Article 48 Digital Operational Resilience Act (DORA), Publication Of Administrative Penalties
Under Article 48 of the Digital Operational Resilience Act (DORA), competent authorities are required to publish any decision imposing an administrative penalty on their official websites without undue delay. This publication must occur once the addressee of the sanction has been notified and when there is no possibility of appeal. The goal is to ensure transparency and public awareness of regulatory enforcement actions.
Details Included in the Publication
The information published by the competent authority must be comprehensive, providing the public with a clear understanding of the breach and the enforcement actions taken. Specifically, the publication should include:
- Type and Nature of the Breach: This refers to the specific violation of DORA that led to the imposition of the penalty, allowing the public to understand the nature of the non-compliance.
- Identity of Responsible Persons: The names or identities of the individuals or legal entities responsible for the breach must be disclosed, providing accountability and deterrence against future breaches.
- Penalties Imposed: Details of the penalties imposed, such as fines or remedial actions, must be included in the publication, ensuring that the public is aware of the consequences faced by the responsible parties.
Considerations For Non-Publication or Anonymization
In certain circumstances, the competent authority may decide not to fully disclose the identities involved or may delay publication. Such decisions are made following a careful, case-by-case assessment. The reasons for limiting or deferring publication include:
- Disproportionate Impact: If revealing the identity of the responsible party (particularly in cases involving natural persons) is deemed disproportionate or if it might cause undue harm to the individual, the authority may opt to protect the identity.
- Financial Market Stability: If the publication of the breach and penalty could destabilize financial markets, the competent authority might delay or anonymize the publication.
- Ongoing Criminal Investigations: If the publication could interfere with ongoing criminal investigations, authorities may choose to delay or anonymize the details to avoid jeopardizing the investigation.
- Damage to the Person Involved: If the publication might result in disproportionate damage to the individual or entity involved, the authority may decide to take protective measures.
Given these considerations, the competent authority has three options:
- Deferred Publication: The publication may be deferred until the reasons for non-publication no longer exist.
- Anonymous Publication: The information can be published anonymously, in accordance with national laws, to protect the identities involved.
- Non-Publication: In cases where deferred or anonymous publication is insufficient to protect financial market stability or would not be proportional to the leniency of the sanction, the authority may choose not to publish the information at all.
Postponement of Anonymous Publication
When a decision is made to publish the penalty on an anonymous basis, the authority may also postpone the publication of relevant data. This postponement allows the authority to manage the timing of disclosure carefully, ensuring that the publication does not compromise any sensitive circumstances.
Handling Appeals and Judicial Decisions
If an administrative penalty is published and an appeal is lodged with the relevant judicial authorities, the competent authority must immediately update the information on their official website to reflect this. The website must also be updated with any subsequent information regarding the outcome of the appeal. Should a judicial authority annul the decision to impose a penalty, this annulment must be published as well, ensuring that the public record accurately reflects the current status of the enforcement action.
Duration of Publication
Competent authorities are required to ensure that any publication regarding administrative penalties remains on their official websites for a minimum of five years. This extended publication period helps maintain public awareness and serves as a deterrent against non-compliance. However, any personal data included in the publication is to be retained only for as long as necessary, in accordance with applicable data protection regulations. This balance between transparency and data protection ensures that the rights of individuals are respected while still upholding regulatory integrity.
Conclusion
Article 48 of DORA establishes a clear framework for the publication of administrative penalties, emphasizing transparency, public accountability, and the protection of sensitive information. The provisions ensure that the public is informed of regulatory actions while also safeguarding individuals and the stability of financial markets where necessary.