DORA became applicable across the European Union on 17 January 2025, and the penalty framework that underpins it is now fully operational. Unlike many EU regulations that leave enforcement details almost entirely to Member States, DORA establishes a structured penalty architecture that combines national enforcement powers with direct EU-level oversight of critical ICT third-party providers. According to the European Banking Authority, over 22,000 financial entities and an estimated 15,000 ICT service providers now fall within the regulation’s enforcement perimeter.
This article examines the penalty framework in detail: who enforces DORA, what penalties apply, how enforcement compares with GDPR and NIS2, and what the expected timeline looks like.
What Is the DORA Penalty Framework?
DORA’s penalty structure is defined in Articles 50 to 52 of Regulation (EU) 2022/2554 and supplemented by national implementing measures. The framework applies differently to three categories of entities.
Financial entities – the 21 categories in Article 2, including credit institutions, investment firms, payment institutions, insurance undertakings, and crypto-asset service providers – face administrative fines of up to 2% of total annual worldwide turnover or EUR 10 million, whichever is higher. For a mid-size bank with EUR 500 million in revenue, the maximum fine per infringement is EUR 10 million. For an institution with EUR 5 billion in revenue, the cap rises to EUR 100 million. Member States may set higher limits – Germany’s implementing act empowers BaFin to exceed the DORA floor for serious or repeated violations.
Individual and ICT provider penalties
Individual members of the management body face personal fines of up to EUR 1 million. Under Article 5, the board must define, approve, oversee, and be responsible for the ICT risk management framework. The ECB’s 2025 supervisory review explicitly assessed board-level engagement with ICT risk governance as a key criterion.
Critical ICT third-party providers designated under Article 31 by the European Supervisory Authorities (ESMA, EBA, and EIOPA) face penalty payments of up to EUR 5 million or 1% of average daily worldwide turnover, for each day of non-compliance, up to six months. For a cloud provider with EUR 20 billion in annual revenue, the daily ceiling is approximately EUR 548,000 – accumulating to over EUR 100 million over six months.
DORA Enforcement Authorities
DORA enforcement is distributed across multiple layers. National competent authorities – BaFin in Germany, ACPR and AMF in France, Central Bank of Ireland, Banca d’Italia – have full enforcement powers including on-site inspections, remediation orders, public censure, and administrative fines.
For the 113 significant credit institutions under direct ECB supervision, the ECB’s Single Supervisory Mechanism integrates DORA into its broader Supervisory Review and Evaluation Process (SREP). ICT risk assessments now form an explicit component of the annual examination.
Lead Overseers for critical ICT providers
The Joint Committee of EBA, ESMA, and EIOPA coordinates the designation of critical providers and assigns Lead Overseers. As of early 2026, the ESAs have designated 12 critical ICT providers, primarily major cloud infrastructure providers and core banking technology firms. This creates, for the first time, a mechanism for EU authorities to directly supervise and penalize non-EU technology companies providing critical services to the European financial sector.
How Does DORA Compare to GDPR and NIS2 Penalties?
Financial entities subject to DORA are typically also subject to GDPR and often NIS2. Understanding the comparative landscape is essential.
GDPR fines reach up to 4% of annual worldwide turnover or EUR 20 million for serious infringements. The median GDPR fine on financial services entities in 2025 was EUR 890,000 according to EDPB data. DORA’s 2% / EUR 10 million ceiling is lower than GDPR’s maximum but operates in addition to it. A single ICT incident involving personal data can trigger both DORA and GDPR enforcement with separate fines. The DORA vs GDPR overlap analysis maps these convergence points.
NIS2 comparison and cumulative risk
NIS2 imposes penalties of up to 2% of turnover or EUR 10 million for essential entities, and up to 1.4% or EUR 7 million for important entities. DORA operates as lex specialis relative to NIS2 for financial entities under Article 4.
These penalty regimes are not mutually exclusive. A bank suffering a major ICT incident potentially faces a DORA fine of up to 2% of turnover, a GDPR fine of up to 4%, personal fines of up to EUR 1 million per individual, and reputational sanctions. For an entity with EUR 1 billion in turnover, the theoretical combined exposure from a single incident exceeds EUR 60 million.
Enforcement Triggers
Enforcement follows specific triggers. Under DORA’s incident reporting framework, major incidents must be reported within strict timeframes: initial notification within 4 hours, intermediate report within 72 hours, final report within one month. In 2025, European financial entities reported over 2,100 major ICT incidents. According to the ECB Financial Stability Review, approximately 340 had systemic implications.
Competent authorities also conduct scheduled supervisory reviews of ICT risk management frameworks. Findings of material non-compliance – missing documentation, untested business continuity procedures, incomplete third-party registers – lead to remediation orders and formal enforcement.
Third-party concentration risk
DORA requires entities to manage concentration risk in ICT third-party arrangements. When a competent authority determines that dependence on a single provider creates unacceptable systemic risk, it can require diversification. The third-party risk management requirements under DORA are the most prescriptive in any EU financial regulation.
Expected Enforcement Timeline
DORA enforcement will follow a phased trajectory. During 2025-2026, competent authorities are conducting baseline assessments and building a picture of the sector’s compliance posture. The ECB has integrated DORA into its 2025 and 2026 SREP cycles.
Entities identified as materially non-compliant will receive formal remediation orders. The first administrative fines are expected in late 2026, targeting entities that made no meaningful compliance effort. The DORA compliance guide provides a framework for organizations still implementing the regulation. By 2028, DORA enforcement is expected to resemble established GDPR enforcement patterns. Cumulative GDPR fines across the EU exceeded EUR 4.5 billion by 2025 – DORA enforcement will follow a compressed version of this trajectory.
Preparation Steps for Financial Entities
Preparation means demonstrating good-faith compliance effort, not perfection. Competent authorities assess enforcement responses based partly on the entity’s compliance posture at the time of a review. Legiscope provides automated documentation and regulatory mapping that accelerates this evidence-gathering process.
Address the five core pillars systematically: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. Align DORA with existing GDPR obligations using the DORA vs GDPR overlap analysis, and review DORA-specific requirements for banking institutions. Entities that have assessed DORA non-compliance costs for fintechs should use those findings to prioritize remediation.
Frequently Asked Questions
What is the maximum DORA fine for a financial entity?
Up to 2% of total annual worldwide turnover or EUR 10 million, whichever is higher. Member States may set higher limits. Individual management body members face fines of up to EUR 1 million.
Can DORA and GDPR fines be imposed for the same incident?
Yes. They are enforced by separate authorities with separate mandates. The ne bis in idem principle does not apply across different regulatory frameworks addressing different legal interests.
How are critical ICT providers penalized?
Penalty payments of up to EUR 5 million or 1% of average daily worldwide turnover per day of non-compliance, imposed by the Lead Overseer. The Lead Overseer can also publish non-compliance recommendations, triggering contractual consequences as financial entities reassess providers.
When will the first DORA fines be published?
The first formal fines are expected in the second half of 2026, based on supervisory assessment work conducted throughout 2025 and early 2026. Initial actions will target entities with no demonstrable compliance effort.