---
title: "EU DORA Scope and Proportionality Workflow"
canonical_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/scope-and-proportionality-workflow"
source_url: "https://www.sorena.io/artifacts/eu/digital-operational-resilience-act/scope-and-proportionality-workflow"
author: "Sorena AI"
description: "Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU DORA scope"
  - "DORA proportionality"
  - "DORA simplified ICT risk management"
  - "DORA critical important functions"
  - "DORA ICT third-party risk"
  - "EU DORA"
  - "Digital Operational Resilience Act"
  - "scope"
  - "proportionality"
  - "simplified ICT risk management"
  - "critical or important functions"
  - "ICT third-party risk"
---

# EU DORA Scope and Proportionality Workflow

Classify DORA covered entities, simplified-framework status, critical or important functions, ICT dependencies, evidence records, and governance approvals.

A source-grounded workflow for deciding whether an entity is covered by DORA, whether the simplified ICT risk management framework is available, and how proportionality changes the evidence expected.

Use it to connect covered-entity classification, critical or important functions, ICT service dependencies, register-of-information evidence, TLPT considerations, and management-body approvals.

DORA scope work should not stop at naming a licence category. A durable assessment records whether the organisation is a financial entity listed in DORA Article 2, whether an exclusion or Member State option is relevant, whether Article 16 simplified ICT risk management applies, and how the size, risk profile, services, activities, operations, ICT assets, third-party services, and critical or important functions affect implementation.

## 1. Classify the entity before classifying the controls

Start with the legal perimeter. DORA applies to the financial-entity categories listed in Article 2, including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, fund managers, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and securitisation repositories. Article 2 also lists ICT third-party service providers separately from the financial-entity categories.

Then record exclusions and boundary questions. Article 2 excludes several categories, including certain AIFMs, certain insurance and reinsurance undertakings, IORPs operating pension schemes with no more than 15 members in total, persons exempted under MiFID II Articles 2 and 3, insurance intermediaries that are microenterprises or SMEs, and post office giro institutions. It also lets Member States exclude specified CRD-exempt entities located in their territory.

- Evidence fields: legal entity name, LEI where available, authorisation or registration category, Member State, competent authority, group position, and the DORA Article 2 paragraph relied on.
- Decision output: covered financial entity, excluded entity, ICT third-party service provider, group-level dependency requiring further assessment, or unresolved legal classification.
- Escalate when an entity has more than one regulated role, operates through branches, relies on intra-group ICT services, or may fall under a Member State exclusion.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the covered financial-entity list, separate ICT third-party service provider listing, Article 2 exclusions, Member State exclusion option, Article 4 proportionality rule, and management-body responsibility for ICT risk.

## 2. Decide whether the simplified ICT risk management framework applies

After the entity is in scope, check whether it belongs to the Article 16 simplified-framework population. DORA lists small and non-interconnected investment firms, exempted payment institutions, certain CRD-exempt institutions where the Member State has not excluded them under Article 2(4), exempted electronic money institutions, and small institutions for occupational retirement provision.

Do not treat "simplified" as meaning no work. Article 16 still requires a documented ICT risk management framework, monitoring of ICT systems, resilient and up-to-date ICT tools, prompt detection and handling of incidents, identification of key ICT third-party dependencies, continuity of critical or important functions, testing of continuity measures and controls, and use of the conclusions from tests and incidents in the ICT risk assessment.

- Evidence fields: Article 16 category, reason the entity qualifies, management-body approval date, simplified framework owner, information security policy reference, ICT asset/function inventory reference, and date of last framework review.
- Simplified-framework output: one approved scope note that states which Article 16 obligations apply and which full-framework obligations were not selected because the entity is in the simplified population.
- Reopen the decision if the entity changes authorisation category, group status, scale, service complexity, ICT dependency, critical or important functions, or supervisory instruction.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the Article 16 list of entities subject to the simplified ICT risk management framework and the minimum obligations those entities still retain.
- [Delegated Regulation (EU) 2024/1774 on ICT risk management and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Supports the practical simplified-framework evidence: internal governance, management-body responsibility, information security policy, classification of critical or important functions, ICT assets, interdependencies, testing, continuity plans, and review reports.

## 3. Apply proportionality to evidence depth, not to legal status

Article 4 makes proportionality a method for implementing DORA obligations, not a shortcut for avoiding them. The assessment should explain how size, overall risk profile, and the nature, scale and complexity of services, activities and operations affect the level of detail, frequency, testing depth, audit focus, and management reporting applied when implementing Chapters II, III and IV and Chapter V, Section I.

Use proportionality consistently. If the organisation uses a lighter control, shorter report, less frequent review, or smaller evidence sample, the record should explain the risk-based reason and identify which critical or important functions, ICT assets, information assets, and ICT third-party dependencies were considered.

- Assessment dimensions: entity size, services and licensed activities, customer and market impact, ICT risk profile, complexity of ICT architecture, critical or important functions, outsourcing and subcontracting chain complexity, incident history, and supervisory expectations.
- Governance decision: the management body should approve the ICT risk tolerance, digital operational resilience strategy, ICT third-party policy where required, continuity and response plans, audit plans, and material scope decisions.
- Evidence standard: proportionality decisions should be understandable to a competent authority without relying on project history or undocumented assumptions.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the Article 4 proportionality criteria and the management-body duties in Article 5 for approving, overseeing, and reviewing ICT risk arrangements.
- [Delegated Regulation (EU) 2024/1774 on ICT risk management and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Supports proportional implementation details for ICT policies, risk assessment, asset management, change management, continuity testing, and review reporting.

## 4. Identify critical or important functions and ICT dependencies

The workflow should classify functions before it classifies suppliers. DORA defines a critical or important function as one whose disruption would materially impair the financial entity's financial performance, soundness or continuity of services and activities, or continuing compliance with authorisation and financial-services-law obligations.

For each critical or important function, identify the supporting business owner, ICT systems, information assets, ICT assets, direct ICT third-party service providers, intra-group ICT service providers, subcontractors that effectively underpin the service, locations where services and data are provided or processed, concentration risks, substitutability, exit options, and continuity impact.

- Function fields: function identifier, function name, licensed activity, criticality or importance assessment, reason for classification, date of last assessment, and impact of discontinuing the function.
- ICT service fields: type of ICT service, provider identifier, contract reference, whether the service supports a critical or important function, substitutability, reason for difficult substitution, last audit date, impact of discontinuing the ICT service, and whether alternatives have been identified.
- Supplier-chain fields: direct provider, intra-group provider, first extra-group provider where relevant, subcontractors that effectively underpin critical or important ICT services, service and data locations, permitted subcontracting, notice and approval requirements, and termination triggers.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports the DORA definition of critical or important function and the Article 8 requirement to identify, classify, document, and review ICT-supported business functions, assets, roles, responsibilities, and dependencies.
- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Supports the register-of-information fields for functions, ICT services, criticality assessment, impact of discontinuance, provider identifiers, substitutability, alternatives, audits, and subcontractors underpinning critical or important services.
- [Delegated Regulation (EU) 2025/532 on subcontracting ICT services supporting critical or important functions](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng?ref=sorena.io) - Supports the subcontracting assessment for ICT services supporting critical or important functions, including chain complexity, locations, data, due diligence, monitoring, material changes, approval, objection, and termination conditions.

## 5. Close with governance approvals and reopen triggers

The final output should be a scope and proportionality record that can be reused for the ICT risk management framework, incident process, testing programme, third-party risk strategy, register of information, contract policy, subcontracting approvals, and TLPT scoping where applicable.

Where TLPT is relevant, do not self-designate on the basis of internal preference alone. DORA and the TLPT RTS rely on competent-authority identification and consider impact on the financial sector, financial stability concerns, ICT risk profile, ICT maturity, and technology features. The entity's internal record should therefore identify critical or important functions and supporting ICT systems clearly enough to support TLPT scoping and supervisory validation.

- Approval record: covered-entity conclusion, simplified-framework conclusion, proportionality rationale, critical or important function inventory, ICT dependency summary, register-of-information update status, unresolved legal or supervisory questions, approver, approval date, and next review trigger.
- Reopen triggers: new regulated activity, merger or group restructuring, new or changed critical or important function, major ICT architecture change, new ICT third-party service supporting a critical or important function, material subcontracting change, major ICT-related incident, failed resilience test, supervisory request, or register-data inconsistency.
- Evidence location: store the source citations, Article 2 and Article 16 classification rationale, Article 4 proportionality factors, function and asset inventories, ICT service and provider records, contract references, approval notes, and register template extracts together.

Sources for this answer:

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Supports management-body responsibility, review of ICT risk arrangements, ICT third-party risk strategy, register-of-information maintenance, and TLPT identification criteria in DORA.
- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports governance and lifecycle expectations for the policy on ICT services supporting critical or important functions, including management-body review, responsibility assignment, risk assessment, due diligence, monitoring, audit, and exit.
- [Delegated Regulation (EU) 2025/1190 on DORA TLPT criteria](https://eur-lex.europa.eu/eli/reg_del/2025/1190/oj/eng?ref=sorena.io) - Supports the TLPT scoping connection: authorities identify entities for TLPT using impact, financial stability, ICT risk profile, ICT maturity, and technology features, and TLPT documentation lists critical or important functions and supporting ICT systems.

## Primary sources

- [Regulation (EU) 2022/2554 (DORA)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&ref=sorena.io) - Primary source for DORA covered entities, exclusions, proportionality, management-body responsibility, ICT risk management, critical or important functions, third-party risk, register duties, and TLPT baseline rules.
  - Quote: "digital operational resilience for the financial sector"
- [Delegated Regulation (EU) 2024/1774 on ICT risk management and the simplified framework](https://eur-lex.europa.eu/eli/reg_del/2024/1774/oj/eng?ref=sorena.io) - Supports evidence expectations for the full and simplified ICT risk management frameworks, including governance, information security policy, asset and function classification, continuity, testing, and framework review reports.
  - Quote: "simplified ICT risk management framework"
- [Implementing Regulation (EU) 2024/2956 on DORA register templates](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R2956&ref=sorena.io) - Supports register-of-information fields for ICT services, contractual arrangements, provider identifiers, function identifiers, criticality assessments, discontinuance impact, substitutability, alternatives, audits, and subcontractors.
  - Quote: "standard templates for the register of information"
- [Delegated Regulation (EU) 2024/1773 on ICT third-party contract policy](https://eur-lex.europa.eu/eli/reg_del/2024/1773/oj/eng?ref=sorena.io) - Supports the lifecycle policy for ICT services supporting critical or important functions, including planning, risk assessment, due diligence, approval, monitoring, audit access, exit, and termination.
  - Quote: "contractual arrangements on the use of ICT services supporting critical or important functions"
- [Delegated Regulation (EU) 2025/532 on subcontracting ICT services supporting critical or important functions](https://eur-lex.europa.eu/eli/reg_del/2025/532/oj/eng?ref=sorena.io) - Supports subcontracting assessment criteria for critical or important ICT services, including chain complexity, locations, data, suitability, monitoring, material changes, objection rights, and termination triggers.
  - Quote: "subcontracting ICT services supporting critical or important functions"
- [Delegated Regulation (EU) 2025/1190 on DORA TLPT criteria](https://eur-lex.europa.eu/eli/reg_del/2025/1190/oj/eng?ref=sorena.io) - Supports the TLPT-related part of the workflow, including authority identification criteria, scope documents, critical or important functions, supporting ICT systems, providers, and supervisory validation.
  - Quote: "threat-led penetration testing"

