# Sanctions & Liability

## Sanctions Regime
DORA (Art. 50–52) and FinmadiG provide for a graduated sanctions regime. DORA delegates the determination of specific sanction amounts to Member States – the following figures refer to the German implementation (FinmadiG).
### Against Financial Entities (Art. 50–52 DORA, FinmadiG)
| Sanction | Details |
|---|---|
| Fines | Effective, proportionate and dissuasive (Art. 50(3) DORA); specific amounts per FinmadiG |
| Periodic penalty payments | Up to EUR 2.5 million (FinmadiG) |
| Appointment of special commissioner | BaFin may appoint a special commissioner |
| Business restrictions | Restriction or prohibition of business activities |
| Contract termination requirement | BaFin may require termination of service provider relationships |
| Personal liability | Management personally liable for material deficiencies |
| Removal from office | Removal of management members possible |
### Against Critical ICT Third-Party Service Providers (CTPPs, Art. 35(8) DORA)
| Sanction | Details |
|---|---|
| Periodic penalty payments | Up to 1% of average global daily turnover – per day (Art. 35(8)) |
| Lead Overseer recommendations | Binding requests for action |
| Public disclosure | Publication of violations |
| Last resort | Financial entities may be required to cease use |
### Against ICT Service Providers (non-CTPP)
Non-critical ICT service providers like BAUER GROUP are not subject to direct DORA sanctions. The consequences are indirect:
| Risk | Impact |
|---|---|
| Contract termination | Financial entities may, and in some cases must, terminate contracts |
| Exclusion | Financial entities may not enter contracts with non-compliant providers (Art. 28(5)) |
| Reputational damage | Audit findings become known to the market |
| Liability | Civil damages claims for breach of duty |
## Practical Liability Scenarios for BAUER GROUP
| Scenario | Consequence | Prevention |
|---|---|---|
| Incident not reported to client within 1h | Client cannot meet DORA reporting deadline (4h) → fine | Automated incident pipeline |
| No audit access granted | Breach of contract → termination + damages | Ensure audit readiness |
| Subcontracting without approval | Violation of Art. 30, RTS 2025/532 → contractual penalty | Implement approval process |
| Data loss without exit strategy | Client cannot migrate → damages | Document exit strategy |
| Missing certification evidence | Client loses compliance → both affected | Maintain annual certification |