How much can my company be fined under DORA?
DORA penalties vary by member state, but each member state's regime must be effective, proportionate and dissuasive. This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.
Maximum fine: varies by member state (effective, proportionate, dissuasive)
Source: Regulation (EU) 2022/2554
How DORA penalties work
DORA's penalty regime (Article 50) is unusual in the EU regulatory landscape: rather than a one-off maximum fine, it authorises national competent authorities and ESAs to impose periodic penalty payments of up to 1% of average daily worldwide turnover for each day of non-compliance, for a maximum of 6 months. For designated critical ICT third-party service providers, the ESAs can directly impose periodic penalties. Member States must ensure penalties are 'effective, proportionate and dissuasive'.
Fine tiers by article
Periodic penalty payments for ongoing non-compliance — financial entities
Up to 1% of average daily worldwide turnover per day, for up to 6 months
Applies to:
- ICT risk management framework absent or inadequate (Art. 5–16)
- Failure to classify and report major ICT-related incidents (Art. 17–23)
- Failure to conduct required digital operational resilience testing (Art. 24–27)
- Inadequate third-party ICT risk management (Art. 28–44)
Periodic penalty payments for critical ICT third-party service providers (CTPPs) — imposed directly by ESAs
Up to €5,000,000, or 1% of average daily worldwide turnover per day
Applies to:
- Failure of designated CTPP to comply with ESA oversight recommendations
- Refusal to provide information or documents to ESAs
- Failure to appoint a legal representative in the EU
Stacked exposure with other EU regulations
In the financial sector, DORA penalties may stack with NIS2 (where applicable to essential entities) and GDPR. However, DORA Article 1(2) establishes a lex specialis relationship with NIS2 — where DORA is more specific, it takes precedence for financial entities. Double penalties for the same act should be avoided, but regulators may investigate separately.
Frequently asked questions
What is the maximum DORA fine?
DORA does not specify a single maximum fine amount. Instead, it authorises periodic penalty payments of up to 1% of a financial entity's average daily worldwide turnover per day of non-compliance, for a maximum of 6 months. For a firm with €1B annual turnover, this could reach approximately €16M over 6 months.
Who enforces DORA?
National competent authorities (NCAs) designated by each Member State enforce DORA for financial entities under their supervision. For critical ICT third-party service providers, the European Supervisory Authorities (EBA, EIOPA, ESMA) enforce DORA directly through the Joint Oversight Committee.
Does DORA apply to non-financial companies?
DORA applies only to financial entities as defined in Art. 2, plus their critical ICT third-party service providers. Non-financial companies that are ICT service providers to banks or insurers may be designated as critical and become subject to DORA's oversight regime.
For informational purposes only. This is not legal advice; consult qualified legal counsel for advice specific to your situation.