DORA (Regulation (EU) 2022/2554, the Digital Operational Resilience Act) is not a guideline. It is a binding EU regulation, applicable since 17 January 2025, with real enforcement teeth. As supervisory authorities move into active enforcement in 2026, board members, CISOs and compliance officers need to understand the penalty framework, and in particular which penalties come from the Regulation itself and which come from national law.

Penalties for Financial Institutions

National competent authorities can impose administrative penalties and remedial measures. Note that DORA itself does not fix fine amounts for financial entities: Article 50 requires each Member State to lay down "effective, proportionate and dissuasive" penalties in national law, so the maximum fine depends on the jurisdiction. Measures commonly cited include:

  • Fines up to 2% of total annual global turnover or EUR 10 million, whichever is higher (this cap comes from national implementing laws and commentary, not from the text of the Regulation; verify it against the relevant Member State's act)
  • Individual penalties for members of the management body and other responsible natural persons, where national law provides for them (Article 50(5)); the EUR 1 million cap sometimes quoted is likewise a national figure
  • Cease and desist orders requiring the entity to stop the non-compliant conduct and remediate
  • Public notices disclosing the identity of the entity and the nature of the breach
  • Temporary suspension of business activities, where the national framework allows it

Penalties for Critical ICT Third-Party Providers

For designated Critical Third-Party Providers (CTPPs), enforcement sits with the Lead Overseer (one of the three European Supervisory Authorities). The Regulation gives it a different toolset, built around continuing pressure rather than a one-off fine:

  • Periodic penalty payments of up to 1% of the CTPP's average daily worldwide turnover in the preceding business year, imposed daily for up to six months, where the CTPP fails to comply with requests for information, general investigations or inspections (Article 35); these payments are published
  • Recommendations on ICT security, contractual conditions and subcontracting that the CTPP must either follow or publicly explain why it does not
  • Recommendations to refrain from further subcontracting where the arrangement would pose a risk to financial stability or to the provision of ICT services
  • Pressure through the customer: competent authorities can require financial entities to temporarily suspend or terminate contracts with a CTPP that does not address the Lead Overseer's recommendations (Article 42)

Beyond Financial Penalties

The reputational damage from DORA enforcement may be more costly than the fines themselves:

  • Public statements: Regulators can publish the identity of the non-compliant entity
  • Client trust erosion: Institutional clients increasingly require DORA compliance as a procurement criterion
  • Audit escalation: Non-compliance triggers enhanced supervisory scrutiny
  • Insurance implications: Cyber insurance premiums may increase or coverage may be denied

Aggravating and Mitigating Factors

Article 51 lists the circumstances competent authorities must take into account when deciding the type and level of a penalty:

Aggravating

  • Repeated non-compliance or previous infringements
  • Failure to cooperate with supervisory authorities
  • Deliberate concealment of incidents, or a high degree of responsibility for the breach
  • Profits gained or losses avoided through the breach, and losses caused to third parties
  • Breaches affecting critical services across multiple Member States, or otherwise of high materiality, gravity or duration

Mitigating

  • Prompt self-reporting of breaches
  • Active cooperation with authorities
  • Demonstrable remediation efforts and measures taken to prevent a repetition
  • First-time infringement with a good compliance history
  • The financial strength of the entity, which is also weighed so that penalties remain proportionate

Board-Level Accountability

DORA explicitly places responsibility on the management body (the board, in both its management and supervisory functions) for ICT risk management: under Article 5 the management body must define, approve, oversee and remain ultimately accountable for the ICT risk management framework, and its members must keep their own knowledge of ICT risk up to date. Article 50(5) allows Member States to apply penalties to members of the management body and other responsible individuals, so board members can be held personally liable for systemic failures in digital operational resilience where national law provides for it. This makes DORA compliance a C-suite priority, not just an IT concern.