The DORA Register of Information deadline
How often do you file, and by when? The real answer sits in three dates: the data reference date, the European deadline, and your national filing deadline. Here's how they fit together.
In short — The DORA Register of Information is filed once a year. The data reference date is 31 December of the previous year. National authorities must transmit their consolidated registers to the ESAs by 31 March at the latest; in France, the ACPR sets an earlier submission deadline for entities via OneGate — check the exact date for the current cycle.
An annual obligation
Keeping and filing the DORA Register of Information isn't a one-off exercise: it's an annual obligation for financial entities in scope of DORA. Each year, the register is updated, validated and submitted to the competent authority.
It also isn't a static document you complete once and forget. ICT arrangements start and end, providers change, functions get reclassified — so each year's register can look meaningfully different from the last one. Treat the deadline as the finish line of a data-quality process that runs all year, not a form to fill in during the final week.
The data reference date
The register reflects your situation as at 31 December of the previous calendar year. In practice, the register filed in 2026 describes your ICT arrangements as at 31 December 2025. Anything that took effect after that date belongs to the following cycle.
That reference date applies to the data, not to when you compile it. Nothing stops you from preparing and validating the register well in advance of the deadline, as soon as the year-end data is settled — in fact, that's exactly what avoids the last-minute rush described below.
The European filing calendar
The gap between your national deadline and 31 March exists because your authority needs time to receive, check and consolidate every supervised entity's register into a single national submission before forwarding it to the ESAs. The earlier its own cut-off, the more entities — or the more complex registers — it typically has to process.
The date that concerns you isn't the ESAs' — it's the earlier deadline set by your own national authority.
In France: the ACPR deadline
Because national authorities must transmit to the ESAs by 31 March, they set entities an earlier submission deadline to leave time for collection and consolidation. In France, filing goes through the ACPR's OneGate portal. The exact deadline for the current cycle should be confirmed with the ACPR.
Operating in more than one country
Entities that operate in several EU member states, or whose group includes subsidiaries supervised by different authorities, are effectively working to more than one deadline: each national competent authority can set its own submission window ahead of the 31 March ESAs cut-off. A calendar built around one entity's ACPR filing won't necessarily match the deadline a subsidiary faces with its own home regulator. Build the group's internal timeline around the earliest deadline across all jurisdictions involved, not an average of them.
Not to be confused with other DORA deadlines
DORA sets several distinct obligations, each on its own timing — mixing them up is a common source of confusion. The Register of Information follows the annual calendar described above. It is separate from major ICT-related incident reporting, which follows an initial/intermediate/final notification timeline triggered by the incident itself rather than a fixed date, and from threat-led penetration testing (TLPT), which runs on a multi-year cycle set by the authority for the entities in its scope. If you're checking a "DORA deadline," make sure it's the one for the obligation you actually mean.
Why you should start early
The deadline itself is rarely the problem — gathering the data is. Tracking down every ICT arrangement, valid LEIs, the criticality of each function and the subcontracting chain takes weeks; technical validation is fast once the data is in hand. A realistic way to work backwards from the deadline:
- Months ahead: inventory every ICT contractual arrangement and assign each one a unique reference.
- Weeks ahead: verify every provider's LEI on GLEIF and confirm none has lapsed.
- Before your internal cut-off: classify which functions are critical or important and consolidate the subcontracting chain.
- Just before submission: check cross-template consistency and generate the xBRL-CSV package — the fast part, once the data is ready.
Start from a checklist of what to gather, then follow the step-by-step method to build the register itself.
Meeting the deadline with a file that gets bounced isn't meeting the deadline. Before you submit, check why registers get rejected — most rejections are avoidable technical issues, not late filings.
Be ready before the deadline, not the day before
DoraReady checks your register against the EBA's 116 validation rules, flags line by line what would cause a rejection, and generates the xBRL-CSV package — so you're ready without a last-minute rush. Everything runs in your browser: your data never leaves your machine.
Run the free diagnostic