proportionality + requirements matrix.
  • Track 2: incident management + reporting pipeline (templates, classification, time limits, drills).
  • Track 3: ICT risk management baseline controls + continuity + monitoring.
  • Track 4: third-party governance + contract clauses + register-of-information build + exit strategies.
  • Parallel: testing plan + TLPT readiness program for applicable entities.
Primary sources

References and citations

Related guides

Explore more topics

DORA Applicability Test | Is EU DORA Applicable to Your Entity?
A step-by-step EU DORA applicability test (Regulation (EU) 2022/2554): determine if you are a covered financial entity under Article 2.
DORA FAQ (EU) - Scope, Deadlines, Reporting, TLPT, RoI, and Third-Party Risk
High-signal answers to the most searched DORA questions: who is in scope, when DORA applies (17 Jan 2025), what "critical or important functions" means.
DORA ICT Risk Management Control Baseline | Chapter II + RTS 2024/1774
A deep DORA ICT risk management baseline: how to implement Chapter II of Regulation (EU) 2022/2554 as controls with acceptance criteria and evidence.
DORA ICT Third-Party Risk Management + Contract Clauses | Article 28-30 + RTS 2024/1773 + RTS 2025/532
A deep guide to DORA ICT third-party risk: build the third-party risk strategy (Article 28), implement due diligence + ongoing monitoring.
DORA Major ICT Incident Reporting | Articles 17-20 + RTS 2024/1772 + 2025/301
A practical DORA major incident reporting guide: build the Article 17 and 19 workflow, apply RTS 2024/1772 classification and RTS 2025/301 timing rules.
DORA Penalties, Fines, and Enforcement | Articles 50-55 + Oversight Penalty Payments
A practical DORA enforcement guide: how competent authorities' supervisory/investigatory/sanctioning powers work (Article 50).
DORA Register of Information (RoI) - How to Build It | Article 28 + ITS 2024/2956
Build an audit-ready DORA Register of Information (RoI): define scope and relational keys.
DORA Register of Information (RoI) Template Guide | ITS 2024/2956 Annex Templates (B_01-B_07)
A practical guide to the DORA Register of Information templates: understand the ITS schema (Implementing Regulation (EU) 2024/2956).
DORA Testing & TLPT Readiness | Chapter IV + TIBER-EU Execution Guide
A deep DORA testing and TLPT readiness guide: build the Chapter IV testing program, prepare remediation and validation.
DORA vs ISO/IEC 27001:2022 | Mapping Controls, Evidence, and Audit Readiness
A deep DORA vs ISO 27001 comparison: where ISO/IEC 27001:2022 helps satisfy DORA ICT risk management and evidence expectations.
DORA vs NIS2 (EU) | Scope, Reporting, Controls, and Overlap for Financial Entities
A deep comparison of DORA and NIS2: who is in scope, what "security measures" mean, incident reporting differences, governance and enforcement posture.
EU DORA Checklist | DORA Compliance Checklist (Audit-Ready)
An audit-ready EU DORA checklist (Regulation (EU) 2022/2554): scope memo and proportionality, ICT risk management control baseline.
EU DORA Compliance Guide | DORA Implementation Playbook
A practical EU DORA compliance guide (Regulation (EU) 2022/2554): how to set up a DORA program, build an ICT risk management control baseline.
EU DORA Requirements | Obligations by Workstream (ICT Risk, Incidents, TLPT, Third Parties)
A practical breakdown of EU DORA (Regulation (EU) 2022/2554) requirements: ICT risk management framework (Chapter II).
EU DORA Scope & Covered Entities | Who Is In Scope (Article 2)
A practical scoping guide for EU DORA (Regulation (EU) 2022/2554): covered financial entities (Article 2), proportionality and simplified frameworks.