Chapter II — ICT risk management
Section VI — Simplified ICT risk management framework
Simplified ICT risk management framework
Summary
Provides a simplified ICT risk management framework for certain smaller or less complex financial entities. While maintaining core requirements for risk identification, protection, detection, and recovery, it allows proportionate implementation with reduced documentation and governance obligations.
Key Requirements
1. Simplified but complete framework covering all risk management phases
2. Proportionate governance arrangements for smaller entities
3. Core identification, protection, detection, and recovery capabilities maintained
4. Reduced documentation and reporting obligations
Detailed Analysis
Article 16 provides the practical application of the proportionality principle (Article 4) by establishing a simplified ICT risk management framework for eligible entities. This recognizes that applying the full weight of DORA's requirements to a small investment advisor or a niche payment institution would be disproportionate and counterproductive.
The simplified framework maintains the core structure of the full framework — identification, protection, detection, response, and recovery — but with reduced depth and complexity. Eligible entities must still know their ICT assets, protect them appropriately, monitor for threats, and have recovery plans, but the level of documentation, governance formality, and technical sophistication expected is calibrated to their risk profile.
Eligibility for the simplified framework depends on specific criteria defined in DORA and the related RTS. Generally, it applies to entities that are smaller in size, less interconnected with the broader financial system, and not performing critical market infrastructure functions. However, even eligible entities may be required to apply the full framework if their competent authority determines that their ICT risk profile warrants it.
It is important to note that "simplified" does not mean "optional." Entities using the simplified framework are still subject to regulatory oversight and must demonstrate compliance with the applicable requirements. The simplification is in the implementation approach, not in the commitment to operational resilience.