Article 46 Digital Operational Resilience Act (DORA), Criminal Penalties

Sep 12, 2024

Article 46 of the Digital Operational Resilience Act (DORA) provides guidance on the intersection of administrative penalties, remedial measures, and criminal penalties within the framework of the regulation. The article addresses the discretion given to Member States regarding the imposition of penalties and outlines the procedures for cooperation between competent authorities and judicial bodies when criminal penalties are involved.

Article 46 Digital Operational Resilience Act (DORA), Criminal Penalties

Discretion of Member States Regarding Penalties

The first key provision in Article 46 grants Member States the discretion to choose whether to establish rules for administrative penalties or remedial measures in cases where breaches of the regulation are already subject to criminal penalties under national law. This allows Member States to avoid duplicating penalties for the same offense, ensuring that the legal framework remains streamlined and efficient. By allowing Member States to focus on either administrative or criminal penalties, DORA provides flexibility in how breaches of the regulation are addressed, depending on the specific legal traditions and enforcement mechanisms of each Member State.

Establishing Criminal Penalties

When a Member State opts to enforce criminal penalties for breaches of DORA, they are required to ensure that the appropriate measures are in place to facilitate effective communication and cooperation between competent authorities and the relevant judicial bodies. This is a crucial aspect of the regulation, as it ensures that breaches of DORA, which may involve complex digital and financial crimes, are handled with the necessary rigor and oversight.

To achieve this, Member States must empower competent authorities with the ability to liaise directly with judicial, prosecuting, or criminal justice authorities. This liaison capability is essential for the competent authorities to obtain specific information related to ongoing criminal investigations or proceedings that have been initiated due to breaches of DORA. The information exchanged can include details on the nature of the breach, the entities involved, and any ongoing investigative actions.

Cooperation Among Competent Authorities and Supervisory Bodies

In addition to ensuring cooperation within their own jurisdictions, Member States must also facilitate the sharing of relevant information with other competent authorities across the European Union. This includes providing information to European Supervisory Authorities (ESAs) such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). These supervisory bodies play a key role in overseeing the implementation of DORA and ensuring a consistent approach to digital operational resilience across the EU.

The exchange of information between national competent authorities and ESAs is vital for maintaining the integrity of the financial system and preventing regulatory arbitrage, where entities might exploit differences in enforcement across Member States. By ensuring that information about criminal investigations or proceedings is shared promptly and efficiently, Article 46 supports a unified and effective enforcement of DORA, reinforcing the EU’s broader financial stability objectives.

DORA Compliance Framework

Balancing Administrative and Criminal Penalties

Article 46 highlights the importance of striking a balance between administrative and criminal penalties within the context of DORA. While administrative penalties and remedial measures are typically designed to correct behavior and ensure future compliance, criminal penalties serve a more punitive function, deterring serious breaches of the regulation. Member States must carefully consider how these two types of penalties interact and ensure that their legal frameworks are designed to prevent overlaps or gaps in enforcement.

For instance, in cases where a breach is subject to both administrative and criminal penalties, Member States need to ensure that the two processes complement rather than contradict each other. This might involve coordinating timelines, ensuring that the imposition of one type of penalty does not undermine the effectiveness of the other, and providing clear guidelines on how cases should be escalated from administrative to criminal enforcement.

Ensuring Effective Implementation

Ultimately, the provisions in Article 46 are designed to ensure that DORA is implemented effectively across the European Union, regardless of the specific legal and regulatory frameworks in place within each Member State. By allowing for flexibility in the choice between administrative and criminal penalties, while also mandating robust cooperation between competent authorities and judicial bodies, DORA aims to create a resilient and secure financial system capable of withstanding digital threats.

Conclusion

Article 46 of DORA emphasizes the critical role of Member States in determining the appropriate balance between administrative and criminal penalties for breaches of the regulation. It requires Member States to establish clear mechanisms for cooperation between competent authorities and judicial bodies, ensuring that breaches of DORA are addressed effectively, whether through administrative measures, criminal prosecution, or a combination of both.

DORA Compliance Framework