HomeRegister of Information › Register deadline
DORA · Deadline & filing calendar

The DORA Register of Information deadline

How often do you file, and by when? The real answer sits in three dates: the data reference date, the European deadline, and your national filing deadline. Here's how they fit together.

In short — The DORA Register of Information is filed once a year. The data reference date is 31 December of the previous year. National authorities must transmit their consolidated registers to the ESAs by 31 March at the latest; in France, the ACPR sets an earlier submission deadline for entities via OneGate — check the exact date for the current cycle.

On this page

An annual obligation

Keeping and filing the DORA Register of Information isn't a one-off exercise: it's an annual obligation for financial entities in scope of DORA. Each year, the register is updated, validated and submitted to the competent authority.

It also isn't a static document you complete once and forget. ICT arrangements start and end, providers change, functions get reclassified — so each year's register can look meaningfully different from the last one. Treat the deadline as the finish line of a data-quality process that runs all year, not a form to fill in during the final week.

The data reference date

The register reflects your situation as at 31 December of the previous calendar year. In practice, the register filed in 2026 describes your ICT arrangements as at 31 December 2025. Anything that took effect after that date belongs to the following cycle.

That reference date applies to the data, not to when you compile it. Nothing stops you from preparing and validating the register well in advance of the deadline, as soon as the year-end data is settled — in fact, that's exactly what avoids the last-minute rush described below.

The European filing calendar

31 Dec N-1Data reference date for the register.
NCA deadlineEntities file with their national competent authority — set by each authority, ahead of 31 March.
31 March NTransmission of the consolidated registers by national authorities to the ESAs (European Supervisory Authorities).

The gap between your national deadline and 31 March exists because your authority needs time to receive, check and consolidate every supervised entity's register into a single national submission before forwarding it to the ESAs. The earlier its own cut-off, the more entities — or the more complex registers — it typically has to process.

The date that concerns you isn't the ESAs' — it's the earlier deadline set by your own national authority.

In France: the ACPR deadline

Because national authorities must transmit to the ESAs by 31 March, they set entities an earlier submission deadline to leave time for collection and consolidation. In France, filing goes through the ACPR's OneGate portal. The exact deadline for the current cycle should be confirmed with the ACPR.

Operating in more than one country

Entities that operate in several EU member states, or whose group includes subsidiaries supervised by different authorities, are effectively working to more than one deadline: each national competent authority can set its own submission window ahead of the 31 March ESAs cut-off. A calendar built around one entity's ACPR filing won't necessarily match the deadline a subsidiary faces with its own home regulator. Build the group's internal timeline around the earliest deadline across all jurisdictions involved, not an average of them.

Not to be confused with other DORA deadlines

DORA sets several distinct obligations, each on its own timing — mixing them up is a common source of confusion. The Register of Information follows the annual calendar described above. It is separate from major ICT-related incident reporting, which follows an initial/intermediate/final notification timeline triggered by the incident itself rather than a fixed date, and from threat-led penetration testing (TLPT), which runs on a multi-year cycle set by the authority for the entities in its scope. If you're checking a "DORA deadline," make sure it's the one for the obligation you actually mean.

Why you should start early

The deadline itself is rarely the problem — gathering the data is. Tracking down every ICT arrangement, valid LEIs, the criticality of each function and the subcontracting chain takes weeks; technical validation is fast once the data is in hand. A realistic way to work backwards from the deadline:

Start from a checklist of what to gather, then follow the step-by-step method to build the register itself.

Meeting the deadline with a file that gets bounced isn't meeting the deadline. Before you submit, check why registers get rejected — most rejections are avoidable technical issues, not late filings.

Be ready before the deadline, not the day before

DoraReady checks your register against the EBA's 116 validation rules, flags line by line what would cause a rejection, and generates the xBRL-CSV package — so you're ready without a last-minute rush. Everything runs in your browser: your data never leaves your machine.

Run the free diagnostic

Frequently asked questions

Is the register filed every year?
Yes: keeping and filing the register is an annual obligation for entities in scope of DORA.
What is the data reference date?
31 December of the previous year. The 2026 register reflects the situation as at 31/12/2025.
What is the deadline in France?
Authorities transmit to the ESAs by 31 March at the latest; the ACPR sets an earlier submission deadline for entities upstream, via OneGate — exact date to confirm with the ACPR.
Does DoraReady guarantee acceptance?
No. It reduces the risk of technical rejection by checking the file before submission; it does not replace the regulator's review and does not guarantee acceptance.

← The complete DORA register guide · Lire en français →