Deadline

DORA has applied to financial entities since 17 January 2025

Deadline: 17 Jan 2025 (verified 4 Jul 2026)

What changed

Regulation (EU) 2022/2554 (DORA) has applied since 17 January 2025. It sets uniform requirements for the digital operational resilience of financial entities and their critical ICT third-party providers: ICT risk management, incident classification and reporting, resilience testing, and third-party risk oversight including the register of information.

Why it matters

DORA is live law: supervisors can already ask financial entities for evidence — the register of information, incident reports, testing results. This is an ongoing evidence obligation, not a one-off project.

Who is affected

Banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers and other financial entities in the EU — plus the ICT providers that serve them.

What to check next

Confirm your register of information is current, your incident classification and reporting flow matches the technical standards now in the Official Journal, and your resilience-testing programme is documented.

Key dates

  • 2022-12-27: Published in the Official Journal
  • 2025-01-17: DORA applies

Source: EUR-Lex, Regulation (EU) 2022/2554 (DORA)
Document: Regulation (EU) 2022/2554 — CELEX 32022R2554
Verified by Trusq against this source on 4 Jul 2026. Trusq publishes only what it can trace to an official source; the source text prevails. Not legal advice.