Article 51, Exercise Of The Power To Impose Administrative Penalties And Remedial Measures, Digital Operational Resilience Act (DORA)

Overview

1. Competent authorities shall exercise the powers to impose administrative penalties and remedial measures referred to in Article 50 in accordance with their national legal frameworks, where appropriate, as follows:

(a) directly;

(b) in collaboration with other authorities;

(c) under their responsibility by delegation to other authorities; or

(d) by application to the competent judicial authorities.

2. Competent authorities, when determining the type and level of an administrative penalty or remedial measure to be imposed under Article 50, shall take into account the extent to which the breach is intentional or results from negligence, and all other relevant circumstances, including the following, where appropriate:

(a) the materiality, gravity and the duration of the breach;

(b) the degree of responsibility of the natural or legal person responsible for the breach;

(c) the financial strength of the responsible natural or legal person;

(d) the importance of profits gained or losses avoided by the responsible natural or legal person, insofar as they can be determined;

(e) the losses for third parties caused by the breach, insofar as they can be determined;

(f) the level of cooperation of the responsible natural or legal person with the competent authority, without prejudice to the need to ensure disgorgement of profits gained or losses avoided by that natural or legal person;

(g) previous breaches by the responsible natural or legal person.

Summary Of Article 51

Article 51 of the Digital Operational Resilience Act (DORA) outlines how competent authorities must exercise their powers to impose administrative penalties and remedial measures. These powers can be exercised in various ways, such as directly by the authorities, in collaboration with other authorities, through delegation, or by application to judicial authorities. When determining the type and severity of penalties or remedial actions, authorities are required to consider several factors. These include whether the breach was intentional or due to negligence, the gravity, duration, and materiality of the breach, and the level of responsibility of the entity or individual at fault. Other relevant considerations include the financial strength of the responsible party, the extent of profits gained or losses avoided, and the impact on third parties. 

The degree of cooperation with the authorities and any previous breaches by the responsible party are also taken into account. This ensures that penalties are proportionate to the breach and that they account for both the severity of the action and the circumstances surrounding it. The goal is to create an effective deterrent while ensuring fair enforcement of DORA's operational resilience regulations.