At a glance

  • The ICO upholds information rights in the public interest.
  • We aim to help you comply with the law and promote good practice by offering advice and guidance.
  • We can take action if you breach the eIDAS Regulation, including the power to impose fines of £1,000.

In brief

There are a number of tools available to the ICO for taking action to enforce eIDAS, set out in the UK eIDAS Regulations. They include non-criminal enforcement and audit. The Information Commissioner also has the power to serve a monetary penalty notice imposing a fine of £1,000.

These powers are not mutually exclusive. We will use them in combination where justified by the circumstances. We can:

  • conduct an audit to check you are complying with your obligations as a trust service provider, and make recommendations;
  • serve an Enforcement Notice if there has been a breach, requiring an organisation to take specified steps to comply with the law;
  • issue a Monetary Penalty Notice requiring you to pay £1,000;
  • prosecute you if you fail to comply with an Enforcement Notice (except in Scotland, where the Procurator Fiscal brings prosecutions); and
  • report to Parliament on issues of concern.

If you fail to comply with an ICO enforcement notice, assessment notice (for a compulsory audit) or information notice (requiring you to provide us with information for our investigation), we also have the power to impose more substantial fines of up to €20 million, or 4% of your total worldwide annual turnover, whichever is higher.