Article 45 Digital Operational Resilience Act (DORA), Exercise Of The Power To Impose Administrative Penalties And Remedial Measures

Sep 12, 2024

Under Article 45 of the Digital Operational Resilience Act (DORA), competent authorities are empowered to impose administrative penalties and implement remedial measures. These powers, as outlined in Article 44, are exercised within the boundaries of each authority's national legal framework. Enforcement of these penalties and measures can take place through several approaches.

Enforcement Mechanisms Under DORA

  • Direct Action: Competent authorities can directly impose penalties and implement remedial measures without external assistance. This direct approach allows authorities to take immediate and independent action to address breaches of DORA.
  • Collaboration with Other Authorities: In some cases, competent authorities may collaborate with other national or international authorities to impose penalties and implement measures. This collaborative approach ensures that the enforcement actions are comprehensive and align with broader regulatory frameworks.
  • Delegation to Other Authorities: Competent authorities may delegate the responsibility of imposing penalties and implementing remedial measures to other authorities. However, the delegation must occur under the supervision and responsibility of the competent authority. This approach allows for specialized expertise or local knowledge to be applied while maintaining overall accountability.
  • Application to Judicial Authorities: Competent authorities can also seek the involvement of judicial authorities to enforce penalties and measures. This legal route ensures that enforcement actions are carried out with judicial oversight, particularly in complex or contentious cases.

Determining The Type And Level Of Penalties

When determining the appropriate type and level of administrative penalties or remedial measures, competent authorities must consider a range of factors to ensure that the penalties are proportionate and effective. The determination process involves evaluating several key aspects:

  • Intentionality or Negligence: Authorities assess whether the breach was intentional or the result of negligence. The degree of intent behind the breach can significantly impact the severity of the penalty, with intentional breaches typically attracting harsher penalties.
  • Materiality, Gravity, and Duration: The materiality and gravity of the breach, along with its duration, are crucial factors in determining the penalty. A breach that has a significant impact or persists over a long period may warrant a more severe penalty to reflect the seriousness of the violation.
  • Responsibility of the Breaching Party: The level of responsibility held by the natural or legal person responsible for the breach is also considered. This factor helps in assessing the extent of culpability and the appropriate level of penalty for the responsible party.
  • Financial Strength of the Breaching Party: The financial strength of the natural or legal person responsible for the breach is a key consideration. Authorities may impose penalties that are proportionate to the financial capacity of the breaching party, ensuring that the penalties are impactful without being excessively punitive.
  • Profits Gained or Losses Avoided: Authorities assess the extent of profits gained or losses avoided by the breaching party as a result of the breach. If these financial benefits can be determined, they play a significant role in the calculation of the penalty. The goal is to ensure that the breach does not result in undue financial advantage for the responsible party.
  • Losses for Third Parties: The losses incurred by third parties due to the breach are also considered, insofar as they can be determined. This factor highlights the broader impact of the breach and the need for penalties that address the harm caused to others.
  • Cooperation with Authorities: The level of cooperation demonstrated by the responsible party during the investigation and enforcement process is taken into account. However, this factor does not override the necessity to ensure that profits gained or losses avoided are disgorged, ensuring that the breach does not result in a net gain for the responsible party.
  • Previous Breaches: The history of previous breaches by the responsible party is another important consideration. A pattern of repeated violations may result in more severe penalties to deter future breaches and uphold the integrity of the regulatory framework.

Conclusion

Article 45 of DORA provides a structured approach for competent authorities to impose administrative penalties and remedial measures. By considering a wide range of factors, authorities ensure that the penalties are fair, proportionate, and effective in addressing breaches, thereby reinforcing the resilience of the digital financial ecosystem.
