DORA: Enforcement and Penalties

Enforcement and Penalties [Art 46-56]

Rule: Member States designate competent authorities with supervisory powers to enforce DORA. Penalties are determined by Member State law, with DORA establishing minimum powers.

Competent Authorities [Art 46]

Each Member State designates competent authorities:

Sector	Typical Authority
Credit institutions	Banking supervisor (e.g., ECB, national authority)
Insurance	Insurance supervisor
Investment firms	Securities regulator
Payment institutions	Payment services regulator

Supervisory Powers [Art 50]

Competent authorities must have power to:

Power	Description
Access information	Request any documents, data, information
On-site inspections	Conduct inspections at entity premises
Require remediation	Order corrective measures
Issue warnings	Public warnings
Impose penalties	Administrative penalties and measures
Suspend activities	Temporarily suspend activities
Withdraw authorization	For serious, repeated breaches

Administrative Penalties [Art 50(4)]

Member States must ensure competent authorities can impose:

Administrative penalties
Periodic penalty payments
Other administrative measures

Penalty factors:

Gravity and duration of breach
Financial strength of entity
Profits gained/losses avoided
Third-party losses
Cooperation with authorities
Previous breaches

Member State Implementation

DORA sets minimum powers; Member States may go further:

Aspect	DORA Requirement	Member State Discretion
Minimum powers	Art 50 powers mandatory	May add more
Penalty amounts	Not specified	Set by national law
Criminal penalties	Not required	Member States may add
Publication	Required for administrative decisions	Timing and details

Critical ICT Third-Party Provider Oversight [Art 31-44]

For designated critical providers:

Oversight Tool	Application
Lead Overseer	ESA coordinates oversight
Information requests	Direct requests to provider
General investigations	Review policies, procedures, data
On-site inspections	At provider premises
Recommendations	Address security weaknesses
Periodic penalty payments	For non-compliance with recommendations

Penalty Payments for Critical Providers [Art 35(8)]

Lead Overseer can impose periodic penalty payments:

For non-compliance with recommendations
Amount: Up to 1% of average daily worldwide turnover
Duration: Up to 6 months until compliance achieved

Relationship with Sector-Specific Enforcement

Sector	Enforcement Integration
Banking	CRD/CRR supervisory powers apply
Insurance	Solvency II supervision applies
Investment	MiFID II enforcement applies
Payment services	PSD2 supervision applies

Cooperation Between Authorities [Art 47-48]

Authorities must cooperate:

Share information on ICT risks
Coordinate supervisory activities
Joint inspections where appropriate
Notify relevant authorities of findings

ESA Role

European Supervisory Authorities:

Issue technical standards
Coordinate oversight
Lead oversight of critical ICT providers
Maintain risk indicators

Reporting to ESAs [Art 54]

Competent authorities must report annually:

Summary of supervisory activities
Number and types of measures taken
ICT incidents reported
Weaknesses identified

Whistleblowing [Art 53]

Member States must establish:

Mechanisms for reporting breaches
Protections for reporters
Confidentiality for whistleblowers
Independent channel for reporting

Framework	Penalty Regime
DORA	Member State determined, minimum powers in Art 50
NIS2	€10M or 2% (essential), €7M or 1.4% (important)
GDPR	€20M or 4% of global turnover
MiCA	Up to €5M or 3% (individuals), €15M or 12.5% (legal persons)

Compliance Priorities

To reduce enforcement risk:

ICT risk framework — Comprehensive, documented, approved by management
Incident reporting — Meet 4h/72h/1mo timelines
Testing program — Regular testing, TLPT if required
Third-party management — Register, contracts, due diligence
Documentation — Evidence of compliance activities
Cooperation — Engage constructively with supervisors

Citation

Art 46-56, Regulation (EU) 2022/2554