Article 4

Chapter I — General provisions

Proportionality principle

Tags: proportionality, simplification, scope

Summary

Establishes that financial entities shall implement the regulation in a manner proportionate to their size, overall risk profile, and the nature, scale and complexity of their services, activities and operations. Provides specific simplifications for entities that do not meet the criteria for significant size or systemic importance.

Key Requirements

  1. Implementation proportionate to size and risk profile

  2. Simplified ICT risk management framework for smaller entities

  3. Exemptions from advanced testing requirements (TLPT) for less complex entities

  4. Competent authorities may adapt supervisory expectations

Detailed Analysis

Article 4 introduces the proportionality principle that runs throughout DORA, recognizing that a one-size-fits-all approach would be neither practical nor effective for the diverse landscape of EU financial entities. This principle allows the calibration of requirements based on an entity's individual characteristics.

The key factors for proportionality assessment include the entity's size (measured by total assets, number of clients, transaction volumes), overall risk profile (considering the interconnectedness with the broader financial system), and the nature of its activities (whether it provides critical market infrastructure or operates in a limited capacity).

Importantly, proportionality does not mean exemption. Even the smallest in-scope entity must establish an ICT risk management framework, report significant incidents, and manage third-party risks. The calibration applies to the depth and sophistication of these measures. For instance, a small payment institution may not need a dedicated CISO but must still designate a person responsible for ICT security.

Article 4 also acknowledges that competent authorities play a role in applying proportionality through their supervisory approaches. This built-in flexibility allows national supervisors to account for local market conditions while maintaining the harmonized minimum standards established by the regulation.
