DORA Compliance: The Clock Is Ticking β€” Are You Ready? Register of Information (RoI) Window β€” 2 to 31 March 2026

DORA is now in force and regulators across the EU are moving quickly from expectation to enforcement. With critical deadlines approaching for the Register of Information and ongoing TLPT engagement, firms must ensure their reporting, governance, and third-party oversight are operationally ready β€” not just documented.

Key Facts
Applicable since
17 January 2025
RoI submission window
2–31 March 2026
Regulation
EU 2022/2554

The Digital Operational Resilience Act is in force across the EU and regulators are moving from talk to action. DORA's aim is clear: financial entities must be able to withstand, respond to, and recover from ICT disruptions, cyber-attacks, and technology failures. Supervisory authorities are actively expecting firms to demonstrate operational resilience β€” every day.

Key Deadlines

Deadline passed β€” immediate priority
Register of Information
All in-scope financial entities must submit their RoI for contractual arrangements with ICT third-party providers, covering data as of 31 December 2025.
Submission window: 2 to 31 March 2026
Ongoing 2026
Threat-Led Penetration Testing
Firms identified as in scope will be engaged by the regulator for advanced TLPT. Readiness is now a practical priority, not an optional exercise.
At least every three years for significant institutions

Implications of Not Reporting

Supervisors have broad enforcement powers
Failing to meet RoI requirements β€” or submitting incomplete or poor-quality data β€” is not acceptable. Early submission is strongly recommended to allow time to identify and fix errors before the deadline closes.

The Reality for European SMEs

Across the EU, many smaller and mid-sized financial entities are reaching out because these requirements are material and immediate. DORA's expectations are operational β€” not theoretical β€” and the time to act is now.

Still finalising your governance framework?
Regulators are already using DORA's standards as the baseline for supervision. If your ICT risk framework, third-party inventory, or incident reporting procedures are not fully documented, that gap is visible to your regulator now.
Where does your organisation stand on DORA?
Morclear's DORA Gap Assessment covers all obligations across Articles 5 to 44 β€” delivering a scored report with RAG ratings and a prioritised remediation roadmap in two weeks for a fixed fee of 999 euro.
Book Free Scoping Call View DORA Playbook
TAKE ACTION

The August 2026 deadline is 4 months away.

Run your free assessment and download the playbook β€” both free, both ready now.

Run Free Assessment β†’ Download Playbook
← Back to Morclear Brief