EuroComply

How much can my company be fined under DORA?

DORA carries penalties of up to 1% of daily global turnover per day of non-compliance (for up to 6 months) for critical ICT third-party service providers (CTPPs); financial entities are fined under national law. This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.

DORA (Digital Operational Resilience Act) creates ICT risk management obligations for the financial sector with penalties enforced by national financial regulators. Fines are effective, proportionate, and dissuasive — typically ranging from €1–50 million depending on violation severity and organization size.

Regulation: Regulation (EU) 2022/2554 — DORA
Enforcement Date: January 17, 2025 (full enforcement)
Maximum Fine: Effective, proportionate, dissuasive per member state (typically €1–50M)
Scope: Banks, insurers, investment firms, crypto-asset service providers, payment institutions
Enforcer: National financial regulators (central banks, insurance authorities, banking supervisors)

Common Questions

What organizations are covered by DORA?
DORA applies to all entities regulated under EU financial services law: banks, branches of non-EU banks, insurance companies, reinsurance companies, investment firms, crypto-asset service providers, payment institutions, e-money institutions, and currency exchange providers. Third-party service providers (cloud, outsourcing) also face requirements.
What are the core DORA compliance obligations?
Implement an ICT risk management framework covering governance, asset management, incident reporting, testing (resilience testing, penetration testing), and monitoring. Manage third-party ICT service provider risk. Report major ICT incidents and financial incidents to regulators.
How does DORA interact with NIS2?
DORA is the financial sector equivalent of NIS2. Both impose cybersecurity risk management and incident reporting. A financial services provider may be subject to both DORA (as a regulated entity) and NIS2 (as a critical or important operator), with harmonized but distinct requirements.
What is digital resilience testing under DORA?
Digital Operational Resilience Testing (DORT) requires financial entities to conduct regular stress tests and penetration tests to ensure they can withstand severe ICT disruptions. Testing must involve third-party providers and be documented and reported to regulators.
Can a financial institution outsource DORA compliance?
Partial outsourcing is allowed, but the regulated entity remains responsible for compliance. Critical ICT third-party service providers must meet specific requirements, and the regulated entity must maintain oversight and contractual control over these providers.
When are DORA fines issued?
Enforcement is carried out by national financial regulators. Fines can be issued for non-compliance with governance, risk management, testing, or reporting requirements. The first significant DORA enforcement actions are expected in H2 2025–H1 2026.

Maximum fine

CTPPs: 1% of daily global turnover (up to 6 months); Financial entities: per national law

Source: Regulation (EU) 2022/2554

How DORA penalties work

DORA's penalty regime (Article 50) is unusual in the EU regulatory landscape: rather than a one-off maximum fine, it authorises national competent authorities and ESAs to impose periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance, for a maximum of 6 months. For designated critical ICT third-party service providers, the ESAs can directly impose periodic penalties. Member States must ensure penalties are 'effective, proportionate and dissuasive'.

Fine tiers by article

Art. 50(4)(b)

Periodic penalty payments for ongoing non-compliance — financial entities

Up to 1% of average daily worldwide turnover per day, for up to 6 months

Applies to:

  • ICT risk management framework absent or inadequate (Art. 5–16)
  • Failure to classify and report major ICT-related incidents (Art. 17–23)
  • Failure to conduct required digital operational resilience testing (Art. 24–27)
  • Inadequate third-party ICT risk management (Art. 28–44)

Source: EUR-Lex — Art. 50(4)(b)

Art. 35(2)

Periodic penalty payments for critical ICT third-party service providers (CTPPs) — imposed directly by ESAs

Up to €5,000,000

or 1% per day of global turnover

Applies to:

  • Failure of designated CTPP to comply with ESA oversight recommendations
  • Refusal to provide information or documents to ESAs
  • Failure to appoint a legal representative in the EU

Source: EUR-Lex — Art. 35(2)

Stacked exposure with other EU regulations

In the financial sector, DORA penalties may stack with NIS2 (where applicable to essential entities) and GDPR. However, DORA Article 1(2) establishes a lex specialis relationship with NIS2 — where DORA is more specific, it takes precedence for financial entities. Double penalties for the same act should be avoided, but regulators may investigate separately.

Calculate your stacked fine exposure →

Frequently asked questions

What is the maximum DORA fine?

DORA does not specify a single maximum fine amount. Instead, it authorises periodic penalty payments of up to 1% of a financial entity's average daily worldwide turnover per day of non-compliance, for a maximum of 6 months. For a firm with €1B annual turnover, this could reach approximately €16M over 6 months.

Who enforces DORA?

National competent authorities (NCAs) designated by each Member State enforce DORA for financial entities under their supervision. For critical ICT third-party service providers, the European Supervisory Authorities (EBA, EIOPA, ESMA) enforce DORA directly through the Joint Oversight Committee.

Does DORA apply to non-financial companies?

DORA applies only to financial entities as defined in Art. 2, plus their critical ICT third-party service providers. Non-financial companies that are ICT service providers to banks or insurers may be designated as critical and become subject to DORA's oversight regime.

What is your stacked fine exposure across all EU regulations?

Calculate your combined risk across DORA, GDPR, NIS2, AI Act, and more — free, no signup.


For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.
