Article 54, Publication Of Administrative Penalties, Digital Operational Resilience Act (DORA)

Overview

1. Competent authorities shall publish on their official websites, without undue delay, any decision imposing an administrative penalty against which there is no appeal after the addressee of the penalty has been notified of that decision. 

2. The publication referred to in paragraph 1 shall include information on the type and nature of the breach, the identity of the persons responsible and the penalties imposed.

3. Where the competent authority, following a case-by-case assessment, considers that the publication of the identity, in the case of legal persons, or of the identity and personal data, in the case of natural persons, would be disproportionate, including risks in relation to the protection of personal data, jeopardise the stability of financial markets or the pursuit of an ongoing criminal investigation, or cause, insofar as these can be determined, disproportionate damages to the person involved, it shall adopt one of the following solutions in respect of the decision imposing an administrative penalty:

(a) defer its publication until all reasons for non-publication cease to exist;

(b) publish it on an anonymous basis, in accordance with national law; or

(c) refrain from publishing it, where the options set out in points (a) and (b) are deemed either insufficient to guarantee a lack of any danger for the stability of financial markets, or where such a publication would not be proportionate to the leniency of the imposed penalty.

4. In the case of a decision to publish an administrative penalty on an anonymous basis in accordance with paragraph 3, point (b), the publication of the relevant data may be postponed.

5. Where a competent authority publishes a decision imposing an administrative penalty against which there is an appeal before the relevant judicial authorities, competent authorities shall immediately add on their official website that information and, at later stages, any subsequent related information on the outcome of such appeal. Any judicial decision annulling a decision imposing an administrative penalty shall also be published.

6. Competent authorities shall ensure that any publication referred to in paragraphs 1 to 4 shall remain on their official website only for the period which is necessary to bring forth this Article. This period shall not exceed five years after its publication.

Summary Of Article 54

Article 54 of the Digital Operational Resilience Act (DORA) establishes rules for the publication of administrative penalties imposed by competent authorities. Once a penalty decision is final and not subject to appeal, it must be published promptly on the authority's official website, including details about the breach, the responsible individuals or entities, and the penalties.

If publication could risk personal data protection, financial market stability, or affect ongoing investigations, the authority may delay, publish anonymously, or avoid publication. In cases of anonymous publication, it may be postponed until it’s safe to release.

If the decision is appealed, authorities must update their website with the appeal’s progress and final outcome. Judicial decisions annulling penalties must also be published.

The published penalty information must remain on the website for no longer than necessary, with a maximum retention period of five years. This ensures transparency and accountability while safeguarding privacy, personal data, and market stability. Article 54 emphasizes the balance between public disclosure and the protection of individuals’ rights and the stability of financial markets.