FAQ item index

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
How does proportionality work under EU DORA?

Who can use DORA's simplified ICT risk management framework?

DORA Article 16 replaces Articles 5 to 15 with a simplified ICT risk management framework for specified categories: small and non-interconnected investment firms, exempted payment institutions, specified exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision.

The simplified framework is still a real framework. These entities must maintain documented ICT risk management, monitor ICT systems, protect availability, authenticity, integrity, and confidentiality of data, detect and handle ICT incidents, identify key ICT third-party dependencies, ensure continuity of critical or important functions, regularly test continuity measures and controls, and feed test and incident lessons back into ICT risk assessment.

  • Use Article 16 only when the entity fits one of the listed categories; do not apply it merely because the entity is small or resource-constrained.
  • Keep one clear evidence file showing the Article 16 basis, the simplified ICT framework, the information security policy required by Delegated Regulation (EU) 2024/1774, and the periodic review report content where requested.
  • For microenterprises, do not assume there is no testing duty: DORA Article 25 still requires ICT testing using a risk-based approach balanced against resources, urgency, type of risk, criticality of information assets, and services provided.
  • When the entity relies on ICT third-party services, keep the register and contract evidence proportionate to the criticality or importance of the service, dependency complexity, and potential impact on continuity and availability.
Citations
Regulation (EU) 2022/2554 (DORA)

Article 16 lists the entities subject to the simplified ICT risk management framework and preserves core ICT risk, continuity, dependency, and testing obligations.

What evidence supports a defensible DORA proportionality decision?

A defensible proportionality decision connects the scaled measure to the risk facts DORA names. The evidence should show why the selected control, test, policy, supplier-monitoring depth, or remediation timetable is adequate for the entity's size, risk profile, services, activities, operations, and ICT dependencies.

Delegated Regulation (EU) 2024/1774 gives useful evidence categories: the context of the entity's services and operations, identified critical functions, major projects or activities, relationships, dependence on in-house and outsourced ICT services and systems, the effect of severe degradation or loss, current and near-term ICT risk, threat landscape, control effectiveness, and security posture.

  • Entity and scope evidence: legal entity, DORA Article 2 category, any exclusion considered, and any Article 16 simplified-framework basis.
  • Risk profile evidence: ICT-supported critical or important functions, information and ICT asset classification, business impact analysis, current and near-term ICT risks, threat landscape, incident history, and testing findings.
  • Scaling evidence: what was made lighter or heavier, why the change remains adequate, who approved it, and what supervisory instruction, audit finding, incident, test, or supplier change would trigger review.
  • Third-party evidence: register entries, critical or important function classification, contract clauses, service-level monitoring, exit or continuity evidence, and a record that outsourcing does not transfer the financial entity's DORA responsibility.
  • Testing evidence: the risk basis for test type, frequency, scope, independence, remediation priorities, and any TLPT authority determination or attestation where advanced testing applies.
What cannot be waived by calling it proportional under DORA?

Proportionality does not erase DORA's core control points. It cannot be used to avoid having an ICT risk management framework, to ignore major ICT-related incidents, to skip required reporting, to transfer responsibility to a supplier, or to decline TLPT after the relevant authority identifies the entity as required to perform it.

It also cannot replace supervisory judgment. DORA says competent authorities consider how financial entities apply proportionality when reviewing ICT risk management framework reports submitted under Articles 6(5) and 16(2). For TLPT, competent authorities identify the financial entities required to perform advanced testing based on impact-related factors, financial stability concerns, and ICT risk profile, maturity, or technology features.

  • In-scope financial entities remain responsible for DORA compliance even when ICT services are outsourced or a third party assists with incident reporting.
  • Major ICT-related incidents must be reported to the relevant competent authority through the required notification and report sequence; proportionality does not turn mandatory reporting into an optional escalation.
  • ICT third-party risk remains part of the financial entity's own ICT risk management framework, including the register of information and contract evidence for ICT services.
  • TLPT is not self-selected by preference: DORA requires competent authorities to identify entities required to perform TLPT, and the TLPT RTS adds criteria and process requirements for scope, providers, risk management, findings, remediation, and attestation.
  • Simplified-framework entities and microenterprises receive lighter or different obligations in defined places, but they still need evidence that the lighter approach matches their ICT risk profile and does not leave critical or important functions unmanaged.
Citations
Regulation (EU) 2022/2554 (DORA)

Articles 17, 19, 26, and 28 show non-waivable incident, TLPT, and ICT third-party responsibility points despite proportional application.
