DORA implementation timeline: what financial firms should have done by now

A retrospective and forward-looking timeline of DORA's implementation, from entry into force through the 2026 shift into active supervision, with a self-assessment prompt at every milestone so compliance teams can check their own progress against the regulatory clock.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.

A timeline is only useful if it tells you where you stand

Most DORA timelines list dates. This one is built around a different question: at each milestone, what should a compliance team already have done, and what does the milestone itself reveal about where the rest of the sector stands?

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has been fully applicable since 17 January 2025. The regulation itself is settled. What has changed since then, and what continues to change through 2026 and beyond, is the supervisory posture around it: how closely national competent authorities are looking, what evidence they expect on demand, and what the European Supervisory Authorities (ESAs) have done with the oversight powers DORA gave them over critical ICT third-party providers.

For a full breakdown of DORA’s five compliance pillars, see the DORA compliance checklist for financial entities. For the third-party register and contractual requirements specifically, see DORA and ICT third-party risk. This article focuses purely on sequencing: what happened, in what order, and what each step implies for a firm’s own self-assessment.

Before application: the two-year run-up

DORA entered into force in January 2023, two years before it began to apply. That interval was deliberate. It gave the ESAs time to draft the regulatory and implementing technical standards that fill in the operational detail DORA’s own text leaves open, and it gave financial entities time to build the frameworks those standards would require.

The first batch of final draft technical standards, covering ICT risk management tools and the criteria for incident classification, was delivered by the Joint Committee of the ESAs in January 2024. A second batch, including the technical standards on subcontracting and on the conditions for ESA oversight activities, followed through mid-2024. Firms that began building their ICT risk frameworks only after the regulation’s application date were, in effect, building against standards that had already been public for the better part of a year.

Self-assessment prompt: if your firm’s DORA programme started after January 2025, has anyone gone back and checked it against the RTS and ITS that were already final by then, or was it built against the headline regulation alone?

17 January 2025: full application

DORA became binding across the EU on this date. All five pillars (ICT risk management; incident classification and reporting; resilience testing; third-party risk management; and information sharing) applied simultaneously to the full population of in-scope entities: banks, investment firms, payment and e-money institutions, insurers, pension funds, crypto-asset service providers, and more.

National competent authorities have generally described 2025 as a period focused on assessing readiness and identifying gaps rather than issuing formal sanctions. That description matters less than what it implies: firms that treated 2025 as a grace period, rather than as the first year of active supervision, are now working from a weaker starting position than firms that treated the application date as the real deadline it was.

Self-assessment prompt: can your firm produce, today, a board-approved ICT risk management framework that was reviewed within the last twelve months, or would producing one require new work rather than retrieval?

30 April 2025: registers of information submitted

Financial entities were required to compile a register of information detailing their ICT third-party contractual arrangements, and competent authorities were required to submit those registers, in the harmonised format set out in the implementing technical standards, to the ESAs by this date.

This was the first point at which the scale of the third-party risk landscape became visible at EU level rather than only within individual firms. It also exposed the quality of firms’ own data. Supervisors in several member states have noted that a meaningful share of submitted registers were incomplete, particularly on subcontracting chains and on the geographic location of data processing, two fields that are genuinely difficult to populate without supplier cooperation.

Self-assessment prompt: if your firm had to resubmit its register of information today, would it be more complete than the version submitted in April 2025, or would the same gaps reappear?

July 2025: critical provider notifications

Using the data gathered through the registers of information, the ESAs carried out the criticality assessment mandated by DORA and began notifying ICT third-party providers that they were being considered for designation as critical ICT third-party providers (CTPPs). Providers given this notice had a six-week window to respond with a reasoned statement contesting the assessment. In parallel, the ESAs published their supervisory approach to CTPP oversight, setting out how the lead overseer model and joint examination teams would operate once designations were finalised.

This step is easy for financial entities to overlook, since it concerns the providers rather than the firms that use them. It matters because it set the clock running on a designation that, once made, changes the regulatory status of specific vendor relationships in a firm’s own third-party register.

Self-assessment prompt: does your firm’s vendor register flag which providers were under criticality assessment during this window, or did this step pass without anyone connecting it to your own contract list?

18 November 2025: the first CTPP list

The ESAs designated the first cohort of critical ICT third-party providers under DORA: nineteen providers, spanning hyperscale cloud infrastructure, data centre operations, network and connectivity providers, and financial services-specific technology vendors. Each designated provider was assigned a lead overseer, drawn from EBA, ESMA, or EIOPA depending on the sector it primarily serves, and each must now maintain an EU coordination point and pay annual oversight fees to its lead overseer.

For financial entities, designation does not reduce their own obligations. A firm using a designated CTPP still owns its contractual due diligence, its own risk assessment of the relationship, and its own exit plan. What changes is that the provider’s risk management and governance framework is now subject to direct ESA oversight, and providers found persistently non-compliant face periodic penalty payments of up to one percent of average daily worldwide turnover for each day of continued breach, for up to six months. The ESAs have confirmed the list will be reviewed and republished annually, so the population of designated providers is not fixed.

Self-assessment prompt: does your firm’s ICT third-party register identify which of your providers appear on the current CTPP list, and has anyone checked whether your contracts with those providers already include the cooperation obligations the oversight framework expects?

17 December 2025: the auditor scope question answered, for now

Article 58(3) of DORA required the European Commission, after consulting the ESAs and the Committee of European Auditing Oversight Bodies, to report by 17 January 2026 on whether statutory auditors and audit firms should be brought within DORA’s scope. The Joint Committee of the ESAs delivered its input on 17 December 2025, concluding that the costs of extending DORA to auditors, given the digital resilience provisions auditors already operate under through existing audit oversight legislation, outweighed the benefits, and that inclusion was not warranted at this stage.

This is a scope question rather than a compliance deadline, but it is worth tracking for two reasons. First, it confirms that DORA’s perimeter is not permanently fixed; the regulation contains built-in review clauses that can expand its reach. Second, audit firms that had begun preparing for potential inclusion now have a clearer, though not permanent, basis for sequencing that work behind other priorities.

Self-assessment prompt: if your firm relies on external auditors handling sensitive financial data, has this scope decision changed how you assess the digital resilience of that relationship, or did it go unnoticed?

2026: the year supervision changed character

Multiple national competent authorities, and the European Central Bank in its supervision of significant credit institutions, have described 2026 as the year DORA supervision moved from documentation review toward demonstrable, evidenced compliance. The European Banking Authority’s February 2026 follow-up to its earlier peer review of ICT risk assessment within the Supervisory Review and Evaluation Process noted material advances in supervisory capacity and more consistent application of supervisory tools across competent authorities, attributing much of that progress directly to DORA’s application since January 2025. The ECB has formally folded ICT risk into the SREP cycle for the banks it supervises directly.

Several compliance advisory firms tracking supervisory activity report that formal enforcement actions, where they come, are expected to begin landing in the second half of 2026, following baseline assessment work conducted through 2025 and early 2026. That timing is not yet confirmed by any single official source, and firms should treat it as a working assumption rather than a fixed date. What is consistent across supervisory commentary is the direction of travel: examinations are becoming more frequent, more automated in their cross-checking of register data, and less tolerant of frameworks that exist on paper but are not operationally embedded.

Self-assessment prompt: if a competent authority requested, with one week’s notice, evidence that your incident classification methodology has actually been used to classify a real event, could you produce it, or would the methodology only exist as a policy document?

What to watch from here

The CTPP list is reviewed annually, so a second designation round, potentially adding or removing providers, is expected in late 2026. Firms should not treat the November 2025 list as final.

Threat-led penetration testing (TLPT) operates on a three-year cycle for entities designated for it by their national competent authority. Firms identified for TLPT in the early implementation period should be planning their next cycle now rather than waiting for a reminder from their supervisor.

Article 58(1) of DORA requires the European Commission to carry out a broader review of the regulation as a whole and report to the European Parliament and the Council by 17 January 2028. Unlike the narrower auditor scope question, this review covers DORA’s overall functioning and could prompt amendments. It is far enough out that it should inform planning rather than urgency, but it is the next structural checkpoint after the current implementation phase.

How to use this timeline

The value of a retrospective timeline is diagnostic, not decorative. For each milestone above, the honest answer to the self-assessment prompt tells you something specific: whether your framework was built to the standards that existed at the time, whether your data quality has improved since your first submission, whether your vendor register tracks regulatory designations in real time, and whether your documented processes have actually been exercised.

A firm that can answer all of these prompts with confidence is in a materially different position from one that can only point to policy documents. Given that 2026 supervisory activity is explicitly oriented toward evidence rather than paperwork, that distinction is the one competent authorities are now testing for.

For the broader EU regulatory calendar beyond DORA, see EU financial regulation calendar: key deadlines for 2025 and 2026. For how DORA’s requirements interact with NIS2’s overlapping cybersecurity obligations, see DORA vs NIS2: understanding the overlap for financial firms.

Frequently asked questions

When did DORA become fully applicable?

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), became fully applicable across the EU on 17 January 2025. All five compliance pillars applied simultaneously from that date to the full population of in-scope financial entities.

How many critical ICT third-party providers has DORA designated so far?

The European Supervisory Authorities designated the first list of critical ICT third-party providers (CTPPs) on 18 November 2025, comprising nineteen providers across cloud infrastructure, data centres, network services, and financial technology. The list is reviewed and republished annually, so the population of designated providers can change.

What happens to a financial entity if its ICT provider is designated as a CTPP?

Designation does not reduce the financial entity’s own obligations. The firm remains responsible for its own due diligence, contractual provisions, monitoring, and exit planning for that relationship. What changes is that the provider itself becomes subject to direct oversight by a lead overseer drawn from EBA, ESMA, or EIOPA, with powers to issue recommendations and, in cases of persistent non-compliance, periodic penalty payments.

Will statutory auditors be brought within DORA’s scope?

As of the Joint Committee of the ESAs’ report in December 2025, responding to a review required under Article 58(3) of DORA, the ESAs concluded that including statutory auditors and audit firms within DORA’s scope was not warranted at this stage. This conclusion is tied to a specific review clause and is not necessarily permanent.

When is the next major DORA review?

Article 58(1) of DORA requires the European Commission to carry out a broader review of the regulation and report to the European Parliament and the Council by 17 January 2028. This is separate from the narrower, already-completed review of auditor scope under Article 58(3).
