Like any legal act, the Digital Operational Resilience Act (DORA) imposes obligations on the entities it covers. Failure to fulfill these obligations may result in sanctions being imposed on entities that neglect DORA compliance.
The principle of proportionality
Before discussing the sanctions for non-compliance with DORA, it is worth recalling the principle of proportionality set out in Article 4 of the Regulation. Under this principle, financial entities apply the provisions of Chapters II, III, IV, and V taking into account their size and overall risk profile, as well as the nature, scale, and complexity of their services, activities, and operations. Competent authorities take the application of this principle into account when they review the consistency of an entity's ICT risk management framework on the basis of the reports submitted by financial entities.
Responsibility of the management board
The management body (referred to here as the management board) of the financial entity bears ultimate responsibility for compliance with the Regulation. It defines, approves, and oversees the implementation of all arrangements relating to the ICT risk management framework and is responsible for that implementation. To manage ICT risk effectively, it must put in place the relevant policies, procedures, plans, budgets, and reporting channels. Its members must also keep their knowledge and skills in ICT risk management up to date, including through regular training. In addition, financial entities other than microenterprises must establish a role to monitor the arrangements concluded with ICT third-party service providers, or designate a member of senior management as responsible for overseeing the related risk exposure and the relevant documentation.
NIS2 likewise makes management bodies personally accountable: they must approve and oversee the cybersecurity risk-management measures their organization adopts and can be held liable for infringements. Management bodies must therefore ensure a high level of cybersecurity within their organizations.
See also the guide to the RTS JC 2023 86 guidelines, which can help document cybersecurity in financial entities and ICT service providers.
DORA and NIS2: Similarities
Several EU legal acts on cybersecurity and digital resilience entered into force in 2023, DORA and NIS2 chief among them. DORA focuses on the financial sector and requires the entities operating in it to meet digital operational resilience standards; non-compliance can lead to severe penalties, including fines calculated as a percentage of turnover. NIS2, by contrast, applies to a wide range of organizations and can lead to fines of millions of euros and other sanctions, such as a ban on operations. Because non-compliance with either act can have serious consequences for a company, appropriate security measures deserve attention.
Sanctions for a financial entity resulting from non-compliance with DORA
DORA provides for severe penalties. Article 50 leaves the detailed rules on administrative penalties to the member states, but it requires competent authorities to have a range of tools at their disposal against non-compliant entities, from cease-and-desist orders to measures of a pecuniary nature. The least severe is a public notice or reprimand, which can damage a brand's credibility and lead to a loss of customers and revenue. Fines follow, with the amounts set in national law (see the section on local law adjustments below). The figure of 1% of average daily worldwide turnover for each day of non-compliance that is often quoted in connection with DORA is the periodic penalty payment that the Lead Overseer may impose on critical ICT third-party service providers under Article 35(6); it is not a cap on fines for financial entities. Ultimately, in extreme cases, non-compliance can result in the withdrawal of a supervised activity licence under the applicable sectoral supervisory law, which can eliminate a company from the market.
Although DORA is an EU regulation, its reach extends beyond the EU: financial entities authorised in the EU must comply regardless of where their operations or providers are located, and the contractual requirements DORA imposes on them (Article 30) flow down to ICT third-party service providers wherever those providers sit. A financial entity is therefore responsible not only for its own compliance but also for managing the ICT risk arising from its suppliers. ICT third-party service providers designated as critical by the European Supervisory Authorities (Article 31) fall under the DORA oversight framework and, if they fail to comply with the Lead Overseer's recommendations, may be subject to periodic penalty payments of up to 1% of their average daily worldwide turnover in the preceding business year, imposed daily for no more than six months (Article 35).
Local law adjustments on digital operational resilience
DORA is directly applicable in every member state, but Article 50 leaves it to national law to lay down the administrative penalties and remedial measures that competent authorities may impose on financial entities, so EU countries are adjusting their financial-sector legislation accordingly. NIS2, being a directive, has to be transposed into national law in any case. The list below is taken from one such national implementing act; it allows the supervisory authority to impose the following for non-compliance with DORA:
- an order to cease the conduct in question and to refrain from it in the future;
- a ban, for between one month and one year, on serving as a member of the management board or supervisory board or in another managerial function, imposed on a person managing the enterprise (in particular a person performing a managerial function or a member of the management body) who, in the course of performing that function, committed an act or omission that led to a violation of the regulations;
- a financial penalty not exceeding:
  - in the case of a legal person or an organizational unit without legal personality:
    a) 10% of net revenue from the sale of goods and services and from financial operations (for an insurance or reinsurance undertaking, 10% of gross written premium), as shown in the latest financial statements for the financial year approved by the approving authority, or
    b) twice the amount of the benefits gained or losses avoided as a result of the infringement, where these can be determined;
  - in the case of a natural person, including the person responsible for the infringement who during that period performed the duties of a member of the management board of that entity.
In addition to financial penalties, the regulations also provide for an order to cease activities that do not comply with the Regulation, and for a ban on serving as a member of the management board or in a managerial position. The term "managerial position" matters: liability is not limited to the management board but may also extend to directors or specific managers who are responsible for the non-compliant actions.
Sanctions under NIS2
Like DORA, NIS2 regulates cybersecurity. For financial entities DORA is the lex specialis: where DORA's requirements apply, they take the place of the corresponding NIS2 obligations (NIS2 Article 4). The two frameworks nevertheless overlap closely, so a financial entity that is not compliant with DORA is unlikely to meet the NIS2 standard either. The financial penalties for non-compliance with NIS2 vary with the entity's category and are set by each member state within the framework the directive specifies. NIS2 distinguishes between essential and important entities. The sectors of high criticality are listed in Annex I and the other critical sectors in Annex II. Annex I covers public and private entities in sectors such as energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, and space. Annex II covers sectors such as postal and courier services, waste management, chemicals, food, manufacturing, digital providers, and research.
One of the sanctions for non-compliance is a financial penalty. For essential entities, fines can reach €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the maximum is €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher.
In addition to financial penalties, the NIS2 Directive grants supervisory authorities administrative powers to ensure compliance, including:
- informing users, customers, or legal entities about security risks or breaches,
- ordering the discontinuance of activities that do not comply with the directive,
- issuing warnings in connection with non-compliance with the regulation,
- issuing cybersecurity instructions that must be implemented,
- requiring the introduction of specific risk management measures or reporting obligations,
- publicizing information about aspects of non-compliance, if necessary,
- appointing a monitoring officer to oversee compliance,
- temporarily suspending a certification or authorization for the relevant services of an essential entity if corrective-action deadlines are not met,
- temporarily prohibiting natural persons with managerial responsibilities at chief executive officer or legal representative level in an essential entity from exercising managerial functions until the issues are resolved.
How to mitigate the risk of non-compliance?
Navigating the maze of regulations is no easy task. Compliance with DORA and NIS2 increases your digital operational resilience and raises the level of information security within your organization, so these regulations are better treated as an opportunity than as a threat. Implementing them can pay for itself by reducing the risk of costly security incidents. The task, however, is complex and touches many areas: implementing the requirements is only the first step, and it must be followed by periodic audits that account for changed circumstances. Automated tools that simplify this work and save time are therefore worth using. RIG DORA assists with DORA and NIS2 implementation and with maintaining compliance afterwards, guiding you through the process step by step.
What are the potential consequences of not complying with the regulations?
The consequences vary with the type of violation, the degree to which it was knowing, and the jurisdiction. One common penalty is a fine, which may consist of returning wrongly retained funds plus an additional financial penalty, as happens, for example, with incorrectly declared taxes. Individuals found to have violated these regulations may face imprisonment for several months to several years, depending on the jurisdiction and the nature of the offence. Non-compliant entities also risk reputational damage, which can make it harder to attract customers and business partners. Serious violations may lead regulatory authorities to order immediate closure.