DORA is enforced by designated regulators in each EU member state, known as competent authorities. These competent authorities can request that financial organisations implement specific security measures and remediate vulnerabilities. Meanwhile, EU member states can impose penalties on organisations that fail to comply. The nature of these penalties is decided by each member state.

ICT service providers classified as critical by the European Commission are directly supervised by the European Supervisory Authorities (ESAs), which have similar powers to competent authorities (i.e., requesting the implementation of security measures and the remediation of vulnerabilities). ESAs also have the power to fine non-compliant ICT service providers up to 1% of their average daily worldwide turnover.

DORA - The Digital Operational Resilience Act

Published on 5 Jun 2025

URM’s blog discusses the EU’s Digital Operational Resilience Act (DORA), explaining who it will apply to, its requirements, how it will be enforced, and more.
