---
title: "How does proportionality work under EU DORA?"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/faq/proportionality"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/faq/proportionality"
author: "Sorena AI"
description: "A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU DORA proportionality"
  - "DORA ICT risk management"
  - "DORA simplified framework"
  - "DORA microenterprise"
  - "DORA TLPT"
  - "ICT third-party risk"
  - "EU DORA"
  - "DORA proportionality"
  - "ICT risk management"
  - "simplified ICT risk framework"
  - "TLPT"
---
# How does proportionality work under EU DORA?

A grounded FAQ on DORA proportionality: what can be scaled, who may use the simplified ICT risk framework, what evidence supports the decision, and which duties cannot be waived.

## EU DORA Proportionality FAQ

DORA proportionality lets financial entities calibrate ICT risk management, testing, incident handling, and third-party oversight to their size, risk profile, and business complexity. It is not a blanket exemption.

Use this FAQ to separate scalable controls from mandatory DORA duties. It covers simplified-framework entities, microenterprises, management-body accountability, ICT incident reporting, and TLPT selection.

DORA uses proportionality to calibrate how in-scope financial entities implement digital operational resilience duties. The practical question is not whether DORA can be ignored, but how the entity's size, overall ICT risk profile, services, activities, operations, and dependencies justify the chosen level of governance, controls, testing, incident process, and supplier oversight.

## What does proportionality mean under EU DORA?

DORA Article 4 says financial entities must implement ICT risk management rules proportionately, taking into account their size and overall risk profile and the nature, scale, and complexity of their services, activities, and operations. The same proportionality lens also applies to ICT-related incident management, digital operational resilience testing, and ICT third-party risk management where the relevant chapters provide for it.

That means a smaller, lower-complexity entity can justify simpler governance, fewer layers of documentation, narrower testing depth, or less complex supplier oversight than a large systemic entity. The justification must still be tied to real ICT risk facts, not to a preference for lighter compliance.

- Start with DORA scope: confirm the entity is a financial entity or ICT third-party service provider covered by Article 2, and check whether any Article 2 exclusion applies.
- For an in-scope financial entity, record the proportionality factors: size, overall ICT risk profile, nature of services, scale of operations, complexity, critical or important functions, outsourced ICT services, and exposure to disruption.
- Map what is being scaled: governance detail, control depth, documentation, testing frequency, remediation sequencing, supplier monitoring, or evidence retained for supervisory review.
- Do not treat proportionality as a waiver of the core obligation to manage ICT risk, handle incidents, report major ICT-related incidents, maintain required third-party records, or meet TLPT requirements when identified by the competent authority.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Article 4 defines DORA proportionality and Article 2 defines covered financial entities and exclusions.

## Who can use DORA's simplified ICT risk management framework?

DORA Article 16 replaces Articles 5 to 15 with a simplified ICT risk management framework for specified categories: small and non-interconnected investment firms, exempted payment institutions, specified exempted institutions under Directive 2013/36/EU, exempted electronic money institutions, and small institutions for occupational retirement provision.

The simplified framework is still a real framework. These entities must maintain documented ICT risk management, monitor ICT systems, protect availability, authenticity, integrity, and confidentiality of data, detect and handle ICT incidents, identify key ICT third-party dependencies, ensure continuity of critical or important functions, regularly test continuity measures and controls, and feed test and incident lessons back into ICT risk assessment.

- Use Article 16 only when the entity fits one of the listed categories; do not apply it merely because the entity is small or resource-constrained.
- Keep one clear evidence file showing the Article 16 basis, the simplified ICT framework, the information security policy required by Delegated Regulation (EU) 2024/1774, and the periodic review report content where requested.
- For microenterprises, do not assume there is no testing duty: DORA Article 25 still requires ICT testing using a risk-based approach balanced against resources, urgency, type of risk, criticality of information assets, and services provided.
- When the entity relies on ICT third-party services, keep the register and contract evidence proportionate to the criticality or importance of the service, dependency complexity, and potential impact on continuity and availability.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Article 16 lists the entities subject to the simplified ICT risk management framework and preserves core ICT risk, continuity, dependency, and testing obligations.
- [Delegated Regulation (EU) 2024/1774 on ICT risk management tools and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Specifies proportionality factors and detailed simplified-framework requirements for governance, information security, ICT risk assessment, controls, continuity, testing, and review reporting.

## What evidence supports a defensible DORA proportionality decision?

A defensible proportionality decision connects the scaled measure to the risk facts DORA names. The evidence should show why the selected control, test, policy, supplier-monitoring depth, or remediation timetable is adequate for the entity's size, risk profile, services, activities, operations, and ICT dependencies.

Delegated Regulation (EU) 2024/1774 gives useful evidence categories: the context of the entity's services and operations, identified critical functions, major projects or activities, relationships, dependence on in-house and outsourced ICT services and systems, the effect of severe degradation or loss, current and near-term ICT risk, threat landscape, control effectiveness, and security posture.

- Entity and scope evidence: legal entity, DORA Article 2 category, any exclusion considered, and any Article 16 simplified-framework basis.
- Risk profile evidence: ICT-supported critical or important functions, information and ICT asset classification, business impact analysis, current and near-term ICT risks, threat landscape, incident history, and testing findings.
- Scaling evidence: what was made lighter or heavier, why the change remains adequate, who approved it, and what supervisory instruction, audit finding, incident, test, or supplier change would trigger review.
- Third-party evidence: register entries, critical or important function classification, contract clauses, service-level monitoring, exit or continuity evidence, and a record that outsourcing does not transfer the financial entity's DORA responsibility.
- Testing evidence: the risk basis for test type, frequency, scope, independence, remediation priorities, and any TLPT authority determination or attestation where advanced testing applies.

Sources for this answer:

- [Delegated Regulation (EU) 2024/1774 on ICT risk management tools and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Article 1 and the review-report provisions identify the size, risk, complexity, dependency, threat, control-effectiveness, and security-posture evidence useful for proportionality records.
- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Articles 6, 17, 19, 24, 25, 26, and 28 anchor evidence for ICT risk management, incidents, testing, TLPT, and ICT third-party risk.

## What cannot be waived by calling it proportional under DORA?

Proportionality does not erase DORA's core control points. It cannot be used to avoid having an ICT risk management framework, to ignore major ICT-related incidents, to skip required reporting, to transfer responsibility to a supplier, or to decline TLPT after the relevant authority identifies the entity as required to perform it.

It also cannot replace supervisory judgment. DORA says competent authorities consider how financial entities apply proportionality when reviewing ICT risk management framework reports submitted under Articles 6(5) and 16(2). For TLPT, competent authorities identify the financial entities required to perform advanced testing based on impact-related factors, financial stability concerns, and ICT risk profile, maturity, or technology features.

- In-scope financial entities remain responsible for DORA compliance even when ICT services are outsourced or a third party assists with incident reporting.
- Major ICT-related incidents must be reported to the relevant competent authority through the required notification and report sequence; proportionality does not turn mandatory reporting into an optional escalation.
- ICT third-party risk remains part of the financial entity's own ICT risk management framework, including the register of information and contract evidence for ICT services.
- TLPT is not self-selected by preference: DORA requires competent authorities to identify entities required to perform TLPT, and the TLPT RTS adds criteria and process requirements for scope, providers, risk management, findings, remediation, and attestation.
- Simplified-framework entities and microenterprises receive lighter or different obligations in defined places, but they still need evidence that the lighter approach matches their ICT risk profile and does not leave critical or important functions unmanaged.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Articles 17, 19, 26, and 28 show non-waivable incident, TLPT, and ICT third-party responsibility points despite proportional application.
- [Delegated Regulation (EU) 2025/1190 on DORA TLPT](https://eur-lex.europa.eu/eli/reg_del/2025/1190/oj/eng?ref=sorena.io) - Specifies TLPT identification, scope, testing methodology, provider requirements, remediation, attestation, and authority cooperation criteria.

## Primary sources

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Primary DORA text for scope, proportionality, ICT risk management, incident handling, reporting, testing, TLPT, simplified framework, and ICT third-party risk responsibilities.
  - Quote: "Proportionality principle"
- [Delegated Regulation (EU) 2024/1774 on ICT risk management tools and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - RTS source for proportional ICT security policies, procedures, controls, simplified-framework governance, ICT risk assessment, testing, continuity, and review-report evidence.
  - Quote: "simplified ICT risk management framework"
- [Delegated Regulation (EU) 2025/1190 on DORA TLPT](https://eur-lex.europa.eu/eli/reg_del/2025/1190/oj/eng?ref=sorena.io) - RTS source for TLPT identification criteria, authority involvement, scope documents, scenario selection, active testing duration, remediation, and attestation.
  - Quote: "threat-led penetration testing"

(c) 2026 Sorena AB (559573-7338). All rights reserved.