What does non-compliance with DORA actually cost?

A question that comes up often in our customer dialogues is not "what happens if we miss a requirement?" but rather "what actually triggers a supervisory review?" It is a more useful question, and it reveals something important: most organisations that come to us have already established that they are affected by DORA. What they want to understand is how to avoid drawing regulatory attention — and what happens if they do anyway.

This article covers what non-compliance with DORA actually costs, what triggers a review, and what it means for how a compliance programme needs to be structured.

The sanctions are significant — but that is not the whole picture

DORA gives supervisory authorities the power to impose administrative sanctions of up to one percent of global average daily turnover, calculated on the previous year. For financial entities of any meaningful size, that is a substantial figure. For critical ICT third-party providers designated as systemically important, sanctions can reach one percent of global turnover per day — for a period of up to six months.

But the sanction amount is rarely what concerns organisations most. It is the process that leads there.

What actually triggers a review

Supervisory authorities do not review at random. There are a number of concrete triggers:

Incidents reported late or incorrectly. DORA requires that major ICT incidents be reported within four hours of classification. A delayed or incomplete report is itself a breach — and one that immediately signals that the internal process is not functioning.

Gaps in the register of information. Supervisory authorities have access to the registers of information submitted by financial entities. Incomplete data, inconsistent classifications, or visibly outdated information are red flags.

Complaints and external signals. Complaints from customers, counterparties, or vendors can initiate a review. So can negative media coverage linked to an incident.

Sector-wide supervisory initiatives. The European Supervisory Authorities (EBA, ESMA, EIOPA) conduct thematic reviews across entire sectors. Being included in such a review is not necessarily a sign of suspicion — but it requires documentation to be in order.

The hidden cost: the process, not the fine

Organisations that go through a supervisory review consistently report that the direct cost of any fine is lower than the indirect cost of managing the process itself.

A review demands internal time from legal, compliance, IT, and senior management — often over an extended period. External consultants are brought in to compile documentation that should have been readily available. Management attention shifts from the business to the supervisory dialogue.

Then there is the reputational risk. DORA sanctions are public. A published sanction against a financial entity signals to customers, counterparties, and investors that operational governance has failed.

Misconception: the fine is the biggest risk. Reality: it is the review process and its consequences that cost the most.

What this means for system design

This is where the design of compliance support matters.

An organisation that relies on manual processes — spreadsheets, email chains, periodic reviews — has no realistic ability to meet DORA's requirements for continuous documentation and rapid reporting. That is not a resource problem. It is a structural one.

Supervisory authorities are not primarily looking for perfect compliance. They are looking for evidence of governance and control: that the organisation knows what it has, that it monitors it continuously, and that it can produce a traceable history when asked to do so.

That places specific demands on how a compliance system needs to be configured: automated update triggers tied to contract lifecycle events, role-based access, complete audit logs, and the ability to generate regulatory reports without manual data processing.

An organisation that can demonstrate this — regardless of whether an incident occurs — is in a fundamentally stronger position with its supervisory authority.

Hy5 and DORA compliance

Concerned about what a supervisory review would reveal about your current compliance process?

Hy5 automates ongoing DORA compliance for financial organisations — from the register of information and incident reporting to third-party monitoring and audit logs. Everything in one platform, without manual administration.

Book a demonstration of how Hy5 handles DORA compliance

Hy5 dramatically increases the speed and reliability of compliance work across the entire company.

See solutions for DORA Compliance