DORA Penalties & Enforcement
Administrative sanctions, BaFin enforcement, and comparison with NIS2 penalties.
DORA Enforcement: How Penalties Work
DORA (EU Regulation 2022/2554) establishes a robust enforcement framework that gives competent authorities significant powers to ensure compliance. Unlike many previous financial regulations, DORA explicitly addresses penalties for both financial entities and, for the first time, for Critical ICT Third-Party Providers (CTPPs). Understanding the enforcement mechanisms is essential for prioritising compliance efforts and managing regulatory risk.
Administrative Penalties for Financial Entities
Art. 50-52 of DORA require member states to lay down rules on administrative penalties and remedial measures applicable to infringements. While DORA does not specify harmonised penalty amounts for financial entities (leaving this to national implementation), it does establish the framework of enforcement powers that competent authorities must have:
- Administrative fines: Member states define the maximum amounts, but they must be effective, proportionate, and dissuasive. National implementations typically align with the magnitude of fines under related EU regulations (NIS2, GDPR).
- Cease-and-desist orders: Authorities can order entities to cease conduct that infringes DORA and to refrain from repeating that conduct.
- Public statements: Authorities can issue public statements identifying the entity and the nature of the infringement, creating significant reputational risk.
- Temporary prohibition: In severe cases, authorities can temporarily prohibit members of the management body from exercising management functions.
- Periodic penalty payments: Authorities can impose daily penalty payments to compel compliance.
BaFin Enforcement in Germany
In Germany, BaFin is the competent authority for DORA enforcement for most financial entities (banks, insurers, investment firms, payment institutions). BaFin has significant experience with ICT supervision through its prior oversight of BAIT/VAIT/KAIT/ZAIT compliance.
BaFin's enforcement toolkit under DORA includes:
- On-site and off-site inspections: BaFin can conduct inspections at any time, including requesting access to the information register, incident reports, testing results, and third-party contracts.
- Information requests: BaFin can require financial entities to provide any information necessary to verify compliance, including on short notice.
- Supervisory measures: BaFin can order remediation measures, impose conditions on operations, and require entities to submit remediation plans with defined timelines.
- Administrative proceedings: For material non-compliance, BaFin can initiate formal administrative proceedings leading to fines.
BaFin has signalled that DORA compliance will be a supervisory priority. Entities should expect increased attention to ICT risk management, incident reporting, and the information register during routine examinations. For entities migrating from BAIT, see our BAIT/VAIT to DORA migration guide.
Penalties for Critical Third-Party Providers (CTPPs)
The CTPP penalty framework is one of DORA's most novel features. For the first time, ICT service providers that are not themselves financial institutions face direct regulatory sanctions. Art. 35(8) gives the Lead Overseer the power to impose periodic penalty payments on CTPPs that do not comply with oversight recommendations:
- Up to 1% of average daily worldwide turnover in the preceding business year, per day
- Penalties can be imposed for up to 6 months continuously
- This can result in total penalties of up to approximately 180% of daily turnover over the maximum period
For major cloud providers or core banking platform vendors with multi-billion euro annual revenues, 1% of daily turnover can represent millions of euros per day. This creates a powerful incentive for CTPPs to cooperate with the oversight framework.
Additionally, the Lead Overseer can recommend that financial entities temporarily suspend or terminate arrangements with non-compliant CTPPs. While this is not a direct penalty on the CTPP, it creates substantial commercial pressure.
Criminal Sanctions
Art. 52 allows member states to decide whether to provide for criminal sanctions for certain DORA infringements instead of or in addition to administrative penalties. Where member states opt for criminal sanctions, they must ensure that the relevant criminal provisions are effectively enforced.
In Germany, criminal liability for management body members may arise under general corporate law provisions (e.g. breach of duty of care under GmbHG or AktG) if a DORA violation results in material damage. While DORA does not create new criminal offences per se, the explicit management body accountability under Art. 5 strengthens the legal basis for personal liability claims.
Factors in Determining Penalties
Art. 51 specifies the factors that competent authorities must consider when determining the type and level of administrative penalties:
- Gravity and duration: The seriousness of the infringement and how long it persisted
- Degree of responsibility: Whether the infringement was intentional or negligent
- Financial strength: The annual turnover of the entity, to ensure penalties are proportionate
- Profits gained or losses avoided: Any financial benefit the entity derived from the infringement
- Third-party losses: Losses suffered by clients or other third parties
- Cooperation: The degree of cooperation with the competent authority
- Previous infringements: Any prior regulatory violations by the entity
- Remedial actions: Steps taken to address the infringement and prevent recurrence
DORA vs. NIS2: Penalty Comparison
Financial entities may fall under both DORA and NIS2. Art. 1(2) of DORA clarifies that DORA is lex specialis to NIS2 for the financial sector, meaning DORA requirements take precedence where there is overlap. However, understanding both frameworks' penalty regimes is useful for compliance prioritisation:
| Aspect | DORA | NIS2 |
|---|---|---|
| Scope | Financial sector (21 entity types) | 18 sectors including finance |
| Max. fines (particularly important entities) | Determined by member states | EUR 10M or 2% of turnover |
| Max. fines (important entities) | Determined by member states | EUR 7M or 1.4% of turnover |
| CTPP penalties | Up to 1% daily worldwide turnover | Not applicable |
| Management liability | Personal accountability (Art. 5) | Personal accountability (Art. 20) |
| Incident reporting deadline | 4h / 72h / 30 days | 24h / 72h / 30 days |
| Public statements | Yes | Yes |
| Suspension of management | Yes | Yes |
Note: DORA's initial notification deadline of 4 hours (compared to NIS2's 24 hours) is significantly tighter. Missing this deadline is one of the most likely early enforcement triggers. See our Incident Reporting page for preparation guidance.
Minimising Enforcement Risk
Competent authorities consider cooperation and remedial actions when determining penalties. Entities can minimise enforcement risk by:
- Documenting compliance efforts: Even if gaps remain, a documented compliance programme with a clear roadmap demonstrates good faith. Authorities distinguish between entities making genuine efforts and those ignoring requirements.
- Prioritising incident reporting: Late or missing incident reports are the easiest infringement to detect and prove. Invest heavily in this area.
- Maintaining the information register: The register is reported annually and provides a direct window into your third-party risk management. An incomplete or inaccurate register is a clear supervisory finding.
- Training the management body: Art. 5(4) training is explicitly required. Documented training records for the management body are a tangible compliance indicator.
- Cooperating fully with authorities: Cooperation is explicitly listed as a mitigating factor in Art. 51. Be transparent about gaps and remediation efforts.
For a comprehensive compliance roadmap, see our DORA Checklist. For cost estimates, see our DORA Costs and Timeline page.