
DORA Penalty Framework: How 27 Member States Created a Patchwork of Enforcement — And What It Means for Cross-Border Institutions
Despite DORA being a directly applicable EU Regulation, member states created dramatically different penalty regimes: from EUR 2 million in the Czech Republic to EUR 20 million in Italy, and up to 10% of annual turnover in Sweden.
Key Metrics
| Metric | Value | Before DORA | Note |
|---|---|---|---|
| Highest absolute penalty (institutions) | EUR 20M (Italy) | No DORA penalties existed | Aligned with the GDPR absolute maximum |
| Lowest absolute penalty (institutions) | EUR 2M (Czech Republic) | No DORA penalties existed | 10x gap with the highest |
| Highest turnover-based penalty | 10% of annual turnover (Sweden) | No framework | Potentially billions for large institutions |
| Personal liability | Up to EUR 1M for individuals | None | Board-level accountability incentive |
| CTPP periodic penalty | 1% of average daily worldwide turnover, per day | No oversight | For up to 6 months; potentially EUR 500M+ |
The Situation
The Penalty Landscape Across the EU
The DLA Piper October 2025 analysis provides the most comprehensive mapping of DORA penalty divergence across the EU, revealing structural patterns that carry implications for cross-border compliance strategy.
Absolute Penalty Maximums (Institutions)
The range of absolute maximum penalties — the highest fine an NCA can impose regardless of turnover — spans an order of magnitude:
| Tier | Countries | Maximum | Notes |
|---|---|---|---|
| Highest | Italy | EUR 20M | Aligned with GDPR maximum |
| High | France, Germany, Netherlands | EUR 10-15M | Major financial centers |
| Medium | Belgium, Luxembourg, Austria | EUR 5-10M | |
| Lowest | Czech Republic | EUR 2M | Smallest maximum in the EU |
The Italian maximum of EUR 20 million matches the absolute figure in GDPR Art. 83(5) (the alternative to the 4% of worldwide turnover cap). The alignment suggests that Italian legislators viewed DORA violations as carrying severity equivalent to GDPR violations, a notable signal given that the two regulations can overlap: a single incident at a financial institution, such as a breach exposing customer data, can be both an ICT-related incident under DORA and a personal data breach under GDPR, and can be sanctioned under each.
Turnover-Based Penalties
Several member states implemented turnover-based penalty mechanisms that scale the maximum fine with the institution's size:
- Sweden: Up to 10% of annual turnover — the most aggressive turnover-based penalty in the EU
- Netherlands: Differentiated by breach type, with higher percentages for more severe violations
- Germany: Distinguishes between intentional and negligent violations, with different penalty ranges for each
- Spain: Up to 5% of annual turnover — the lowest turnover-based rate
The 2x gap between Sweden's 10% and Spain's 5% means that a EUR 10 billion turnover institution could face a maximum penalty of EUR 1 billion in Sweden versus EUR 500 million in Spain for the same violation — a difference of EUR 500 million in potential enforcement exposure.
Personal Liability
Several jurisdictions extended DORA penalties to individuals — particularly senior managers and members of the management body. This personal liability dimension aligns with DORA Art. 5's emphasis on management body accountability for ICT risk management. Maximum personal penalties of up to EUR 1 million in several jurisdictions create meaningful individual incentives for compliance.
CTPP-Specific Penalties
The CTPP penalty framework is distinct from the financial entity penalty framework. Under Art. 35(6)-(7), the Lead Overseer can impose periodic penalty payments of up to 1% of the CTPP's average daily worldwide turnover in the preceding business year, calculated for each day of delay until compliance is achieved and for no more than six months. For a CTPP with EUR 100 billion in annual revenue, average daily turnover is approximately EUR 274 million (100 billion / 365), so 1% is EUR 2.74 million per day; over roughly 182 days the cumulative maximum reaches approximately EUR 500 million. The payments are a coercive tool to compel compliance with the Lead Overseer's information requests, investigations and inspections, not a sanction for past violations: the meter stops as soon as the CTPP complies.
Enforcement Procedure Divergence
Beyond penalty levels, member states diverge on enforcement procedures:
- Germany distinguishes between intentional and negligent violations, applying different penalty ranges based on culpability.
- Netherlands differentiates penalties by breach type, with specific penalty categories for different types of DORA obligations.
- France uses a graduated enforcement model with warning, injunction, and penalty stages.
- Italy applies the highest absolute penalties but within a framework that considers mitigating factors including the entity's remediation efforts.
The Challenge
A Regulation, Twenty-Seven Interpretations
DORA is a directly applicable EU Regulation, meaning it applies uniformly across all 27 EU member states without requiring national transposition into domestic law. The regulation's substantive provisions (Chapters II to VI, Art. 5-45) create identical obligations for financial entities and ICT third-party service providers regardless of which member state they are established in. This was a deliberate design choice: DORA was enacted as a Regulation rather than a Directive precisely to avoid the transposition divergence that had plagued earlier financial sector directives.
However, DORA left one critical area to member states: the penalty framework. Art. 50-54 establish the framework for administrative penalties and remedial measures (the minimum powers of competent authorities, the factors to consider when imposing penalties, optional criminal penalties, notification duties and publication), but leave the specific penalty levels, enforcement procedures and penalty types to be determined by each member state's national legislation. The result, analyzed comprehensively by DLA Piper in October 2025, is a patchwork of enforcement regimes that vary dramatically across the EU.
The divergence is not marginal — it is structural. According to the DLA Piper analysis:
- Highest absolute penalty (institutions): Italy — up to EUR 20 million
- Lowest absolute penalty (institutions): Czech Republic — up to EUR 2 million
- Highest turnover-based penalty: Sweden — up to 10% of annual turnover
- Lowest turnover-based penalty: Spain — up to 5% of annual turnover
- Personal liability (individuals): Up to EUR 1 million in several jurisdictions
- CTPP penalties: Periodic penalty payments of up to 1% of average daily worldwide turnover, per day, for up to six months (set at EU level under Art. 35 and imposed by the Lead Overseer, not by national legislation)
The 10x gap between Italy's EUR 20 million maximum and the Czech Republic's EUR 2 million maximum for the same regulatory obligation means that a cross-border financial group faces radically different enforcement consequences depending on which member state's NCA takes action. A DORA violation that could result in a EUR 20 million fine from the Italian NCA (Banca d'Italia) might result in a EUR 2 million fine from the Czech NCA (Czech National Bank, ČNB) for an identical breach. Note that these figures are ceilings, not tariffs: Art. 51 requires competent authorities to take into account the gravity and duration of the breach, the degree of responsibility, the financial strength of the person responsible, the level of cooperation and any previous breaches, so the actual fine for a given violation will usually sit well below the maximum in every jurisdiction.
For cross-border institutions — which represent the majority of systemically important financial entities in the EU — this penalty divergence creates regulatory arbitrage opportunities, compliance planning complexity, and potential supervisory coordination challenges.
The Approach
Implications for Cross-Border Institutions
The DORA penalty divergence creates specific strategic and operational challenges for financial institutions operating across multiple EU member states.
Regulatory Arbitrage Risk
The 10x penalty gap between the highest and lowest penalty maximums creates theoretical regulatory arbitrage potential. An institution might perceive lower compliance urgency in jurisdictions with lower penalty ceilings — a perception that could lead to differentiated compliance investment across jurisdictions. However, several factors mitigate this risk:
NCA cooperation mechanisms. DORA Art. 48 requires competent authorities to cooperate closely among themselves and with the ESAs, and Art. 49 provides for cross-sector communication and cooperation. An institution that maintains lower compliance standards in a lower-penalty jurisdiction may face supervisory action from its home NCA (which may apply higher penalties) if the deficiency affects its group-level operational resilience.
Group-level compliance expectation. NCAs are expected to assess DORA compliance at the group level, not just at the entity level. A financial group whose subsidiary in a low-penalty jurisdiction maintains lower resilience standards may face group-level supervisory consequences from its consolidated supervisor.
Reputational risk outweighs penalty risk. For G-SIBs and large financial groups, the reputational cost of a DORA penalty, regardless of its absolute amount, significantly exceeds the financial cost. Art. 54 requires competent authorities to publish on their websites any decision imposing an administrative penalty, so a EUR 2 million fine in the Czech Republic generates the same public record and much the same negative headline as a EUR 20 million fine in Italy.
Compliance Planning Complexity
Cross-border institutions must navigate the penalty landscape across all jurisdictions where they operate. This requires:
Penalty mapping. Institutions need a comprehensive map of DORA penalty levels, enforcement procedures, and aggravating/mitigating factors for each jurisdiction. The DLA Piper October 2025 analysis provides the foundational data, but institutions must maintain this mapping as national implementations evolve.
Worst-case planning. Prudent compliance planning should use the highest applicable penalty level as the planning benchmark, not the lowest. An institution operating in both Italy (EUR 20M maximum) and the Czech Republic (EUR 2M maximum) should plan for the Italian enforcement ceiling. Where a jurisdiction combines an absolute cap with a turnover-based cap, the benchmark for each entity is the higher of the two, which for a large institution in Sweden will be the turnover-based figure rather than any absolute amount.
Personal liability assessment. In jurisdictions with personal penalties for senior managers, individual executives need clarity on their exposure. This has direct implications for governance structures, D&O insurance, and the delegation of DORA-related responsibilities.
The Convergence Question
The initial penalty divergence may narrow over time. Several convergence mechanisms exist:
ESA guidance. The ESAs may issue guidance on penalty calibration to promote convergence across member states. While the ESAs cannot override national penalty legislation, their guidance carries significant practical influence.
Enforcement precedent. As NCAs begin imposing DORA penalties, a body of enforcement precedent will emerge. Institutions fined in high-penalty jurisdictions will create benchmarks that influence enforcement expectations in lower-penalty jurisdictions.
Legislative harmonization pressure. If penalty divergence creates visible regulatory arbitrage or enforcement inconsistency, the European Commission may propose amendments to harmonize penalty levels — following the precedent set by GDPR enforcement divergence debates.
The Results
Strategic Recommendations for Cross-Border Compliance
The DORA penalty framework divergence, while creating complexity, also provides strategic opportunities for institutions that approach cross-border compliance proactively.
The High-Water-Mark Strategy
The most robust compliance approach for cross-border institutions is to implement DORA compliance at the highest standard required by any jurisdiction in which they operate. This "high-water-mark" strategy:
- Eliminates regulatory arbitrage risk: By meeting the highest standard everywhere, the institution cannot be accused of differential compliance investment across jurisdictions.
- Simplifies compliance management: A single, group-wide compliance standard is operationally simpler than maintaining jurisdiction-specific compliance levels.
- Prepares for convergence: If penalty levels converge upward, institutions that implemented to the highest standard will face no incremental compliance burden.
- Provides competitive advantage: In a market where DORA compliance quality will increasingly differentiate institutions, meeting the highest standard positions the institution favorably with clients, regulators, and counterparties.
Penalty-Specific Insights by Jurisdiction
Italy (EUR 20M maximum): Italian financial entities face the highest absolute penalty exposure in the EU. DORA compliance investment should be proportionally elevated, with particular attention to Banca d'Italia supervisory expectations and the Italian framework's consideration of remediation efforts as mitigating factors.
Sweden (10% turnover): Swedish financial entities face the most aggressive turnover-based penalty, making the financial risk of non-compliance potentially the highest in the EU for large institutions. The compliance business case is strongest in Sweden, where the cost of non-compliance scales linearly with institution size.
Germany (intentional vs. negligent distinction): The German framework's distinction between intentional and negligent violations creates a specific incentive to demonstrate good-faith compliance efforts. A documented DORA compliance programme, regular testing and evidence of timely remediation all support characterizing a breach as negligent rather than intentional, which places it in the lower penalty range. The converse also holds: a deficiency that the institution's own records show was identified, escalated and then knowingly left unremediated is much harder to present as negligence, so the value of documentation depends on acting on what it records.
Czech Republic (EUR 2M maximum): The lowest penalty ceiling creates a risk of under-investment in compliance for Czech-only institutions. However, for cross-border groups, the Czech subsidiary should be held to the group-wide standard, not the local minimum.
The Personal Liability Dimension
In jurisdictions with personal penalties, individual executives must:
- Understand their personal exposure: Senior managers responsible for ICT risk management, operational resilience, or DORA compliance functions face personal liability of up to EUR 1 million in several jurisdictions.
- Document their governance role: Evidence of active board engagement with DORA compliance — agenda items, minutes, decisions, challenge sessions — provides personal mitigation in the event of enforcement.
- Ensure adequate D&O coverage: Directors and officers insurance should explicitly cover DORA-related personal penalties in applicable jurisdictions, to the extent local law permits administrative fines to be insured at all; insurability of regulatory penalties against individuals is restricted or void as against public policy in some jurisdictions, so coverage must be checked per jurisdiction rather than assumed from a group policy.
The Emerging Enforcement Landscape
As of early 2026, no EU NCA has yet imposed a major DORA penalty. The enforcement landscape remains in its formative stage. However, the penalty frameworks are in place, the supervisory expectations are published, and the first supervisory examinations are underway. The transition from framework to enforcement is a matter of when, not whether — and institutions that have invested in comprehensive compliance will be best positioned when the first enforcement actions are announced.
Lessons Learned
1. DORA Art. 50-54 leave penalty levels to member states, which created a 10x divergence range (EUR 2M in the Czech Republic to EUR 20M in Italy) and requires cross-border institutions to plan compliance for the highest applicable penalty level.
2. Turnover-based penalties (5% in Spain to 10% in Sweden) create the strongest compliance business case for large institutions, where the financial risk of non-compliance scales linearly with institution size.
3. Personal liability provisions (up to EUR 1M in several jurisdictions) create individual incentives for board-level engagement with DORA compliance, reinforcing Art. 5 management body accountability.
4. The German framework's intentional vs. negligent distinction creates a specific incentive to document good-faith compliance efforts, making the quality of DORA programme documentation a risk mitigation factor.
5. The CTPP penalty structure (1% of average daily worldwide turnover, per day, for up to 6 months) is designed to compel cooperation with the Lead Overseer, creating potentially the largest penalties in the DORA framework for non-cooperating CTPPs.
6. Cross-border institutions should adopt a "high-water-mark" compliance strategy, implementing to the highest standard of any jurisdiction, to eliminate arbitrage risk and prepare for upward convergence.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.