Regulatory Timeline
Key DORA and NIS2 deadlines and milestones
Complete Timeline
DORA Published in Official Journal
Regulation (EU) 2022/2554 officially published.
DORA Entry into Force
DORA regulation entered into force, starting the 24-month implementation period.
First RTS/ITS Batch Published
First batch of regulatory and implementing technical standards published by ESAs.
Second RTS/ITS Batch Published
Second batch including ICT third-party risk management standards.
NIS2 National Transposition Deadline
Deadline for EU member states to transpose NIS2 into national law.
DORA Full Application
DORA becomes fully applicable. All financial entities must comply.
Learn moreRegister of ICT Third-Party Providers
Deadline for submitting information to the register of ICT third-party service providers.
First TLPT Reports Due
First Threat-Led Penetration Testing reports due for significant entities.
Legacy Contract Review Deadline
Deadline for reviewing and updating existing ICT third-party contracts.
First Annual DORA Compliance Report
First annual report on ICT risk management framework to competent authorities.
Critical ICT Provider Designation
ESAs to designate critical ICT third-party service providers subject to oversight.
DORA Review Report
European Commission to submit report on DORA implementation and potential amendments.