
Penalty Divergence Across the EU: A DLA Piper-Sourced Analysis of 27 DORA Enforcement Regimes

DORA Atlas Editorial

One Regulation, 27 Penalty Regimes

DORA (EU 2022/2554) was deliberately structured as a Regulation rather than a Directive. The distinction matters: Directives require national transposition, which produces divergent implementations across member states. Regulations apply directly, creating uniform obligations. In theory, a bank in Milan faces the same DORA requirements as a bank in Stockholm.

In practice, this uniformity has a significant exception: penalties. DORA Articles 50-64 establish the enforcement framework but leave member states with discretion on penalty ceilings, calculation methodologies, aggravating and mitigating factors, and personal liability provisions. The result, documented in DLA Piper's October 2025 analysis, is a fragmented enforcement landscape where the financial consequences of the same DORA breach vary by a factor of ten depending on geography.

For cross-border financial groups operating across multiple EU jurisdictions — which describes most systemically important institutions — this fragmentation creates compliance complexity, enforcement arbitrage risk, and strategic questions about where to allocate compliance resources.

The Penalty Landscape: A 27-State Map

DLA Piper's analysis provides the most comprehensive public mapping of DORA penalty regimes across all 27 member states. The data reveals three structural dimensions of divergence: absolute penalty ceilings, turnover-based calculation mechanisms, and qualitative distinctions in penalty assessment.

Absolute Penalty Ceilings

| Country        | Maximum absolute penalty (EUR) | Relative position  |
|----------------|-------------------------------:|--------------------|
| Italy          | 20,000,000                     | Highest in the EU  |
| France         | 15,000,000                     | Second highest     |
| Netherlands    | 10,000,000                     | Top tier           |
| Germany        | 5,000,000                      | Mid-range          |
| Ireland        | 5,000,000                      | Mid-range          |
| Belgium        | 5,000,000                      | Mid-range          |
| Austria        | 5,000,000                      | Mid-range          |
| Poland         | 4,000,000                      | Mid-range          |
| Portugal       | 3,000,000                      | Lower range        |
| Czech Republic | 2,000,000                      | Lowest in the EU   |

The range from EUR 2 million (Czech Republic) to EUR 20 million (Italy) represents a tenfold variation. For a financial group operating in both jurisdictions, the same breach carries fundamentally different financial risk profiles depending on which supervisor acts first.

Turnover-Based Mechanisms

Several member states supplement or replace absolute ceilings with turnover-based calculations, creating a second dimension of divergence that disproportionately affects larger institutions:

| Country    | Turnover-based ceiling | Implication for large institutions                              |
|------------|------------------------|-----------------------------------------------------------------|
| Sweden     | 10% of annual turnover | Potentially the highest penalty in the EU for large institutions |
| Spain      | 5% of annual turnover  | Significant exposure for major banks                            |
| Finland    | 5% of annual turnover  | Aligned with Spain                                              |
| Denmark    | 5% of annual turnover  | Nordic alignment                                                |
| Luxembourg | Not primary mechanism  | Absolute ceiling applies                                        |
| Germany    | Not primary mechanism  | EUR 5M absolute ceiling                                         |
| Italy      | Not primary mechanism  | EUR 20M absolute ceiling                                        |

The implications are stark. A Swedish bank with EUR 5 billion in annual turnover faces a theoretical maximum penalty of EUR 500 million — one hundred times Italy's absolute ceiling. For a small German bank with EUR 50 million turnover, the EUR 5 million absolute ceiling exceeds what a 10% turnover calculation would produce.

This creates an inverse proportionality problem: turnover-based regimes hit large institutions harder in absolute terms but may be proportionally smaller as a percentage of capital. Absolute ceilings hit smaller institutions harder proportionally while capping exposure for the largest.

Qualitative Distinctions: Where the Real Divergence Lives

Beyond numerical ceilings, member states have adopted materially different approaches to penalty assessment that affect how supervisors calculate actual penalties within their legal ceilings.

The Intentional vs. Negligent Distinction

Germany stands out for explicitly differentiating between intentional and negligent breaches. Under Germany's national implementing provisions, an institution that knowingly fails to implement a DORA requirement faces the full penalty range, while one that demonstrates good-faith compliance efforts that fell short may face reduced penalties.

This distinction creates a documented defense pathway for institutions that can evidence their compliance efforts — including board-approved ICT risk management frameworks, resource allocation for DORA implementation, and timely remediation of identified gaps.

Other member states have not adopted this explicit distinction, relying instead on general aggravating and mitigating factors. The practical difference: in Germany, compliance process documentation has direct penalty mitigation value. In Italy or Sweden, the same documentation may influence penalty assessment but does not create a formal defense category.

Breach Type Differentiation

The Netherlands has adopted a nuanced approach that differentiates penalties by breach type. The penalty for inadequate ICT risk management framework (Pillar I) may differ from the penalty for failure to report a major incident within timelines (Pillar II) or for deficient third-party risk management (Pillar IV).

This approach aligns penalties with the supervisory harm caused by different breach types. An institution that has a comprehensive ICT risk framework but missed an incident reporting deadline faces a different enforcement posture than one that has no framework at all.

Personal Liability

Several member states have enacted personal liability provisions that extend beyond the institutional level to individual members of the management body. Under Art. 5's governance obligations, board members bear direct responsibility for ICT risk management. Some member states have created penalty mechanisms that can hold individuals personally liable for governance failures.

| Personal liability approach     | Countries              | Maximum individual penalty                   |
|---------------------------------|------------------------|----------------------------------------------|
| Explicit personal fines         | Germany, France, Italy | Up to EUR 1,000,000                          |
| Disqualification orders         | Ireland, Netherlands   | Bar from serving as director                 |
| Reputational sanctions          | Multiple states        | Public naming of responsible individuals     |
| No explicit personal liability  | Several states         | Institutional penalty only                   |

The personal liability dimension is particularly significant for non-executive directors and board members from non-technology backgrounds. Under DORA Art. 5(4), management body members must complete ICT risk training. In jurisdictions with personal liability, failure to complete this training or to exercise adequate oversight of ICT risk creates individual exposure.

The Cross-Border Compliance Challenge

For financial groups operating across multiple EU jurisdictions, the penalty divergence creates three strategic challenges:

1. Jurisdictional Penalty Arbitrage Risk

If a group-wide DORA breach is identified — for example, an inadequate ICT risk management framework applied across the group — which supervisor imposes the penalty? Art. 50-64 do not provide a clear allocation mechanism for group-wide breaches. In theory, each national supervisor could impose separate penalties on the entities within its jurisdiction.

This creates a multiplicative risk: a group operating in ten member states could face ten separate penalty proceedings for what is functionally a single compliance failure. The total exposure is not the highest single-country ceiling — it is the sum of penalties across all affected jurisdictions.

2. Compliance Resource Allocation

Rational compliance resource allocation requires understanding where enforcement risk is highest. A group might reasonably prioritize compliance efforts in jurisdictions with the highest penalty exposure — Italy (EUR 20M), Sweden (10% turnover), France (EUR 15M) — over jurisdictions with lower ceilings.

But this analysis is complicated by the probability dimension. A jurisdiction with a high penalty ceiling but low supervisory capacity may present less actual risk than one with a moderate ceiling but aggressive enforcement culture. BaFin's EUR 5 million ceiling, combined with Germany's historically rigorous supervisory approach, may represent greater practical risk than a higher ceiling in a jurisdiction with less supervisory capacity.

3. Home-Host Supervisor Dynamics

For cross-border groups, the relationship between home and host supervisors determines which authority takes the lead on enforcement. Under the SSM (Single Supervisory Mechanism), the ECB directly supervises significant institutions — but DORA enforcement largely remains with national competent authorities. This creates a coordination challenge that the ESAs' July 2025 oversight guide partially addresses but does not fully resolve.

The Convergence Question

The penalty divergence is a structural feature of DORA's enforcement framework, not a bug. DORA Article 64 acknowledges that member states will implement penalty provisions according to their national legal traditions and institutional frameworks.

But the divergence raises legitimate questions about the Single Market:

Level playing field. If the same breach costs EUR 2 million in Prague and EUR 20 million in Rome, institutions in lower-penalty jurisdictions face weaker compliance incentives. Over time, this could create a competitive distortion where institutions relocate compliance-sensitive functions to lower-penalty jurisdictions.

Supervisory signaling. High penalty ceilings signal supervisory seriousness. Italy's EUR 20 million ceiling, combined with the Italian market's experience of targeted cyberattacks (NoName057's focus on Italian financial institutions), sends a deterrent message that lower-ceiling jurisdictions may struggle to match.

Enforcement convergence pressure. As the ESAs' oversight framework matures and JET examination processes create cross-border precedents, there will be pressure for penalty outcomes to converge even if legal ceilings diverge. A JET finding that produces a EUR 500,000 fine in one jurisdiction and a EUR 5 million fine in another for the same deficiency will strain supervisory credibility.

A Framework for Managing Penalty Divergence

For compliance officers navigating this landscape, a structured approach to penalty risk management is essential:

Step 1 — Map your jurisdictional exposure. Identify every EU jurisdiction where your group operates regulated entities. For each, document the applicable penalty ceiling (absolute and turnover-based), qualitative distinctions (intentional vs. negligent, breach type differentiation), and personal liability provisions.

Step 2 — Assess supervisory posture. Beyond legal provisions, assess each NCA's practical enforcement culture. Has the supervisor published DORA-specific guidance? Staffed a dedicated DORA team? Conducted thematic reviews? The penalty ceiling is the theoretical maximum; the supervisory posture determines the practical likelihood.

Step 3 — Prioritize by combined risk. Multiply exposure (penalty ceiling) by probability (supervisory posture) to identify highest-risk jurisdictions. A high-ceiling, high-probability jurisdiction demands primary compliance attention.

Step 4 — Build compliance documentation defensively. In jurisdictions with the intentional vs. negligent distinction (Germany), or general mitigating factor provisions (most states), maintain documentation that evidences good-faith compliance efforts: board minutes approving ICT risk frameworks, training records, testing results, remediation plans with timelines.

Step 5 — Prepare for simultaneous proceedings. Develop a legal response framework for the scenario where multiple NCAs initiate penalty proceedings for the same or related breaches. This requires coordinated legal counsel across jurisdictions and a clear communication strategy with each supervisor.

The Penalty Divergence in Context

The EUR 2 million to EUR 20 million range — or the 5% to 10% turnover-based range — should be placed in context. GDPR's penalty ceiling of EUR 20 million or 4% of global turnover was considered aggressive when adopted. DORA's ceilings are comparable at the high end (Italy matches GDPR's absolute ceiling) and potentially exceed it at the extreme (Sweden's 10% of turnover exceeds GDPR's 4%).

But DORA penalties also exist alongside other enforcement mechanisms:

  • CTPP oversight penalties. Art. 35(8) empowers the Lead Overseer to impose penalties on designated CTPPs of up to 1% of average daily worldwide turnover per day of non-compliance — a potentially massive figure for hyperscale cloud providers.
  • Supervisory measures. NCAs can require remediation actions, restrict activities, or impose additional reporting requirements independently of financial penalties.
  • Market consequences. A public enforcement action — regardless of the penalty amount — carries reputational consequences that may exceed the financial penalty in magnitude.

The penalty divergence, while significant, is one dimension of a multi-dimensional enforcement landscape. Institutions that focus exclusively on penalty ceilings while neglecting the operational consequences of enforcement actions are managing the wrong risk.

What Comes Next

DLA Piper's October 2025 analysis captured a snapshot of the penalty landscape in its early implementation phase. No member state had imposed a public DORA penalty at the time of publication. The enforcement landscape will evolve as supervisors build examination capacity, identify systemic gaps, and establish enforcement precedents.

The first DORA penalties — whenever they arrive — will set the tone for the enforcement regime. If initial penalties cluster at the lower end of available ranges, the deterrent effect will be limited. If any supervisor imposes a penalty near its ceiling, the signal will reverberate across the Single Market.

For compliance officers, the practical takeaway is to prepare as though your highest-exposure jurisdiction's ceiling applies, while documenting compliance efforts defensively for jurisdictions that reward good faith. Our enforcement outlook for 2026 and our ESA oversight activities guide provide additional context on how supervisors plan to exercise these powers; our self-assessment tool lets you gauge your own readiness. The penalty divergence is real, it is structural, and it will influence competitive dynamics across the European financial sector for years to come.


This analysis draws on DLA Piper's October 2025 assessment of DORA penalty regime divergence across EU member states. Specific penalty amounts and calculations are subject to national implementation provisions and may evolve as member states refine their enforcement frameworks.

