
The cost of regulatory non-compliance in EU financial services
Non-compliance with EU financial regulation carries fines, licence revocations, and operational restrictions that dwarf the cost of the compliance programme that would have prevented them. This article sets out the fine structures, enforcement trends, and reputational consequences that make regulatory intelligence a business-critical function.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified legal professional for advice specific to your situation.
Why the cost conversation matters now
EU financial regulators are not in a grace period. The volume of binding legislation that entered into force between 2023 and 2026 is unprecedented, and national competent authorities across the bloc are moving into active enforcement postures after multi-year implementation phases. DORA became fully applicable in January 2025. MiCA’s CASP regime applied from December 2024. The AI Act’s high-risk provisions apply from August 2026. AIFMD II transposition completed in April 2026.
For compliance teams and executives arguing internally for investment in regulatory monitoring and compliance infrastructure, the conversation often stalls on cost. The compliance programme costs money that is visible on a budget line. The cost of non-compliance is contingent, invisible until it materialises, and then catastrophic. This article makes the contingent cost concrete.
The relevant costs are not only fines. They include licence revocation, operational restrictions imposed during investigation, the cost of remediation programmes run under supervisory direction, reputational damage that reduces client acquisition and retention, and the personal liability exposure of senior individuals. A firm that has mapped only the headline fine structures has mapped a fraction of the actual exposure.
How EU financial enforcement works
EU financial regulation operates on a two-tier enforcement model. The substantive rules are set at the EU level, but enforcement is carried out by national competent authorities (NCAs) in each member state. This means that the same regulation can be enforced with very different levels of aggression depending on where a firm is authorised. The Central Bank of Ireland, the Autorité des marchés financiers (AMF) in France, the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) in Germany, and the Commissione Nazionale per le Società e la Borsa (CONSOB) in Italy have meaningfully different enforcement cultures and track records.
At the EU level, the European Supervisory Authorities, ESMA, EBA, and EIOPA, do not directly fine most financial firms. Their role is to develop technical standards, issue guidelines, conduct peer reviews of NCA enforcement, and in some cases take direct action against specific categories of firm. ESMA has direct supervisory authority over credit rating agencies, trade repositories, and certain benchmark administrators. Under DORA, the ESAs have direct oversight authority over designated critical ICT third-party providers regardless of their place of establishment.
The practical implication is that enforcement risk is not uniform across the EU. A firm authorised in a jurisdiction with an active enforcement culture faces materially higher enforcement risk for the same compliance gap than a firm in a jurisdiction with historically lighter touch supervision. This is one of the factors that should inform home member state selection, alongside processing speed and supervisory expertise.
The direction of travel is convergence upward. ESMA’s peer review programme systematically identifies member states where NCA enforcement is below the bloc-wide standard and creates pressure to raise it. The combination of harmonised rules and peer review pressure means that enforcement cultures that were historically light are being pushed toward the more active end of the spectrum.
Fine structures under the main EU financial regulations
MiFID II
Under MiFID II (Directive 2014/65/EU, as implemented in national law), the maximum administrative sanctions for legal persons are:
- For the most serious violations, the higher of EUR 5 million or 10 percent of total annual turnover
- For market manipulation and other serious market integrity offences, the higher of EUR 15 million or 15 percent of total annual turnover
These are maximum figures. NCAs have discretion in determining the actual sanction based on the seriousness of the infringement, the degree of responsibility, the financial strength of the firm, the benefit gained from the infringement, and the level of cooperation with the investigation.
MiFID II also permits sanctions against natural persons, including members of management bodies. The maximum fine for natural persons for the most serious offences is EUR 5 million. Disgorgement of profits derived from the infringement is available in addition to fines.
The categories of conduct that attract the highest MiFID II sanctions include: providing investment services without authorisation, serious failures in the conduct of business rules (suitability, conflicts of interest, best execution), and market manipulation.
DORA
DORA (Regulation (EU) 2022/2554) operates a two-tier penalty structure that is often mischaracterised in secondary sources. The two tiers apply to different categories of entity and it is important to keep them distinct.
Financial entities (banks, investment firms, CASPs, payment institutions, and all other Article 2 in-scope entities): DORA does not set a single EU-wide penalty cap for financial entities. Article 50 requires member states to implement national rules providing for penalties that are effective, proportionate, and dissuasive, but leaves the specific maxima to national law. Member states have implemented this with considerable variation. Turnover-based ceilings range from 5 percent (Spain) to 10 percent (Sweden) of the preceding year’s turnover. Absolute ceilings range from EUR 2 million (Czech Republic) to EUR 20 million (Italy). Several member states, including Germany and the Netherlands, differentiate between intentional and negligent breaches and reflect this in the calculation. Individual members of the management body face personal fines of up to EUR 1 million in most jurisdictions, though the precise cap varies by member state. In some jurisdictions, including Germany, the maximum individual fine is EUR 5 million.
Critical ICT third-party providers (CTPPs) designated under Article 31: This is the category to which the per-day penalty applies. The lead ESA overseeing a designated CTPP can impose periodic penalty payments of up to EUR 5 million or 1 percent of average daily worldwide turnover, per day of non-compliance, for up to six months. Critically, these penalties can be imposed regardless of where the CTPP is incorporated, including for non-EU providers. For a large cloud provider generating EUR 30 billion in annual revenue, 1 percent of daily turnover is approximately EUR 800,000 per day.
The practical significance of the two-tier structure is that financial entities face national-law penalties administered by their NCA, while the providers they depend on face direct ESA enforcement with a specific per-day penalty mechanism. A firm with inadequate third-party risk management therefore faces NCA enforcement on its own compliance, while its critical technology providers face separate ESA enforcement on theirs. Both can run simultaneously.
MiCA
MiCA (Regulation (EU) 2023/1114) establishes separate penalty frameworks for crypto-asset service providers and for issuers of asset-referenced tokens and e-money tokens.
For CASPs, the maximum administrative penalty is EUR 700,000 for natural persons and the higher of EUR 5 million or 3 percent of annual turnover for legal persons. For serious infringements, including providing CASP services without authorisation, the maximum fine rises to the higher of EUR 15 million or 15 percent of annual turnover.
For issuers of asset-referenced tokens, the maximum fine is the higher of EUR 5 million or 3 percent of annual turnover for most infringements, and the higher of EUR 12.5 million or 10 percent of annual turnover for the most serious violations.
MiCA also permits NCAs to impose temporary or permanent bans on operating as a CASP, which for a firm whose business model depends on that activity is a more severe consequence than any financial penalty.
GDPR and its intersection with financial regulation
Many EU financial regulation obligations generate personal data that is subject to the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679. Regulatory reporting obligations, KYC and AML processes, and client communication records all involve personal data. Non-compliance with GDPR in financial services contexts therefore generates dual exposure.
GDPR fines for the most serious violations are the higher of EUR 20 million or 4 percent of global annual turnover. The combination of GDPR and financial services enforcement actions has resulted in some of the largest regulatory penalties in EU history. The two enforcement regimes operate in parallel and can both apply to the same underlying conduct.
AML penalties
Anti-money laundering obligations under the successive AML directives (currently transitioning to the AML Regulation and the new AML Authority, AMLA) carry some of the highest financial penalties in EU financial regulation. Under the existing directive framework, maximum penalties for serious AML infringements reach the higher of EUR 5 million or 10 percent of total annual turnover. The new AML framework, which is being established through Regulation (EU) 2024/1624 and the AMLA Regulation, is expected to raise and harmonise penalty levels further.
AML failures have historically attracted both the largest fines and the most severe non-financial sanctions, including forced business sales, licence revocations, and senior management removals. The concentration of large AML enforcement actions in a small number of EU jurisdictions reflects divergent enforcement cultures, but the AMLA’s establishment as a direct supervisor of certain high-risk obliged entities will reduce that divergence over time.
Non-financial sanctions: the costs that are harder to quantify
Fines are the most visible component of enforcement outcomes, but for most firms, the non-financial consequences of regulatory action are more consequential.
Licence revocation and restriction
NCAs have the power to revoke authorisation entirely or to impose conditions or restrictions on a licence during an investigation or enforcement process. A firm that cannot operate while a regulatory process plays out faces revenue losses that may be multiples of any eventual fine. For firms where the regulated activity is the entire business model, a temporary operating restriction can be existential before a final decision is made.
MiCA, DORA, and MiFID II all provide explicitly for licence suspension or revocation as a sanction. NCAs in several member states have used licence revocation in recent enforcement actions, particularly in the payment services and crypto-asset spaces.
Remediation programmes
When a regulatory investigation results in a finding of systematic non-compliance, the firm is typically required to implement a remediation programme under supervisory direction. This means engaging external compliance consultants approved by the regulator, conducting gap analyses and root cause reviews, implementing new controls, and demonstrating improvement to the regulator’s satisfaction. The cost of these programmes is borne entirely by the firm and frequently exceeds the fine imposed in the same action.
Remediation programmes also impose substantial management time costs. Senior individuals who should be running the business spend months on regulatory remediation instead. The opportunity cost of this diversion is real and significant.
Senior management and individual liability
Most EU financial regulatory frameworks permit sanctions against natural persons, including members of the management body. Under MiFID II, MiCA, and DORA, senior individuals can be personally fined, prohibited from holding management roles in regulated firms, and publicly named in enforcement decisions.
Public naming of individuals in NCA enforcement decisions is standard practice in several EU jurisdictions. A senior executive who is named in an NCA enforcement notice faces career consequences that extend beyond the financial penalty. The effect on employment prospects in the regulated sector is significant and long-lasting.
Reputational damage
Financial firms operate on trust. An NCA enforcement action that becomes public, whether through mandatory disclosure, a press release from the authority, or media coverage, signals to existing and prospective clients that the firm has regulatory problems. The client response to that signal varies by firm type and client sophistication, but the research on reputational damage in financial services is consistent: firms that face public enforcement action experience elevated client attrition and reduced new business conversion in the period following the action.
For firms competing on trust credentials, including custody, fund administration, and compliance-adjacent services, the reputational cost of an enforcement action can exceed the financial penalty by an order of magnitude.
Enforcement trends: what is attracting regulatory attention in 2026
DORA third-party risk
Third-party ICT risk under DORA is the area attracting the most active supervisory attention in 2026. NCAs are reviewing the adequacy of firms’ third-party registers, the sufficiency of contractual provisions with ICT providers, and the robustness of exit plans. Firms that built their outsourcing and vendor management frameworks before DORA applied and have not yet updated them are the primary enforcement target in this area.
The concentration risk provisions of DORA are also being examined, particularly for firms with heavy reliance on a small number of cloud service providers. Supervisors have noted publicly that the depth of financial sector dependence on a handful of hyperscale cloud providers creates systemic exposure that individual firm-level compliance does not address.
MiCA authorisation backlogs and enforcement
The transition from national crypto-asset regimes to the unified MiCA framework has created enforcement complexity. CASPs operating under transitional provisions that expire on 1 July 2026 are in scope for enforcement action after that date if they have not obtained MiCA authorisation. NCAs in member states with large numbers of transitional period applicants are under pressure to process applications, but the hard deadline creates enforcement risk for firms that have not submitted complete applications in time to be processed.
Non-EU CASPs that never held authorisation under a pre-MiCA national regime and have been providing services to EU clients without MiCA authorisation are in the clearest enforcement position: they are operating in violation of MiCA with no transitional protection. ESMA has communicated that NCAs should treat unlicensed CASP activity as an enforcement priority.
AI Act readiness
The August 2026 deadline for high-risk AI system obligations is creating examination pressure from supervisors who are asking financial firms how they have assessed their AI systems against the AI Act’s high-risk classification criteria. Firms that have not conducted that assessment, or whose assessment is superficial, are creating risk of being found in violation of obligations that applied from the general AI Act application date of August 2024 (for prohibited practices) and August 2026 (for high-risk systems).
For a full account of how the AI Act applies to financial services, see the AI Act and financial services: what banks and fintechs need to know.
ESG disclosure and SFDR
Enforcement of SFDR, the Sustainable Finance Disclosure Regulation (Regulation (EU) 2019/2088), has increased substantially following ESMA’s publication of guidelines on fund naming and the increased attention on greenwashing as a supervisory priority across multiple EU jurisdictions. Fund managers with Article 8 or Article 9 designations that are not supported by the investment policies and disclosures required by the SFDR RTS are in an increasingly exposed position.
Building the business case for regulatory investment
The cost comparison that compliance teams and executives need to make explicit is not “what does compliance infrastructure cost” versus “what might a fine cost.” It is the total expected cost of non-compliance, including the probability-weighted financial penalties, the estimated cost of remediation under supervisory direction, the revenue impact of licence restriction or reputational damage, and the individual liability exposure of senior management, compared against the annual cost of a compliance programme that addresses the most material risk areas.
When the cost of non-compliance is presented in these terms, the investment case for adequate regulatory monitoring and compliance infrastructure typically becomes clear. The problem is that the cost comparison is rarely made explicit, because the cost of non-compliance is contingent and the cost of the compliance programme is certain. The mental accounting effect that makes people underweight contingent costs is well-documented. The enforcement trends described above are designed to make the contingent cost more salient.
For organisations with limited compliance team capacity, the question is not whether to invest in regulatory monitoring but where to direct that investment to address the areas of highest enforcement risk. Horizon scanning, as distinct from point-in-time compliance assessment, is what enables that prioritisation. A compliance team that knows what is coming has more options than one that is responding to what has already happened.
For an account of how regulatory horizon scanning works in practice and why most available tools do not serve it well, see what is regulatory horizon scanning and why compliance teams need it.
Frequently asked questions
What are the largest fines available under EU financial regulation?
The highest maximum fines in EU financial regulation are under GDPR (EUR 20 million or 4 percent of global annual turnover), AML regulations (EUR 5 million or 10 percent of total annual turnover, with the new AML framework expected to raise these levels), and MiFID II for market integrity offences (EUR 15 million or 15 percent of total annual turnover). MiCA’s most serious violations carry fines of up to EUR 15 million or 15 percent of annual turnover. These are maxima; actual sanctions depend on the specific facts of each case.
Can individuals be fined for regulatory breaches in EU financial services?
Yes. Most EU financial regulatory frameworks permit sanctions against natural persons, including members of management bodies. Under MiFID II, MiCA, and DORA, senior individuals can be personally fined and prohibited from holding management roles in regulated firms. Several EU NCAs routinely name individuals in public enforcement decisions.
Is enforcement risk the same across all EU member states?
No. Enforcement cultures vary significantly across EU member states. However, ESMA’s peer review programme creates systematic pressure on NCAs to raise enforcement standards toward the bloc-wide norm. The direction of travel is convergence upward. The establishment of AMLA as a direct supervisor of certain high-risk AML obliged entities will also reduce divergence in AML enforcement.
What non-financial sanctions can EU financial regulators impose?
NCAs can impose licence conditions, operating restrictions, licence suspension, and licence revocation. They can require firms to implement remediation programmes at the firm’s own cost. They can prohibit individuals from holding senior management positions. They can require disgorgement of profits from infringements. They can make enforcement decisions public, with the consequent reputational impact.
Which areas are attracting the most enforcement attention in 2026?
The areas generating the most supervisory attention in 2026 are DORA third-party risk management, MiCA authorisation and the end of transitional provisions, AI Act high-risk system assessment ahead of August 2026, and SFDR disclosure and fund classification. AML enforcement continues at a sustained level across the bloc.
Forseti monitors EU financial regulatory enforcement developments, supervisory guidance, and upcoming deadline risk continuously, so your compliance programme addresses current priorities rather than last year’s reading. Start for free.
Subscribe for news updates.
The EU Deforestation Regulation covers timber and a wide range of wood-derived products. For exporters in Southeast Asia, Brazil, and other major producing regions, compliance requires plot-level traceability and deforestation verification that most supply chains were not designed to provide. This article explains what is required and where the practical difficulties lie.