
5 November 2025

DORA Penalty Regimes

Overview of Divergence Among Member States
Key takeaways
  1. Since 17 January 2025, entities across the financial sector must comply with the Digital Operational Resilience Act (DORA).
  2. While DORA harmonises the substantive rules of the EU's digital operational resilience framework, the Act delegates the imposition of principle-based administrative penalties to the Member States under Article 50 of DORA. This has resulted in considerable divergence across Member States.
  3. The national regimes on administrative penalties differ considerably in terms of maximum monetary amounts, as well as the granularity of penalty regimes. These national differences may be relevant to financial entities in conducting risk assessments in relation to compliance with DORA.

 

Administrative penalties under DORA

As we reported in our previous briefing, since 17 January 2025 entities have been required to comply with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act / DORA). That briefing also explores how different Member States have implemented DORA into their national frameworks.

This briefing looks at one specific aspect of these frameworks: administrative penalties.

Article 50 of DORA lays down rules on administrative penalties. It requires Member States to implement national rules establishing 'appropriate administrative penalties' for breaches of DORA and to ensure their effective implementation. In addition, penalties must be 'effective, proportionate and dissuasive', which are common principles in European legislation (see for example the General Data Protection Regulation).

As DORA does not complement these principle-based rules with bright-line rules that set clear bounds, Member States have significant discretion regarding the maximum monetary amount that can be imposed under administrative penalties.

 

Differences across Member States1

The national regimes on administrative penalties differ considerably in terms of maximum monetary amounts, as well as the granularity of the statutory provisions regarding the calculation of penalties. Possible differences or similarities in supervisory practices have not been considered.

The table below provides an overview of a selection of national regimes in key Member States.

 

Maximum amount for legal entities
  • Most Member States combine a turnover-based ceiling (maximum [X]% of the turnover for the preceding financial year) with an absolute ceiling (EUR [X]).
  • The turnover-based ceilings vary between 5% (Spain) and 10% (Sweden).
  • The absolute ceilings vary between EUR 2 million (Czech Republic) and EUR 20 million (Italy).
  • Certain Member State regimes, including Germany and the Netherlands, also differentiate between the type of breach (intentional or negligent) and nature of provision breached and reflect this in the penalty calculation.
 
Maximum amount for individuals
  • Article 50 of DORA clarifies that competent authorities should have the power to impose administrative penalties on members of the management body and other individuals responsible for breaches of DORA, subject to conditions set out in national legislation.
  • Most Member States stipulate maximum amounts for penalties imposed on these individuals. These amounts generally take the form of absolute ceilings, varying between EUR 100,000 (Finland) and EUR 5 million (Germany).
  • Notably, some Member States combine absolute ceilings with provisions that lower those ceilings based on the income of the person (Finland) or on a multiple of [X] times the profit gained from the breach (e.g. Spain, where the multiple applied is three times).

 

Conclusion

While DORA harmonises the substantive rules of the EU's digital operational resilience framework, the principle-based penalties regime of Article 50 has facilitated significant divergence across Member States.

The Member State in which financial entities violate DORA provisions may therefore be a significant differentiating factor in the amount of the administrative penalty imposed for the violation. Financial entities would be prudent to consider these differences when preparing risk assessments related to digital operational resilience.

A full table of the DORA penalty regimes across selected Member States is set out in the table below.

To stay abreast of this continuously developing landscape and what it means for your operations, please contact our European Financial Services Regulatory Team.  

DORA PENALTY REGIMES – MEMBER STATE OVERVIEW

Columns: Country / National legislation / Enforcement authority / Sanctions

Belgium
  National legislation: Law of 25 March 2025, concerning the digital operational resilience of the financial sector and various provisions
  Sanctions: Highest financial penalty for financial entity: EUR 5 million or 10% of the financial entity's net annual turnover for the previous financial year, whichever amount is higher. Highest financial penalty for individual: EUR 5 million.

Czech Republic2
  National legislation: Act No. 31/2025 Coll., on the Implementation of European Union Regulations in the Area of Financial Market Digitalisation (the Financial Market Digitalisation Act)
  Enforcement authority: Czech National Bank
  Sanctions: Highest financial penalty for financial entity: CZK 50 million (approx. EUR 2 million). Highest financial penalty for individual: N/A specifically under DORA. Prohibition from performing in a statutory body, liability for civil damages, or general criminal liability shall apply.

Finland
  National legislation: Act on the Financial Supervisory Authority (878/2008)
  Enforcement authority: Financial Supervisory Authority (Finanssivalvonta)
  Sanctions: According to the Finnish Act on the Financial Supervisory Authority, the administrative sanction may amount to a maximum of 10% of the financial entity's turnover for the financial year preceding the imposition of the penalty, but not exceeding EUR 10 million. For an individual, the penalty may be up to 10% of their income as declared in the most recently completed taxation, but not exceeding EUR 100,000.

France3
  Enforcement authority: ACPR
  Sanctions: No local regime has been implemented in France with respect to Article 50(3) at this stage.

Germany4
  National legislation: Financial Market Digitalisation Act (FinmadiG)
  Enforcement authority: BaFin, Bundesbank
  Sanctions: Highest financial penalty for financial entity: EUR 5 million. Highest financial penalty for individual: EUR 5 million (highest penalty only applicable to breaches of Art. 19 para. 4 and Art. 26 para. 1 sentence 1 DORA and generally only imposed).

Ireland5
  National legislation: European Union (Digital Operational Resilience) Regulations 2025 (SI 12/2025); European Union (Digital Operational Resilience) (No. 2) Regulations 2025 (SI 20/2025)
  Enforcement authority: Central Bank of Ireland
  Sanctions: Financial entities could face fines up to EUR 10 million or 10% of their annual turnover, while individuals could be fined up to EUR 1 million.

Italy
  National legislation: Decreto Legislativo N. 23/2025
  Enforcement authority: Banca d'Italia, Consob, IVASS, COVIP
  Sanctions: Highest financial penalty for financial entity: up to EUR 20 million or, if higher, up to 10% of the financial entity's annual turnover. Highest financial penalty for individual: up to EUR 5 million, with possible bans from management, direction or control functions.

Luxembourg
  National legislation: DORA Implementing Law (July 2024)
  Enforcement authority: CSSF, CAA
  Sanctions: Fines up to EUR 5 million.

Netherlands7
  National legislation: DNB issued supervisory expectations
  Enforcement authority: DNB
  Sanctions: Highest financial penalty for financial entity: EUR 5 million, depending on which provision of DORA has been breached. Base amounts vary from EUR 10,000 to EUR 2.5 million, and may be increased or lowered depending on specific circumstances.

Norway
  Sanctions: Highest financial penalty for financial entity: EUR 4.4 million (NOK 50 million). Highest financial penalty for individual: EUR 4.4 million (NOK 50 million).

Spain8
  National legislation: Draft Law on the Digitalisation and Modernisation of the Financial Sector (Anteproyecto de Ley de digitalization y modernización del sector financiero)
  Enforcement authority: CNMV, Bank of Spain
  Sanctions: Highest financial penalty for financial entity: highest of (i) EUR 5 million; (ii) 5% of the total annual net turnover based on the latest approved accounts; or (iii) five times the amount of the profits gained or losses avoided due to the infringement. Highest financial penalty for individual: higher of (i) EUR 1 million; or (ii) five times the profit gained or loss avoided.

Sweden
  National legislation: Act with supplementary provisions to the EU Regulation on Digital Operational Resilience for the Financial Sector (Sw. lag (2024:1278) med kompletterande bestämmelser till EU:s förordning om digital operativ motståndskraft för finanssektorn)
  Enforcement authority: Swedish Financial Supervisory Authority (Sw. Finansinspektionen)
  Sanctions: Highest financial penalty for financial entity: highest of (i) EUR 1 million; (ii) 10% of the total annual net turnover based on the latest approved accounts or, where applicable, the equivalent turnover at group level; or (iii) three times the amount of the benefit derived from the breach where the benefit can be determined. Highest financial penalty for individual: highest of (i) EUR 500,00; or (ii) three times the amount of the benefit derived from the breach where the benefit can be determined.

 


1 For convenience, the briefing refers to Member States, even if not all countries are Member States (Norway is a member of the European Economic Area (EEA) and has implemented DORA on that basis).
2 The Act entered into force in January 2025.
3 Awaiting formal legislative alignment.
4 Certain duties (ICT risk management) for certain entities (institutions under BaFin supervision not subject to the CRR) may not be fully applicable until the end of December 2026.
5 The Acts came into force on 17 January 2025 and 11 February 2025 respectively, and the transposition into Irish law is completed.
6 Emphasis on resilience testing, incident classification and on powers of authorities.
7 Focus on third-party risk and resilience testing.
8 Focus on ICT risk and third-party oversight. NB: in Spain the regime is still pending formal adoption. It is set to be implemented through the Draft Law on the Digitalisation and Modernisation of the Financial Sector (Draft Law), which is currently awaiting parliamentary processing.
