Skip to main content
DORA Auditor

DORA Penalties & Enforcement

Last updated: 3 authoritative sourcesDORA Auditor Editorial Team

DORA is enforced through administrative penalties, remedial measures, and, for critical ICT third-party providers, periodic penalty payments. Competent authorities can require entities to fix deficiencies, impose fines set under national law, and publish decisions. For designated critical providers, the EU overseer can levy penalty payments of up to 1% of average daily worldwide turnover per day, for up to six months, until they comply.

Headline exposure

Critical ICT third-party providers face periodic penalty payments of up to 1% of their average daily worldwide turnover, imposed daily for up to six months. Financial entities face administrative penalties whose ceilings are set by each member state, potentially significant, and applied to firms and responsible individuals alike.

Administrative penalties and remedial measures

For financial entities, DORA requires member states to give competent authorities the power to impose administrative penalties and remedial measures for breaches. The regulation deliberately leaves the specific amounts to national law, so the maximum fine differs across the EU. Beyond fines, authorities can order an entity to cease conduct, require specific remediation, and demand changes to its ICT risk-management framework. Penalties must be effective, proportionate, and dissuasive, and authorities weigh factors such as the gravity and duration of the breach, the degree of responsibility, and the entity's financial strength.

Liability of individuals

Because DORA treats operational resilience as a governance matter, enforcement is not limited to the legal entity. Administrative penalties and measures can reach members of the management body and other natural persons responsible for a breach. This reinforces the message across the five pillars that accountability sits at board level, not solely with the IT function.

Criminal penalties (member-state discretion)

DORA establishes an administrative enforcement regime but expressly allows member states to decide not to lay down administrative penalties for breaches that are already subject to criminal penalties under national law. In practice this means the exposure for a given breach depends on the member state: some rely purely on administrative sanctions, others layer criminal liability on top. Multinational entities should map their obligations per jurisdiction.

Periodic penalty payments for critical ICT providers

The strongest financial tool in DORA applies to critical ICT third-party providers under the pan-EU oversight framework. Where such a provider does not comply with a request or recommendation from its lead overseer, the overseer can impose periodic penalty payments to compel compliance, up to 1% of the provider's average daily worldwide turnover in the preceding business year, imposed on a daily basis for up to six months. This is a coercive measure designed to force cooperation from the large cloud, data, and software providers on which the financial sector depends.

Publication of decisions (naming and shaming)

Competent authorities must generally publish administrative penalties and measures on their official websites, including the type of breach and the identity of the entity, unless publication would be disproportionate or jeopardise an investigation or financial stability. The reputational impact of publication often outweighs the direct financial penalty, particularly for entities whose clients value resilience.

Member-state divergence

Because so much of the penalty regime is set nationally, the practical consequences of non-compliance vary across the EU. A breach that draws a modest administrative fine in one member state might attract a larger penalty, or criminal exposure, in another. Entities operating across borders should not assume a single, uniform sanction ceiling. To reduce exposure, close gaps proactively: work through the compliance checklist and benchmark with the Readiness Score.

Frequently asked questions

What is the maximum fine under DORA?
Can individuals be held liable under DORA?
Does DORA impose criminal penalties?
What happens if a major incident is not reported?

Sources

  1. Regulation (EU) 2022/2554 (DORA), EUR-Lex
  2. ESMA, Digital Operational Resilience Act (DORA)
  3. European Banking Authority, DORA