← All posts

DORA fines are here: What the first enforcement actions mean for you

For eighteen months after DORA became applicable, the prevailing mood among compliance teams could be summarised as cautious optimism. Regulators were gathering data, running questionnaires, and assessing baseline readiness. Firms that engaged in good faith had little reason to fear immediate consequences.

That phase is now over.

In the first half of 2026, multiple national competent authorities have moved from assessment to action. Compulsion payments have been issued. Remediation orders are being enforced with deadlines. And the Register of Information submissions from March 2026 gave supervisors the data they needed to identify which firms are genuinely compliant and which have been filing paperwork without substance behind it.

The shift from tolerance to accountability

The transition was not sudden. It followed a logical sequence that supervisors had signalled openly.

Throughout 2025, NCAs collected Register of Information submissions, conducted initial reviews of ICT risk frameworks, and held supervisory dialogues with institutions across the sector. That intelligence gathering established baselines. Supervisors now know what good looks like in their jurisdictions, and they know which institutions fall short.

2026 marks the year when that knowledge becomes the foundation for enforcement decisions. Regulators are no longer asking whether firms have heard of DORA. They are examining whether the frameworks firms claim to have actually function under stress. The question has shifted from "have you documented this?" to "prove it works."

How penalty regimes differ across Europe

DORA establishes maximum penalty levels at the EU level, but enforcement power sits with national authorities. This means the practical consequences of non-compliance vary depending on where you are supervised.

Italy has set among the highest national ceilings in Europe. Administrative fines for financial entities can reach EUR 20 million or 10% of total annual turnover, whichever is higher. For serious or repeated violations, the Italian supervisory framework allows penalties that exceed what many firms expected from a regulation focused on operational resilience. Ireland follows a similar trajectory. The Central Bank of Ireland can impose fines of up to EUR 10 million or 10% of annual turnover. Ireland's enforcement culture has historically been assertive, and DORA gives the CBI additional tools that align with its existing approach to financial services supervision. Germany operates through BaFin, which has integrated DORA supervision into its existing IT oversight framework. BaFin's approach tends to be procedural and thorough. Firms can expect detailed information requests, structured remediation timelines, and escalating consequences for missed deadlines. The Nordic countries present a picture of coordinated supervisory intent. Finanstilsynet in Norway, Finansinspektionen in Sweden, the Danish FSA, and FIN-FSA in Finland have all positioned digital resilience as a top priority for 2026. While Nordic regulators have historically favoured dialogue over punitive action, the DORA framework gives them tools they did not previously have, and the political context around operational resilience and national security has shifted expectations.

Personal liability for senior managers

One dimension of DORA enforcement that has received less attention than it deserves is the personal liability framework. DORA does not only target institutions. It also creates consequences for the individuals responsible for ICT risk governance.

Natural persons, typically board members or senior managers with designated ICT risk responsibilities, can face personal fines of up to EUR 1,000,000. Beyond financial penalties, NCAs can issue temporary bans on individuals holding management positions in financial services.

This is not theoretical. DORA Article 5 places explicit responsibility on the management body. If a supervisor concludes that an institution's ICT risk governance was inadequate, the question of who was responsible has a clear regulatory answer. The person designated under Article 5(2) carries personal accountability for the framework's effectiveness.

For board members, the practical implication is straightforward: passive oversight is no longer a defensible position. Evidence of genuine engagement, including meeting minutes, approved policies, allocated budgets, and completed training, is the minimum that demonstrates compliance with governance obligations.

Critical ICT third-party providers face direct penalties

The 19 designated Critical Third-Party Providers are now subject to direct ESA oversight. The penalty framework for CTPPs operates differently from financial entities:

  • Fines of up to EUR 5,000,000 per violation for legal persons
  • Fines of up to EUR 500,000 per violation for natural persons (senior managers within the CTPP)
  • For ongoing violations, up to 1% of average daily global turnover applied for up to six months

For financial entities, the indirect risk is significant. If a CTPP you depend on receives remediation orders and fails to comply, your supervisor may require you to demonstrate that your exit plan is credible and executable. The contractual provisions you negotiated under Article 28 and the exit strategies you documented under Article 28(8) move from compliance artefacts to operational necessities.

What the first enforcement actions tell us

Three patterns are emerging from the initial wave of supervisory action.

Register of Information failures are the primary trigger. The March 2026 submission deadline gave NCAs a concrete, verifiable data point. Firms that submitted incomplete registers, failed validation checks, or missed the deadline entirely have received the earliest attention. This is unsurprising. The RoI is the most auditable obligation in DORA: either you submitted it correctly or you did not. Incident reporting gaps are being identified retrospectively. Supervisors are cross-referencing known ICT disruptions against the incident reports they received. Where a firm experienced a visible outage but filed no major incident report, supervisors are asking why. The classification criteria in the RTS are specific enough that regulators can form a view on whether a firm should have reported. Governance gaps surface during on-site interactions. When supervisors visit, they ask to see board minutes, ICT risk policies, and evidence of management body engagement. Institutions where ICT risk governance exists only on paper, with no evidence of active board involvement, are receiving findings.

What this means for firms that are not yet fully compliant

The data suggests that roughly half of EU financial entities entered 2026 without full DORA compliance. If you are in that group, the situation is not hopeless, but the window for unscrutinised remediation is closing.

The most important distinction in enforcement is between firms that are working toward compliance with a documented plan and firms that have not engaged at all. NCAs have discretion in how they apply penalties. Article 54 explicitly requires them to consider the severity and duration of breaches, the degree of responsibility, the financial strength of the entity, and the level of cooperation. A credible remediation programme, actively tracked and resourced, remains the strongest defence against punitive action.

What supervisors will not tolerate is inaction disguised as complexity. Claiming that DORA is too broad, too difficult, or too new to implement is not a position that carries weight eighteen months after the regulation became applicable. The firms receiving enforcement attention in 2026 are overwhelmingly those that did little or nothing in 2025, not those that tried and fell short.

Practical steps for the second half of 2026

If your institution has gaps, prioritise visibility and documentation above all else:

  • Ensure your Register of Information is complete, validated, and ready for the next submission cycle
  • Verify that your incident reporting process can produce a compliant notification within the four-hour window
  • Confirm that board-level governance is documented with evidence of genuine engagement
  • Track your remediation efforts in a way that creates an audit trail

When a supervisor asks what you have done, the answer should be demonstrable, not anecdotal. Dates, decisions, allocated resources, and completed actions create a narrative of good faith effort that directly influences how NCAs exercise their discretionary powers.

The regulation is no longer new. The enforcement framework is no longer theoretical. The question for every financial entity in Europe is no longer whether DORA applies, but whether your compliance will hold up when your supervisor decides to look closely.

Ready to simplify DORA compliance?

Purpose-built platform for EU financial entities. Start your free trial today.

Get Started →