Compliance CalendarEU

EU DORA deadlines and compliance calendar

Use this page to calendar source-linked DORA dates and recurring evidence work for financial entities: application, incident reporting, register of information, annual reporting, TLPT, and critical ICT third-party oversight.

The dates below are grounded in DORA, delegated and implementing regulations, and ESA publications. They are not a substitute for the competent authority calendar that applies to a specific financial entity.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA calendar work should separate fixed legal dates from event-triggered clocks. The fixed anchor is 17 January 2025, when Regulation (EU) 2022/2554 applies. After that, most useful calendar entries are recurring or trigger-based: major ICT incident reporting clocks, register-of-information updates and annual reporting, TLPT cycles for identified entities, and oversight milestones for critical ICT third-party providers.

Section 1

Fixed DORA dates to put on the compliance calendar

Start the calendar with the legal application date and the implementation instruments that change how teams report or maintain evidence. DORA was published in the Official Journal on 27 December 2022, entered into force on 16 January 2023, and applies from 17 January 2025.

For evidence planning, keep separate calendar rows for the 2024 register templates, the 2025 major incident reporting RTS and ITS, the 2025 TLPT criteria RTS, and the ESA publication of the first list of designated critical ICT third-party providers. These milestones do not replace entity-specific supervisory submissions, but they explain which template, clock, or oversight framework the entity should be using.

  • 27 December 2022: DORA was published in the Official Journal.
  • 16 January 2023: DORA entered into force.
  • 2 December 2024: Implementing Regulation (EU) 2024/2956 on register-of-information templates was published in the Official Journal.
  • 17 January 2025: DORA applies.
  • 20 February 2025: Delegated Regulation (EU) 2025/301 on major incident notification and report time limits, and Implementing Regulation (EU) 2025/302 on reporting forms, templates, and procedures, were published in the Official Journal.
  • 13 February 2025: Delegated Regulation (EU) 2025/1190 set TLPT identification criteria and TLPT process requirements.
  • 18 November 2025: the ESAs published the first list of designated critical ICT third-party providers under DORA.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports the DORA publication, entry-into-force, and 17 January 2025 application anchors.
Implementing Regulation (EU) 2024/2956 on register templates
Supports the 2 December 2024 register-of-information template milestone and the standard template basis for register evidence.
Delegated Regulation (EU) 2025/301 on incident report time limits
Supports the 20 February 2025 incident-reporting RTS milestone and the reporting clocks used later on this page.
Section 2

Event-triggered major ICT incident reporting clocks

Do not calendar major incident reporting as a single annual date. Calendar it as a playbook clock that starts when an ICT-related incident is detected, assessed, and classified as major under the DORA incident-classification rules.

Delegated Regulation (EU) 2025/301 sets the time limits. The initial notification is due as early as possible, within four hours from classification as major, and no later than 24 hours from when the financial entity became aware of the incident. If the entity classifies the incident as major only after the first 24 hours, the initial notification is due within four hours from that later classification. The intermediate report is due within 72 hours from the initial notification. The final report is due no later than one month after the intermediate report, or after the latest updated intermediate report.

  • Calendar trigger: incident detected, awareness time recorded, classification assessment opened, and major-incident classification time recorded.
  • Initial notification evidence: detection time, classification time, classification criteria, affected entity information, contact points, description, and available impact data.
  • Intermediate report evidence: updated incident status, impact, mitigation and recovery actions, and any change since the initial notification.
  • Final report evidence: resolution dates and times, root cause, costs and losses where applicable, resolution information, and recurring-incident information where applicable.
  • Dependency to track: Implementing Regulation (EU) 2025/302 supplies the reporting templates and allows combined submissions only where recovery or root-cause analysis is complete and the Delegated Regulation (EU) 2025/301 time limits are still met.
  • Exception handling: if a deadline cannot be met, record the notice to the competent authority, the reason for delay, and whether a weekend or bank-holiday rule is available for that entity type.
Sources for this answer
Delegated Regulation (EU) 2025/301 on incident report time limits
Supports the four-hour, 24-hour, 72-hour, and one-month reporting clocks for major ICT-related incidents.
Implementing Regulation (EU) 2025/302 on incident reporting templates
Supports the use of standard forms, templates, secure electronic channels, outsourcing notices, reclassification notices, and combined submissions for DORA incident reporting.
Delegated Regulation (EU) 2024/1772 on ICT incident classification
Supports the incident-classification dependency before the major-incident reporting clocks can be applied.
Section 3

Register-of-information and third-party risk calendar

The register calendar has two layers: an always-current operational register and the reporting rhythm required by DORA. DORA requires financial entities to maintain and update, at entity level and at sub-consolidated and consolidated levels, a register of information for all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

DORA also requires at least yearly reporting to competent authorities on new ICT service arrangements, provider categories, contractual arrangement types, and the ICT services and functions provided. The register should therefore be updated when a contract starts, changes, ends, a supporting function becomes critical or important, or a subcontracting chain changes, and reviewed before the annual reporting cycle.

  • Standing owner: ICT third-party risk or outsourcing owner maintains the register, with legal, procurement, technology, and business-service inputs.
  • Calendar triggers: new ICT service contract, contract amendment, exit or termination, supplier change, intra-group ICT service change, subcontractor change, or a function becoming critical or important.
  • Annual reporting evidence: count of new arrangements, ICT third-party service provider categories, contractual arrangement types, ICT services, and supported functions.
  • Template evidence: contractual arrangement reference number, financial entity LEI and country, date of last update, date of integration, start date of contractual arrangement, ICT service type, and critical-or-important function indicators where required by the template.
  • Authority-request evidence: the full register, specified sections of the register, and supporting information needed for effective supervision.
  • Template maintenance: track the 19 September 2025 corrigendum to Implementing Regulation (EU) 2024/2956 when validating register template fields.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports the obligation to maintain and update the register and report at least yearly to competent authorities.
Implementing Regulation (EU) 2024/2956 on register templates
Supports the standard register template fields and relational structure used for DORA register evidence.
Corrigendum to Implementing Regulation (EU) 2024/2956
Supports the September 2025 register-template corrigendum milestone for template maintenance checks.
Section 4

TLPT and resilience testing cadence

DORA creates both general resilience-testing cadence and advanced TLPT cadence. Financial entities other than microenterprises must ensure, at least yearly, appropriate tests on all ICT systems and applications supporting critical or important functions. Identified financial entities must also carry out advanced testing by means of TLPT at least every three years, unless the competent authority changes the frequency based on risk profile and operational circumstances.

For TLPT, the compliance calendar should start when the TLPT authority notifies the financial entity that a TLPT is to be carried out. Delegated Regulation (EU) 2025/1190 then creates planning and closure dependencies: initiation information within three months of notification, scope specification within six months of notification, active red team testing lasting at least 12 weeks, red team report within four weeks after active testing ends, blue team report and replay/purple teaming no later than 10 weeks after active testing ends, and the summary report and remediation documentation within eight weeks of the relevant TLPT authority notification.

  • Annual testing row: test ICT systems and applications supporting critical or important functions, log findings, remediation ownership, validation evidence, and management review.
  • Three-year TLPT row for identified entities: maintain the next TLPT due date, competent-authority frequency changes, and whether the prior test used internal or external testers.
  • Authority notification trigger: open TLPT initiation tasks, project charter, control team, tester and threat-intelligence provider procurement, communication channels, and code name.
  • Scope dependency: include several or all critical or important functions and live production systems supporting those functions; competent authorities validate the TLPT scope.
  • Closure evidence: red team report, blue team report, replay and purple teaming outcomes, summary findings report, remediation plan, and TLPT attestation records.
  • Tester dependency: DORA requires external testers at least every three tests when the entity uses internal testers.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports the yearly testing requirement for critical or important functions and the at-least-every-three-years TLPT cadence.
Delegated Regulation (EU) 2025/1190 on TLPT
Supports TLPT identification criteria, notification-triggered initiation, scope, testing phase, closure, remediation, and authority-validation milestones.
Section 5

Practical evidence calendar fields

A useful DORA calendar should not be a list of dates alone. Each row should show which legal source created the obligation, what event starts the clock, who owns the response, what evidence must exist, and what authority or template dependency applies.

Use separate row types for fixed milestones, event-triggered clocks, recurring reviews, authority-request items, and template-maintenance changes. That separation prevents teams from treating incident reports, register updates, and TLPT cycles as the same kind of deadline.

  • Date or trigger: fixed calendar date, annual review month, authority notification, incident awareness time, major classification time, contract start or change, or template corrigendum.
  • DORA area: ICT risk management, incident reporting, register of information, ICT third-party risk, TLPT, or CTPP oversight.
  • Affected cohort: all in-scope financial entities, entities other than microenterprises, identified TLPT entities, entities with ICT third-party arrangements, or designated CTPPs.
  • Clock rule: fixed date, at least yearly, at least every three years, within four hours, no later than 24 hours, within 72 hours, one month, three months, six months, 12-week minimum, four weeks, 10 weeks, or eight weeks.
  • Evidence required: source citation, owner, approval record, template version, submission copy, authority correspondence, register extract, test report, remediation plan, or attestation.
  • Reopen trigger: incident reclassification, missed reporting deadline, competent-authority request, contract change, function-criticality change, template corrigendum, TLPT authority notification, or CTPP designation update.
Sources for this answer
Regulation (EU) 2022/2554 (DORA)
Supports the calendar categories covering ICT risk management, testing, incident reporting, and ICT third-party risk obligations.
ESAs designate critical ICT third-party providers under DORA
Supports the 18 November 2025 milestone for the first published list of designated critical ICT third-party providers.
Recommended next step

Build a DORA calendar that tracks clocks, templates, owners, and proof

Sorena can help convert DORA incident, register, TLPT, and third-party-risk milestones into source-linked calendar rows with owners, evidence fields, and review triggers.

Research workflow
Open Research Copilot for EU DORA

Ask source-linked questions about DORA dates, incident reporting clocks, register evidence, TLPT cadence, and cited sources.

Explore next step
Talk to Sorena
Talk through implementation

Review your DORA compliance calendar, evidence gaps, and authority-specific dependencies with Sorena.

Explore next step
Primary sources

References and citations

Delegated Regulation (EU) 2025/1190 on TLPT
eur-lex.europa.eu
Referenced sections
  • Supports TLPT identification criteria, notification-triggered initiation, scope, testing phase, closure, remediation, and authority-validation milestones.
"initiate a TLPT following a notification"
Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Supports the calendar categories covering ICT risk management, testing, incident reporting, and ICT third-party risk obligations.
"digital operational resilience for the financial sector"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How does proportionality work under EU DORA?
A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.