Enforcement

At a glance

  • The ICO upholds information rights in the public interest.
  • The ICO aims to help you comply with the law and promote good practice by offering advice and guidance.
  • The ICO can take action if you breach the eIDAS Regulation, including the power to impose fines of up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher.

In brief

There are a number of tools available to the ICO for taking action to enforce eIDAS, which are set out in the UK eIDAS Regulations and the Data Protection Act 2018. They include non-criminal enforcement, information gathering powers and audit. The ICO also has the power to serve a monetary penalty notice imposing a fine of:

  • £1000 for contravention of your obligations under eIDAS; or
  • up to £17.5 million, or 4% of your total worldwide annual turnover, whichever is higher, where you fail to comply with an enforcement notice, assessment notice, interview notice or information notice.

The ICO may take enforcement action during the course of its supervisory responsibilities in respect of qualified trust services or in instances where there is evidence that any trust service provider based in the UK has not complied with the regulations.

These powers are not mutually exclusive. The ICO will use them in combination where justified by the circumstances. The ICO can:

  • conduct an audit to check you are complying with your obligations as a trust service provider, and make recommendations;
  • issue an Interview Notice requiring you to attend at a specified place and answer questions relevant to its investigation;
  • serve an Enforcement Notice if there has been a breach, requiring an organisation to take specified steps to comply with the law; and
  • issue a Monetary Penalty Notice.

For more information, see the ICO’s regulatory action policy.