DORA Penalties & Enforcement
DORA is enforced through administrative penalties, remedial measures, and, for critical ICT third-party providers, periodic penalty payments. Competent authorities can require entities to fix deficiencies, impose fines set under national law, and publish decisions. For designated critical providers, the EU overseer can levy penalty payments of up to 1% of average daily worldwide turnover per day, for up to six months, until they comply.
Headline exposure
Administrative penalties and remedial measures
For financial entities, DORA requires member states to give competent authorities the power to impose administrative penalties and remedial measures for breaches. The regulation deliberately leaves the specific amounts to national law, so the maximum fine differs across the EU. Beyond fines, authorities can order an entity to cease conduct, require specific remediation, and demand changes to its ICT risk-management framework. Penalties must be effective, proportionate, and dissuasive, and authorities weigh factors such as the gravity and duration of the breach, the degree of responsibility, and the entity's financial strength.
Liability of individuals
Because DORA treats operational resilience as a governance matter, enforcement is not limited to the legal entity. Administrative penalties and measures can reach members of the management body and other natural persons responsible for a breach. This reinforces the message across the five pillars that accountability sits at board level, not solely with the IT function.
Criminal penalties (member-state discretion)
DORA establishes an administrative enforcement regime but expressly allows member states to decide not to lay down administrative penalties for breaches that are already subject to criminal penalties under national law. In practice this means the exposure for a given breach depends on the member state: some rely purely on administrative sanctions, others layer criminal liability on top. Multinational entities should map their obligations per jurisdiction.
Periodic penalty payments for critical ICT providers
The strongest financial tool in DORA applies to critical ICT third-party providers under the pan-EU oversight framework. Where such a provider does not comply with a request or recommendation from its lead overseer, the overseer can impose periodic penalty payments to compel compliance, up to 1% of the provider's average daily worldwide turnover in the preceding business year, imposed on a daily basis for up to six months. This is a coercive measure designed to force cooperation from the large cloud, data, and software providers on which the financial sector depends.
Publication of decisions (naming and shaming)
Competent authorities must generally publish administrative penalties and measures on their official websites, including the type of breach and the identity of the entity, unless publication would be disproportionate or jeopardise an investigation or financial stability. The reputational impact of publication often outweighs the direct financial penalty, particularly for entities whose clients value resilience.
Member-state divergence
Because so much of the penalty regime is set nationally, the practical consequences of non-compliance vary across the EU. A breach that draws a modest administrative fine in one member state might attract a larger penalty, or criminal exposure, in another. Entities operating across borders should not assume a single, uniform sanction ceiling. To reduce exposure, close gaps proactively: work through the compliance checklist and benchmark with the Readiness Score.
Frequently asked questions
What is the maximum fine under DORA?
DORA does not set a single EU-wide maximum for financial entities, administrative penalties are set by national law, so the ceiling varies by member state. For designated critical ICT third-party providers, the overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover, levied daily for up to six months.
Can individuals be held liable under DORA?
Yes. DORA allows administrative penalties and measures to be applied to members of the management body and other individuals responsible for a breach, reflecting that ICT risk is a board-level obligation. Some member states may also apply criminal penalties.
Does DORA impose criminal penalties?
DORA itself sets an administrative enforcement regime, but it allows member states to lay down criminal penalties for certain breaches. Whether criminal liability applies therefore depends on how each member state has transposed and supplemented the regime in national law.
What happens if a major incident is not reported?
Failing to report a major ICT-related incident on time is a breach of the incident-reporting obligations and can attract administrative penalties and remedial measures. Use our incident classifier to gauge whether an incident is reportable.