EU DORA penalties and fines

DORA requires Member States to establish appropriate administrative penalties and remedial measures for breaches of the regulation, and to ensure effective implementation. The regulation does not provide one uniform EU-wide maximum fine for every financial entity breach in the way some other EU regimes do.

For a visitor assessing exposure, the first distinction is therefore between EU-level DORA powers and national penalty rules. DORA supplies the minimum enforcement toolkit and sanctioning factors; Member State law supplies the detailed national administrative penalty framework unless the Member State uses criminal penalties for the same breaches.

DORA requires competent authorities to have the supervisory, investigatory, and sanctioning powers needed to perform their duties. Those powers include access to relevant documents and data, on-site inspections or investigations, and the ability to require corrective and remedial measures for breaches.

The minimum remedial and sanctioning toolkit is broad. Competent authorities must be able to order a person to stop breaching conduct, require temporary or permanent cessation of practices that conflict with DORA, adopt measures of a pecuniary nature to ensure continued compliance, require certain data traffic records where national law permits and a breach is reasonably suspected, and issue public statements identifying the person and nature of the breach.

DORA tells competent authorities to exercise penalty and remedial powers through their national legal frameworks. When determining the type and level of an administrative penalty or remedial measure, authorities must consider whether the breach was intentional or negligent and assess the circumstances of the breach.

The regulation lists sanctioning factors that are practical risk indicators for compliance teams: materiality, gravity, duration, responsibility, financial strength, profits gained or losses avoided, third-party losses, cooperation with the authority, and previous breaches.

DORA includes safeguards around enforcement publication. Competent authorities must publish final administrative penalty decisions on their official websites without undue delay after the addressee has been notified, but publication can be deferred, anonymised, or withheld in specified circumstances such as disproportionate damage, personal-data concerns, market-stability risk, or an ongoing criminal investigation.

Published penalty information must remain online only for the period necessary to meet the DORA publication rule and cannot exceed five years. If a published decision is appealed, the competent authority must add appeal information and later outcome information, including any judicial annulment.

DORA has a separate EU-level oversight regime for critical ICT third-party service providers. A Lead Overseer can request information, conduct investigations and inspections, request reports on actions or remedies, and issue recommendations. Critical providers must cooperate in good faith.

If a critical ICT third-party service provider wholly or partly fails to comply with required oversight measures after at least 30 calendar days from notification, the Lead Overseer must adopt a decision imposing a periodic penalty payment to compel compliance. The payment is imposed daily until compliance, for no more than six months, and may be up to 1% of the provider's average daily worldwide turnover in the preceding business year.

Critical ICT third-party service providers can also owe oversight fees under DORA's oversight framework. Those fees fund the Lead Overseer's oversight work and are calculated under a delegated regulation; they should not be described as penalties or fines.

For penalty analysis, keep three buckets separate: national administrative penalties and remedial measures for DORA breaches, criminal penalties where Member State law uses them, and EU-level periodic penalty payments used by the Lead Overseer to compel critical ICT third-party provider compliance with oversight measures.