DORA Proportionality & Simplified Framework

Simplified ICT risk management framework for microenterprises. Who qualifies? What is different?

DORA Proportionality: A Risk-Based Approach

DORA (EU Regulation 2022/2554) recognises that a one-size-fits-all approach to digital operational resilience is neither practical nor appropriate. The regulation embeds the principle of proportionality throughout, allowing requirements to be applied in a manner that is proportionate to the size, business profile, nature, scale, and complexity of the financial entity's services, activities, and operations.

Most significantly, Art. 16 establishes a simplified ICT risk management framework for qualifying entities. This is a substantial concession that materially reduces the compliance burden for smaller financial entities.

Who Qualifies for the Simplified Framework?

Art. 16(1) specifies the entity types that may apply the simplified framework. These are entities that fall below defined thresholds of size, interconnectedness, or systemic importance:

  • Small and non-interconnected investment firms as defined in Art. 12(1) of Regulation (EU) 2019/2033
  • Payment institutions exempted under Directive (EU) 2015/2366
  • Institutions exempted under Directive 2013/36/EU (CRD exemptions for certain small credit institutions)
  • Electronic money institutions exempted under Directive 2009/110/EC
  • Small institutions for occupational retirement provision (IORPs) below defined thresholds

The qualification is determined by entity type and regulatory status, not by a simple size threshold. If you are unsure whether your entity qualifies, consult your competent authority or legal advisor. The determination must be documented.

What Is Different Under the Simplified Framework

The simplified framework (Art. 16) replaces the full requirements of Art. 5-15 with a streamlined set of obligations. While the lifecycle approach (identify, protect, detect, respond, recover) remains the same, the documentation, governance, and process requirements are reduced:

Governance (Simplified)

Qualifying entities must still designate a person or function responsible for ICT risk management, but the formal three-lines-of-defence model with independent control and audit functions is not required. The management body retains responsibility for defining and implementing the ICT risk management framework.

ICT Risk Management (Simplified)

Under Art. 16(2), qualifying entities must maintain an ICT risk management framework that is sound and documented but may be simpler in structure. The framework must still cover:

  • ICT systems, protocols, and tools that are appropriate, reliable, and have sufficient capacity
  • Identification and documentation of ICT-supported business functions and ICT assets
  • Mechanisms for detecting and responding to ICT-related incidents
  • Key elements of ICT business continuity planning
  • Regular testing, proportionate to the entity's risk profile
  • ICT security awareness and training for staff

Resilience Testing (Simplified)

Entities under the simplified framework are exempt from the full resilience testing programme under Art. 24-25 and entirely exempt from TLPT requirements (Art. 26-27). However, they must still conduct basic security assessments and testing proportionate to their risk profile. The frequency and depth of testing can be adjusted to the entity's size and complexity.

Full Framework vs. Simplified Framework

Requirement | Full Framework (Art. 5-15) | Simplified (Art. 16)
--- | --- | ---
ICT risk framework | Comprehensive, with digital resilience strategy | Sound and documented, reduced complexity
Governance / Three lines | Independent ICT control function + ICT audit | Designated responsible person/function
Management body training | Mandatory, regular | Required, proportionate
Asset inventory | Full inventory with dependency mapping | Documentation of key ICT assets
Business continuity | Full BIA, response/recovery plans, regular testing | Key continuity elements, proportionate testing
Resilience testing | Full programme (Art. 25) + TLPT if designated | Basic assessments, proportionate to risk
TLPT | If designated by authority, every 3 years | Not applicable
Incident reporting | Full regime (Art. 17-23) | Full regime (Art. 17-23) - NO exemption
Third-party risk | Full regime (Art. 28-44) | Full regime (Art. 28-44) - NO exemption
Annual framework review | Mandatory | Periodic, proportionate

Important: What Is NOT Simplified

It is critical to understand that the simplified framework only reduces requirements for Pillar 1 (ICT risk management) and Pillar 3 (resilience testing). The following obligations apply in full, regardless of whether the entity uses the simplified framework:

  • Incident reporting (Art. 17-23): All classification, reporting, and notification requirements apply unchanged. The 4h/72h/30d deadlines are the same. See our Incident Reporting guide.
  • Third-party risk (Art. 28-44): The information register, contractual requirements, concentration risk assessment, and exit strategies all apply in full. See our Third-Party Risk page.
  • Information sharing (Art. 45): Voluntary participation in information sharing arrangements is equally available to simplified-framework entities.

This means even small entities must invest in incident reporting processes, the information register, and third-party contract review. The simplified framework does not exempt entities from the most operationally demanding aspects of DORA.

Proportionality Beyond the Simplified Framework

Even for entities that do not qualify for the Art. 16 simplified framework, proportionality is embedded throughout DORA. Recital 4 and Art. 4 establish that all requirements must be applied proportionate to the entity's size, overall risk profile, and the nature, scale, and complexity of its services, activities, and operations.

In practice, this means:

  • A small payment institution does not need the same depth of BIA as a globally systemically important bank
  • The testing programme can be scaled to the entity's risk profile; not every test type needs to be conducted every year
  • Documentation can be proportionate: comprehensive for critical areas, lighter for lower-risk areas
  • The ICT risk strategy can be simpler for entities with less complex ICT landscapes

When applying proportionality, document your rationale. If a supervisor questions why certain requirements were implemented with reduced intensity, you need evidence that the decision was risk-based, not arbitrary.

Practical Recommendations

  • Assess your qualification: Check whether your entity type is listed in Art. 16(1). Document the assessment.
  • Do not over-interpret proportionality: Proportionality means scaled requirements, not optional requirements. All five pillars must still be addressed.
  • Focus on incident reporting and third-party risk: These apply in full to all entities and are often the most resource-intensive. Allocate budget accordingly.
  • Use a GRC tool even for simplified compliance: The information register alone justifies tooling investment. Managing it in spreadsheets is error-prone and creates audit risk.

For cost estimates tailored to smaller entities, see our DORA Costs and Timeline page. For a step-by-step compliance guide, see our DORA Checklist.

Unsure whether you qualify for the simplified framework?

We help you determine your DORA scope and apply proportionality correctly. Get clarity on what applies to your entity and what does not, so you can focus resources where they matter.
