
Anaelle Guez
Co-founder & CEO, Compliance
DORA Compliance Deadline Tracker: Key Dates and Action Items for 2026
DORA became fully applicable on January 17, 2025. But 2026 is the year enforcement bites, with deadlines for the register of information, threat-led penetration testing, and third-party oversight landing throughout the year.
Who does DORA apply to?
DORA applies to virtually all financial entities in the EU: banks, insurers, investment firms, payment institutions, crypto-asset service providers, central counterparties, and trade repositories. ICT third-party service providers that the ESAs designate as critical (CTPPs) under Article 31 fall under direct EU-level oversight; every other cloud provider, SaaS company, and IT firm serving a financial entity is indirectly in scope, because its customer must flow DORA's contractual requirements (Article 30) and register-of-information obligations down to it.
22,000+ entities in scope | 5 pillars | €10M+ max penalties | 2026 full enforcement
Register of information submission
Financial entities must maintain a register of information covering all contractual arrangements with ICT third-party service providers (DORA Article 28(3)) and submit it to their competent authority on the reporting cycle the authority sets (the ESAs run an annual collection). The register must identify which arrangements support critical or important functions, assess ICT concentration risk, and document that each contract contains the provisions DORA requires.
Advanced penetration testing (TLPT)
Financial entities identified by their competent authority as required to do so must run threat-led penetration testing (TLPT) under DORA Article 26, at least every three years, on live production systems supporting critical or important functions. Testers must meet the Article 27 requirements; internal testers may be used only under conditions, and an external tester must be engaged at least every third test. A summary of findings and the remediation plan are submitted to the competent authority, which issues an attestation.
Critical ICT provider designation
The European Supervisory Authorities (ESAs) are expected to publish the list of ICT third-party service providers designated as critical under Article 31. Designation places a provider under a Lead Overseer with powers to request information, conduct inspections, issue recommendations, and impose daily periodic penalty payments of 1% of the provider's average daily worldwide turnover, for up to six months, for failing to comply with those recommendations.
Annual ICT risk management review
DORA Article 6(5) requires the ICT risk management framework to be documented and reviewed at least once a year, and additionally after major ICT-related incidents and following supervisory instructions or conclusions from resilience testing or audits. Entities must document lessons learned, update risk assessments, review business continuity and response-and-recovery plans, and demonstrate continuous improvement.
The five pillars of DORA
ICT risk management framework: governance, policies, and procedures
ICT incident reporting: classification, notification, and post-incident analysis
Digital operational resilience testing: basic and advanced (TLPT)
ICT third-party risk management: due diligence, contractual safeguards, concentration risk
Information sharing: voluntary cyber threat intelligence exchanges
How Cleo helps with DORA compliance
Cleo monitors all DORA-related regulatory developments in real time, from ESA technical standards to national competent authority guidance. When new requirements are published or deadlines shift, Cleo generates contextual alerts with risk scores, affected obligations, and recommended actions specific to your entity type.
Frequently asked questions
What is DORA and when is it applicable?
DORA (Digital Operational Resilience Act, Regulation EU 2022/2554) became fully applicable on January 17, 2025. It requires financial entities in the EU, including banks, insurers, investment firms, payment institutions, and crypto-asset service providers, to implement comprehensive ICT risk management frameworks, incident reporting mechanisms, resilience testing programs, and third-party risk oversight, and it places ICT third-party providers designated as critical under direct oversight by the ESAs.
What are the key DORA deadlines in 2026?
Key DORA deadlines in 2026 include: (Q1) completion of the register of information on ICT third-party arrangements and submission to competent authorities, (Q2) first round of threat-led penetration testing (TLPT) for entities identified as required to perform it, (Q3) publication of the critical ICT third-party provider list by the ESAs, (Q4) completion of the first annual ICT risk management framework review. Financial entities should also prepare for potential on-site inspections by competent authorities.
Related resources
Guides
DORA Compliance Guide
Try Cleo: free regulatory risk scan
See your regulatory landscape mapped in minutes. No signup, no credit card.