FAQEU DORA

EU DORA Proportionality FAQ

DORA proportionality lets financial entities calibrate ICT risk management, testing, incident handling, and third-party oversight to their size, risk profile, and business complexity. It is not a blanket exemption.

Use this FAQ to separate scalable controls from mandatory DORA duties, including simplified-framework entities, microenterprises, management-body accountability, ICT incident reporting, and TLPT selection.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

DORA uses proportionality to calibrate how in-scope financial entities implement digital operational resilience duties. The practical question is not whether DORA can be ignored, but how the entity's size, overall ICT risk profile, services, activities, operations, and dependencies justify the chosen level of governance, controls, testing, incident process, and supplier oversight.

Search this module

Find a question or answer quickly

4 of 4 questions
Question 1

What does proportionality mean under EU DORA?

DORA Article 4 says financial entities must implement ICT risk management rules proportionately, taking into account their size and overall risk profile and the nature, scale, and complexity of their services, activities, and operations. The same proportionality lens also applies to ICT-related incident management, digital operational resilience testing, and ICT third-party risk management where the relevant chapters provide for it.

That means a smaller, lower-complexity entity can justify simpler governance, fewer layers of documentation, narrower testing depth, or less complex supplier oversight than a large systemic entity. The justification must still be tied to real ICT risk facts, not to a preference for lighter compliance.

  • Start with DORA scope: confirm the entity is a financial entity or ICT third-party service provider covered by Article 2, and check whether any Article 2 exclusion applies.
  • For an in-scope financial entity, record the proportionality factors: size, overall ICT risk profile, nature of services, scale of operations, complexity, critical or important functions, outsourced ICT services, and exposure to disruption.
  • Map what is being scaled: governance detail, control depth, documentation, testing frequency, remediation sequencing, supplier monitoring, or evidence retained for supervisory review.
  • Do not treat proportionality as a waiver of the core obligation to manage ICT risk, handle incidents, report major ICT-related incidents, maintain required third-party records, or meet TLPT requirements when identified by the competent authority.
Citations
Question 2

Who can use DORA's simplified ICT risk management framework?

DORA Article 16 replaces Articles 5 to 15 with a simplified ICT risk management framework for specified categories: small and non-interconnected investment firms, exempted payment institutions, specified exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision.

The simplified framework is still a real framework. These entities must maintain documented ICT risk management, monitor ICT systems, protect availability, authenticity, integrity, and confidentiality of data, detect and handle ICT incidents, identify key ICT third-party dependencies, ensure continuity of critical or important functions, regularly test continuity measures and controls, and feed test and incident lessons back into ICT risk assessment.

  • Use Article 16 only when the entity fits one of the listed categories; do not apply it merely because the entity is small or resource-constrained.
  • Keep one clear evidence file showing the Article 16 basis, the simplified ICT framework, the information security policy required by Delegated Regulation (EU) 2024/1774, and the periodic review report content where requested.
  • For microenterprises, do not assume there is no testing duty: DORA Article 25 still requires ICT testing using a risk-based approach balanced against resources, urgency, type of risk, criticality of information assets, and services provided.
  • When the entity relies on ICT third-party services, keep the register and contract evidence proportionate to the criticality or importance of the service, dependency complexity, and potential impact on continuity and availability.
Citations
Regulation (EU) 2022/2554 (DORA)

Article 16 lists the entities subject to the simplified ICT risk management framework and preserves core ICT risk, continuity, dependency, and testing obligations.

Question 3

What evidence supports a defensible DORA proportionality decision?

A defensible proportionality decision connects the scaled measure to the risk facts DORA names. The evidence should show why the selected control, test, policy, supplier-monitoring depth, or remediation timetable is adequate for the entity's size, risk profile, services, activities, operations, and ICT dependencies.

Delegated Regulation (EU) 2024/1774 gives useful evidence categories: the context of the entity's services and operations, identified critical functions, major projects or activities, relationships, dependence on in-house and outsourced ICT services and systems, the effect of severe degradation or loss, current and near-term ICT risk, threat landscape, control effectiveness, and security posture.

  • Entity and scope evidence: legal entity, DORA Article 2 category, any exclusion considered, and any Article 16 simplified-framework basis.
  • Risk profile evidence: ICT-supported critical or important functions, information and ICT asset classification, business impact analysis, current and near-term ICT risks, threat landscape, incident history, and testing findings.
  • Scaling evidence: what was made lighter or heavier, why the change remains adequate, who approved it, and what supervisory instruction, audit finding, incident, test, or supplier change would trigger review.
  • Third-party evidence: register entries, critical or important function classification, contract clauses, service-level monitoring, exit or continuity evidence, and a record that outsourcing does not transfer the financial entity's DORA responsibility.
  • Testing evidence: the risk basis for test type, frequency, scope, independence, remediation priorities, and any TLPT authority determination or attestation where advanced testing applies.
Citations
Question 4

What cannot be waived by calling it proportional under DORA?

Proportionality does not erase DORA's core control points. It cannot be used to avoid having an ICT risk management framework, to ignore major ICT-related incidents, to skip required reporting, to transfer responsibility to a supplier, or to decline TLPT after the relevant authority identifies the entity as required to perform it.

It also cannot replace supervisory judgment. DORA says competent authorities consider how financial entities apply proportionality when reviewing ICT risk management framework reports submitted under Articles 6(5) and 16(2). For TLPT, competent authorities identify the financial entities required to perform advanced testing based on impact-related factors, financial stability concerns, and ICT risk profile, maturity, or technology features.

  • In-scope financial entities remain responsible for DORA compliance even when ICT services are outsourced or a third party assists with incident reporting.
  • Major ICT-related incidents must be reported to the relevant competent authority through the required notification and report sequence; proportionality does not turn mandatory reporting into an optional escalation.
  • ICT third-party risk remains part of the financial entity's own ICT risk management framework, including the register of information and contract evidence for ICT services.
  • TLPT is not self-selected by preference: DORA requires competent authorities to identify entities required to perform TLPT, and the TLPT RTS adds criteria and process requirements for scope, providers, risk management, findings, remediation, and attestation.
  • Simplified-framework entities and microenterprises receive lighter or different obligations in defined places, but they still need evidence that the lighter approach matches their ICT risk profile and does not leave critical or important functions unmanaged.
Citations
Regulation (EU) 2022/2554 (DORA)

Articles 17, 19, 26, and 28 show non-waivable incident, TLPT, and ICT third-party responsibility points despite proportional application.

Recommended next step

Use proportionality without losing the mandatory DORA control points

Sorena can help connect a DORA proportionality position to entity scope, ICT risk evidence, simplified-framework status, incident and supplier records, testing scope, and supervisory-ready review notes.

Research workflow
Open Research Copilot for EU DORA

Ask source-grounded questions about DORA proportionality, simplified-framework status, ICT risk evidence, incident duties, and TLPT selection.

Explore next step
Talk to Sorena
Talk through implementation

Review whether a proposed DORA proportionality position is supported by the entity's scope, risk profile, services, controls, suppliers, and testing evidence.

Explore next step
Primary sources

References and citations

Delegated Regulation (EU) 2025/1190 on DORA TLPT
eur-lex.europa.eu
Referenced sections
  • Specifies TLPT identification, scope, testing methodology, provider requirements, remediation, attestation, and authority cooperation criteria.
"criteria used for identifying financial entities"
Regulation (EU) 2022/2554 (DORA)
eur-lex.europa.eu
Referenced sections
  • Articles 17, 19, 26, and 28 show non-waivable incident, TLPT, and ICT third-party responsibility points despite proportional application.
"remain fully responsible"
Related guides

Explore more topics

DORA Critical or Important Functions: mapping ICT dependencies and evidence
How DORA critical or important functions affect ICT service mapping, third-party contracts, register-of-information records, incidents, testing, and evidence.
DORA deadlines and compliance calendar for financial entities
Calendar the grounded DORA dates and recurring evidence: 17 January 2025 application, incident reporting clocks, register updates, annual reporting, TLPT cadence, and CTPP oversight milestones.
DORA ICT Third-Party Contract Remediation Workflow
A DORA workflow for remediating ICT third-party contracts covering critical or important functions, subcontracting, audit rights, exits, register updates, and evidence.
DORA ICT Third-Party Contracts FAQ
What DORA requires in ICT third-party contracts, including critical or important functions, audit and access rights, termination, exit, subcontracting, register updates, and evidence.
DORA ICT third-party risk and contract clauses guide
Source-grounded DORA guide for financial entities in scope, ICT third-party risk, contract clauses, subcontracting controls, register evidence, audit rights, exit planning, and oversight.
DORA incident classification forms: criteria, fields, and reporting clocks
Grounded guide to DORA ICT incident classification forms: major-incident criteria, significant cyber-threat notifications, report fields, time limits, evidence, and reclassification records.
DORA incident clock workflow: classification, reports, deadlines, and evidence
Grounded DORA workflow for starting the major-incident reporting clock, classifying ICT incidents, submitting initial, intermediate, and final reports, and preserving authority evidence.
DORA major ICT incident reporting: classification, reports, and timing
Source-grounded DORA guide to major ICT-related incident classification, initial notifications, intermediate and final reports, competent authority routing, and significant cyber threat notifications.
DORA major ICT incident thresholds: what triggers reporting?
FAQ on DORA major ICT-related incident classification thresholds, recurring incidents, reporting triggers, and evidence inputs grounded in EU DORA RTS and ITS texts.
DORA Register of Information FAQ: ICT Third-Party Arrangements
FAQ on the DORA register of information: who maintains it, which ICT third-party arrangements it covers, template fields, critical functions, reporting, data quality, and evidence.
DORA Register of Information Import and Build Workflow
Build a DORA register of information from procurement, vendor, contract, service, function, and subcontractor data using the official register templates and validation checks.
DORA Register of Information Template: ICT Provider Fields and Evidence
A grounded DORA register of information template for ICT third-party contracts, provider hierarchy, critical functions, dates, statuses, reporting, and evidence.
DORA TLPT selection: who can be required to test?
FAQ on DORA threat-led penetration testing selection: who identifies financial entities, what criteria are used, what the TLPT authority validates, and what evidence to keep.
DORA vs EBA outsourcing guidelines: ICT third-party risk comparison
Compare binding DORA ICT third-party risk duties with the EBA/ESA outsourcing baseline for registers, critical functions, contracts, subcontracting, exit, incident reporting, and evidence.
DORA vs ISO 22301: ICT resilience and business continuity compared
Compare DORA's binding ICT operational resilience duties for financial entities with ISO 22301's business continuity management system requirements.
DORA vs ISO/IEC 27001: legal ICT resilience obligations and ISMS controls
Compare EU DORA and ISO/IEC 27001 across scope, governance, incident reporting, testing, ICT third-party risk, certification, evidence, overlap, and gaps.
DORA vs NIS2: financial-sector obligations, overlap, and evidence
Compare DORA and NIS2 for financial entities, ICT providers, incident reporting, management accountability, third-party risk, supervisory routes, and reusable evidence.
DORA vs PSD2 incident reporting: major ICT and payment incidents
Compare DORA major ICT-related incident reporting with PSD2 major operational or security payment incident reporting, including scope, triggers, report stages, recipients, and evidence.
EU DORA Applicability Test for Financial Entities and ICT Providers
A source-grounded DORA applicability test for financial-entity scope, ICT third-party services, critical or important functions, exclusions, proportionality, and evidence.
EU DORA Compliance Checklist for Financial Entities
A source-grounded DORA checklist covering ICT risk governance, major incident reporting, resilience testing, TLPT, ICT third-party contracts, register-of-information records, and audit evidence.
EU DORA Compliance Obligations and Evidence Guide
A source-grounded DORA compliance guide covering ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, registers, governance, oversight, and evidence.
EU DORA FAQ: scope, incidents, ICT contracts, testing, and evidence
Concise DORA FAQ covering who is in scope, proportionality, ICT third-party contracts, register-of-information records, major ICT incident thresholds and reporting, TLPT, testing, enforcement, and evidence.
EU DORA ICT risk management control baseline
A source-grounded DORA control baseline for ICT risk governance, asset and dependency mapping, protection, detection, response, recovery, testing, third-party risk, and evidence.
EU DORA ICT subcontracting chain controls for critical functions
DORA guide to ICT subcontracting chains for critical or important functions: prior assessment, contract conditions, register fields, monitoring, exit rights, and evidence.
EU DORA penalties and fines: enforcement powers and limits
Grounded guide to DORA enforcement: competent-authority powers, administrative penalties, remedial measures, publication rules, and Lead Overseer penalty payments for critical ICT third-party providers.
EU DORA Register of Information Data Model: templates, fields, and evidence
Field-level guide to the EU DORA register of information data model: templates B_01 to B_07, provider identifiers, contract links, subcontracting chains, critical-function assessments, dates, and export evidence.
EU DORA Requirements Overview: ICT risk, incidents, testing, and third-party risk
A grounded overview of the main EU DORA requirements for financial entities: governance, ICT risk management, incident reporting, resilience testing, TLPT, ICT third-party risk, register of information, oversight, proportionality, and evidence.
EU DORA Scope and Covered Entities: financial entities and ICT providers
Classify whether DORA applies to a financial entity, ICT third-party provider, group arrangement, branch, or critical ICT service dependency.
EU DORA Scope and Proportionality Workflow
Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.
EU DORA testing and TLPT readiness guide
A grounded DORA guide for resilience testing, TLPT eligibility, authority interaction, test evidence, remediation plans, and avoiding unsupported testing cadence.
EU DORA TLPT eligibility workflow for financial entities
Check how DORA TLPT authorities identify financial entities for threat-led penetration testing and what evidence supports scope, readiness, providers, and governance.
EU DORA TLPT Runbook: scope, providers, reports, and remediation
Build a DORA threat-led penetration testing runbook around authority coordination, scope validation, provider controls, active testing, closure reports, remediation, and attestation.
How to build a DORA register of information
Build a DORA register of information from contracts, ICT services, providers, functions, subcontractors, risk assessments, audit evidence, exit plans, and export checks.