
Chapter 9 of 14

Module 9: Penalties, Enforcement, and Supervisory Expectations

Examine how DORA is enforced, the range of penalties for non‑compliance, and emerging supervisory expectations as the January 2025 deadline takes effect.


Step 1 – Where We Are Now: DORA’s Enforcement Timeline

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has applied in full since 17 January 2025. As of today (December 2025), the Regulation itself provides no transitional period: financial entities are expected to be compliant now.

Key timeline anchors:

  • December 2022 – DORA adopted.
  • January 2023–January 2025 – 2‑year implementation window; development of detailed technical standards (RTS/ITS) by the ESAs.
  • 17 January 2025 – DORA starts applying; enforcement powers of national competent authorities (NCAs) and ESAs are fully live.
  • 2024–2025 – ESAs (EBA, EIOPA, ESMA) and the European Commission publish final technical standards and guidance, and issue public statements clarifying that there is no automatic grace period.

Because this module focuses on penalties and supervisory expectations, you should keep three realities in mind as you study:

  1. DORA is binding now: supervisory authorities can already investigate, order remediation, and apply sanctions.
  2. Supervisory expectations are dynamic: NCAs and ESAs are refining their approaches as they see real implementation gaps.
  3. Enforcement risk is uneven: large, systemically important institutions and critical ICT third‑party providers (CTPPs) face earlier and more intensive scrutiny than small entities, but all in‑scope entities are legally bound.

Throughout this module, read DORA not as a theoretical framework but as live law that supervisors are starting to enforce in practice.

Step 2 – Who Enforces DORA? The Supervisory Architecture

DORA creates a multi‑layered supervisory system. Understanding who can act against whom is essential for assessing enforcement risk.

1. National Competent Authorities (NCAs)

  • Primary supervisors for financial entities (FEs): banks, investment firms, insurers, payment institutions, crypto‑asset service providers under MiCA, etc.
  • NCAs enforce DORA using:
    • On‑site and off‑site inspections
    • Requests for information, data, and documents
    • Orders to remediate deficiencies
    • Administrative fines and other sanctions
  • Examples: BaFin (Germany), ACPR/AMF (France), Banco de España/CNMV (Spain), etc.

2. European Supervisory Authorities (ESAs)

  • EBA, ESMA, EIOPA:
    • Develop regulatory technical standards (RTS) and implementing technical standards (ITS) that specify DORA requirements.
    • Coordinate supervisory practices across Member States (e.g., common questionnaires, templates, joint exercises).
    • Mediate cross‑border issues and promote convergence of enforcement.
  • For most financial entities, ESAs do not directly fine firms; they act through NCAs, but their expectations strongly shape national enforcement.

3. Joint Oversight of Critical ICT Third‑Party Providers (CTPPs)

DORA introduces a new layer for certain ICT providers that are designated as critical:

  • A Lead Overseer (one of the ESAs) is appointed for each CTPP.
  • A Joint Oversight Forum (JOF) coordinates cross‑sector oversight.
  • These EU‑level bodies can:
    • Conduct inspections of CTPPs.
    • Issue recommendations and binding instructions.
    • Impose periodic penalty payments for non‑compliance.

4. Other Actors

  • European Commission: may adopt delegated acts, and plays a role in designating CTPPs and shaping overall policy.
  • European Central Bank (ECB): within the Single Supervisory Mechanism (SSM), the ECB integrates DORA expectations into its prudential supervision of significant banks.

Mental model:

  • FEs → supervised mainly by NCAs, influenced by ESAs and (for banks) the ECB.
  • CTPPs → supervised directly at EU level by ESAs as Lead Overseers.

This split is crucial: the penalty regimes differ between FEs and CTPPs, as you will see next.

Step 3 – Enforcement Toolkit for Financial Entities and Management Bodies

DORA requires Member States to provide effective, proportionate, and dissuasive penalties. While exact numbers vary by country, the types of enforcement tools are consistent.

1. Measures Against the Financial Entity

NCAs can typically:

  • Issue binding orders:
    • Remedy specific ICT or cyber deficiencies within a set deadline.
    • Restrict or prohibit use of a particular ICT service or provider.
    • Order the suspension of a migration or major change until risks are addressed.
  • Impose administrative fines for infringements such as:
    • Failure to implement an ICT risk management framework consistent with DORA.
    • Inadequate incident classification and reporting.
    • Non‑compliant outsourcing contracts or failure to manage ICT third‑party risk.
    • Failure to participate in required threat‑led penetration testing (TLPT) when in scope.
  • Impose periodic penalty payments to force compliance with a remedial order (e.g., a daily fine until a required corrective measure is implemented).

2. Measures Against Management Bodies and Individuals

DORA emphasizes management body accountability:

  • NCAs may:
    • Issue public statements naming responsible institutions and, in some Member States, individuals.
    • Impose administrative fines on members of the management body where national law allows.
    • Use existing prudential powers (e.g., fit‑and‑proper assessments) to challenge the suitability of board members who systematically fail to ensure DORA compliance.
  • In some jurisdictions, criminal law may apply in severe cases (e.g., deliberate falsification of incident reports, obstruction of supervision, or gross negligence leading to systemic outages), but this is based on national criminal codes, not DORA itself.

3. Aggravating and Mitigating Factors

When setting penalties, authorities typically consider:

  • Severity and duration of the breach (e.g., multi‑day outage vs. minor temporary disruption).
  • Impact on clients and markets (e.g., payment failures, data breaches, inability to trade).
  • Intent and cooperation:
    • Did the entity conceal incidents or under‑report them?
    • Did it cooperate fully and remediate promptly?
  • History of non‑compliance or prior warnings.

For an advanced analysis, always ask: How would a supervisor justify the proportionality of any sanction in light of these factors?

Step 4 – Case Study: Enforcement Scenario for a Mid‑Size Bank

Consider a hypothetical mid‑size EU bank in late 2025.

Facts

  • The bank experiences a two‑day outage in its mobile banking app due to a failed deployment by an ICT provider.
  • The bank also:
    • Delays incident reporting, sending an incomplete report to the NCA.
    • Has no up‑to‑date mapping of critical functions to supporting ICT assets.
    • Uses contracts with ICT providers that lack DORA‑required clauses (e.g., on access, audit, termination).
  • An NCA on‑site inspection reveals that the management body:
    • Never formally approved the ICT risk management framework.
    • Receives no regular dashboards on ICT risk or resilience testing.

Likely Supervisory Response

  1. Immediate measures
    • Order to restore services and provide a root‑cause analysis.
    • Order to submit a complete incident report and updated incident classification methodology.
  2. Remediation orders
    • Implement a DORA‑compliant ICT risk management framework, approved by the board, within X months.
    • Update and re‑negotiate key ICT contracts to comply with DORA within a set timeline.
    • Establish regular management body reporting on ICT risk and resilience.
  3. Sanctions
    • Administrative fine on the entity for:
      • Failure to report the major incident in line with DORA timelines and content.
      • Failure to manage ICT third‑party risk and contracts appropriately.
    • Possible public statement describing the violation, to signal expectations to the market.
  4. Follow‑up supervision
    • Enhanced monitoring (e.g., additional reporting requirements) for 12–24 months.
    • The NCA may integrate DORA findings into the bank’s overall risk assessment and capital discussions.

Analytical question for you:

> Which elements of this case are most likely to trigger a higher penalty: the outage itself, the delayed reporting, or the structural governance failings? Explain your reasoning from a supervisor’s perspective.

Use this scenario to practice linking facts → legal requirements → potential sanctions.

Step 5 – Oversight and Sanctions for Critical ICT Third‑Party Providers (CTPPs)

DORA creates a distinct enforcement regime for ICT providers designated as critical because many financial entities depend on them (e.g., major cloud providers).

1. Designation and Scope

  • The European Commission, based on ESAs’ analysis, designates certain ICT providers as Critical ICT Third‑Party Providers (CTPPs).
  • Criteria include:
    • Number and systemic importance of financial entities served.
    • Degree of substitutability.
    • Concentration and cross‑border implications.

2. Powers of the Lead Overseer

The ESA acting as Lead Overseer can:

  • Conduct general investigations and thematic reviews.
  • Perform on‑site inspections, including at data centres within the EU.
  • Request detailed information on:
    • ICT security and resilience controls.
    • Incident management and reporting.
    • Sub‑outsourcing chains.

3. Sanctions and Penalties for CTPPs

If a CTPP fails to comply with DORA oversight measures, the Lead Overseer can:

  • Issue recommendations and instructions to remediate.
  • Impose periodic penalty payments (e.g., daily fines) until the CTPP complies with:
    • Oversight instructions.
    • Information requests.
    • Remediation deadlines.

Member States must also ensure that effective, proportionate, and dissuasive penalties are available at national level for CTPPs, which may include:

  • Administrative fines.
  • Restrictions on the CTPP’s ability to provide services to additional financial entities.
  • In extreme cases, termination of certain critical services or prohibition of new contracts in the EU financial sector.

4. Indirect Impact on Financial Entities

Even though the CTPP is directly supervised at EU level, financial entities remain responsible for their own compliance. If a CTPP fails to meet DORA standards:

  • FEs must reassess concentration risk and contingency planning.
  • Supervisors may require FEs to exit or diversify away from a non‑compliant CTPP.

So while CTPPs face their own penalty regime, FEs can still be sanctioned for over‑reliance on a problematic provider or for failing to plan for substitution.

Step 6 – Thought Exercise: Assessing Enforcement Risk for a Fintech

Imagine you are the chief risk officer of an EU‑licensed payment institution (PI) in late 2025. You rely heavily on a cloud‑based core banking platform provided by a large ICT firm that may be designated as a CTPP.

Your current situation:

  • You have some DORA‑aligned policies, but:
    • ICT asset mapping is incomplete.
    • Contracts with your main ICT provider are still missing some DORA‑required clauses.
  • You have never participated in a threat‑led penetration test (TLPT), although your NCA has hinted that you might be in scope.
  • You have had no major incidents yet, but minor outages have not always been logged or classified.

Task 1 – Rank Your Enforcement Risks

Rank the following areas from highest to lowest enforcement risk in the next 12 months, and justify your ranking:

  1. Incomplete ICT asset mapping.
  2. Missing contractual clauses with your main ICT provider.
  3. Lack of TLPT experience.
  4. Weak logging and classification of minor incidents.

Write a short justification (3–5 bullet points) focusing on:

  • Which gaps are most visible to supervisors.
  • Which gaps create the highest potential harm if an incident occurs.
  • Where DORA and recent ESA/NCA communications have been most explicit.

Task 2 – Design a 3‑Month Remediation Prioritization

If your NCA announced a thematic review on DORA implementation starting in 3 months, which three concrete actions would you prioritize immediately to reduce your enforcement exposure? Be specific (e.g., “launch a fast‑track contract remediation program for top 5 ICT providers”).

Step 7 – Current Supervisory Expectations and Public Statements (2024–2025)

Since mid‑2024, ESAs, the European Commission, and several NCAs have issued public statements and guidance clarifying how they expect firms to approach DORA.

Key themes emerging across the EU:

1. No Automatic Grace Period

  • Authorities consistently stress that DORA has applied in full since 17 January 2025.
  • While some NCAs may sequence their supervisory focus (e.g., starting with larger entities or certain sectors), they do not recognize a legal “wait‑and‑see” period.

2. Focus on Governance and Material Risk Areas

Supervisors expect, at a minimum, that by late 2025:

  • The management body has:
    • Approved an ICT risk management framework aligned with DORA.
    • Received at least some formal reporting on ICT risk and resilience.
  • Critical or important functions are identified and mapped to ICT assets and third‑party services.
  • There is a documented incident management process and a working incident classification scheme.

3. Evidence of a Structured Implementation Plan

Even if not fully compliant, entities should be able to show:

  • A DORA gap analysis covering all key pillars (ICT risk management, incident reporting, testing, third‑party risk, information sharing).
  • A prioritized remediation roadmap with clear deadlines and accountable owners.
  • Progress tracking (e.g., Gantt charts, heat maps) that supervisors can review.

4. Convergence of Supervisory Practices

The ESAs’ work on common templates and questionnaires is pushing NCAs toward:

  • Similar self‑assessment questionnaires for firms.
  • Comparable incident reporting formats.
  • Shared TLPT frameworks across Member States.

In practice, this means that enforcement risk is becoming more harmonized: a major DORA gap that would be criticized in one Member State is increasingly likely to be criticized in others.

When you read new ESA or NCA statements, always ask:

> Does this change how an NCA will prioritize inspections, or how it will judge proportionality of penalties?

This is how you connect soft law (guidance) to hard law (sanctions).

Step 8 – Quick Check: Understanding Supervisory Priorities

Answer this question to test your understanding of current supervisory expectations under DORA.

In late 2025, which of the following is MOST likely to be treated as a serious deficiency by an NCA during a DORA inspection of a large bank?

  A) The bank has not yet automated all incident reporting, but it can produce complete incident reports manually within regulatory timelines.
  B) The bank has a documented DORA implementation roadmap, but its management body has not yet formally approved any ICT risk management framework.
  C) The bank has not yet joined a voluntary cyber‑threat information‑sharing arrangement, but it actively monitors public CERT advisories.

Answer: B) The bank has a documented DORA implementation roadmap, but its management body has not yet formally approved any ICT risk management framework.

Option B is most serious. DORA places strong emphasis on **management body accountability** and a formally approved ICT risk management framework. A missing board‑approved framework is a structural governance failure. Manual incident reporting that still meets timelines (A) is less problematic, and participation in voluntary information‑sharing (C) is encouraged but not mandatory in the same way that governance requirements are.

Step 9 – Key Terms and Concepts Review

Use these flashcards to reinforce core enforcement and supervisory concepts under DORA.

National Competent Authority (NCA)
A Member State authority responsible for supervising financial entities under DORA (e.g., central banks, financial supervisory authorities). NCAs have primary responsibility for inspections, remedial orders, and administrative sanctions against financial entities.
European Supervisory Authorities (ESAs)
EBA, ESMA, and EIOPA. They develop technical standards, coordinate supervisory practices, and, for critical ICT third‑party providers, act as Lead Overseers with direct oversight powers at EU level.
Critical ICT Third‑Party Provider (CTPP)
An ICT provider designated by the European Commission as critical due to its systemic importance for EU financial entities. Subject to direct EU‑level oversight, inspections, and potential periodic penalty payments under DORA.
Periodic Penalty Payment
A recurring financial penalty (e.g., daily fine) imposed to compel compliance with a supervisory order or instruction, used both for financial entities (via NCAs) and for CTPPs (via Lead Overseers).
Management Body Accountability
The principle that the board or equivalent governing body of a financial entity bears ultimate responsibility for ensuring DORA compliance, including approval of ICT risk frameworks and oversight of operational resilience.
Supervisory Convergence
The process by which NCAs align their supervisory practices, tools, and enforcement approaches, driven by ESAs’ guidelines, RTS/ITS, and joint exercises, reducing cross‑border inconsistencies in DORA enforcement.

Step 10 – Mini Framework: Assessing DORA Enforcement Risk for Any Organization

To conclude, apply a structured 4‑lens framework to assess DORA enforcement risk for any in‑scope organization.

Lens 1 – Governance & Accountability

Ask:

  • Has the management body formally approved an ICT risk management framework aligned with DORA?
  • Are there regular, documented reports on ICT risk, incidents, and resilience testing to the board?

> If no, risk of high‑impact sanctions is significant.

Lens 2 – Critical Functions & ICT Third‑Party Risk

Ask:

  • Are critical or important functions clearly identified and mapped to ICT assets and providers?
  • Are contracts with major ICT providers DORA‑compliant, especially on access, audit, data location, and termination?

> Weaknesses here increase both operational risk and sanction risk if incidents occur.

Lens 3 – Incident Management & Reporting

Ask:

  • Is there a working incident classification scheme consistent with DORA criteria?
  • Has the entity tested its ability to report major incidents within required timelines and formats?

> Poor incident reporting is highly visible to supervisors and often leads to enforcement.

Lens 4 – Implementation Evidence

Ask:

  • Is there a documented DORA gap analysis and prioritized remediation plan?
  • Can the entity show progress (e.g., completed milestones, updated policies, training records)?

> Even if not perfect, credible evidence of structured progress can mitigate enforcement severity.

---

Your task:

Pick a type of organization (e.g., large bank, small insurer, payment institution, crypto‑asset service provider) and, using the four lenses, write 1–2 bullet points per lens describing:

  • The most likely DORA weakness for that type of entity.
  • The most probable supervisory response if that weakness is not addressed within the next year.

This exercise is designed to help you move from theory to practical enforcement risk assessment, which is the core learning objective of this module.

Key Terms

DORA
Digital Operational Resilience Act – Regulation (EU) 2022/2554, a directly applicable EU regulation harmonizing requirements on ICT risk management, incident reporting, testing, third‑party risk, and operational resilience for financial entities and certain ICT providers.
Lead Overseer
The ESA designated to exercise direct oversight over a specific CTPP, including inspections, information requests, and the power to impose periodic penalty payments.
Management Body
The board of directors or equivalent governing body of a financial entity, which bears ultimate responsibility for ensuring compliance with DORA and overseeing ICT risk and resilience.
Financial Entity (FE)
Any institution within the scope of DORA, including banks, investment firms, insurers, payment institutions, e‑money institutions, central securities depositories, central counterparties, and certain crypto‑asset service providers.
Supervisory Convergence
The process of aligning supervisory practices and enforcement approaches across NCAs, often through ESA guidelines, common templates, and joint oversight activities.
Periodic Penalty Payment
A recurring financial penalty imposed by a supervisor to compel compliance with a specific order or instruction, continuing until the entity complies.
National Competent Authority (NCA)
A national regulatory or supervisory authority in an EU Member State responsible for supervising financial entities’ compliance with DORA.
European Supervisory Authorities (ESAs)
The three EU agencies – EBA, ESMA, and EIOPA – that develop technical standards, coordinate supervision, and, in the case of critical ICT providers, act as Lead Overseers.
Threat‑Led Penetration Testing (TLPT)
Advanced, intelligence‑driven penetration testing focused on critical functions, required under DORA for certain in‑scope entities, building on frameworks like TIBER‑EU.
Critical ICT Third‑Party Provider (CTPP)
An ICT service provider designated by the European Commission as critical for the financial sector due to its systemic importance; subject to direct EU‑level oversight under DORA.