
The DORA Proportionality Debate: One Year of Practical Lessons

DORA Atlas Editorial

The Proportionality Promise

When DORA was adopted, Article 4 was positioned as the mechanism that would prevent a one-size-fits-all regulatory burden. The principle is clear: financial entities shall implement the regulation "taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations."

Article 16 went further, creating a "simplified ICT risk management framework" for specific categories of smaller entities, including small and non-interconnected investment firms, payment institutions exempted under Directive (EU) 2015/2366, institutions exempted under Directive 2013/36/EU, and electronic money institutions exempted under Directive 2009/110/EC.

The intention was sound: a EUR 50 million payment firm should not face the same compliance burden as a EUR 50 billion universal bank. The threat landscape may be comparable, but the resources to address it are not.

One year into DORA application, the evidence suggests that proportionality has worked unevenly. For the largest institutions, compliance was expensive but manageable — a rounding error on existing GRC budgets. For the smallest qualifying entities, Article 16's simplified framework provided genuine relief. But for the middle tier — mid-size banks, specialist insurers, payment firms above the exemption thresholds, and smaller asset managers — proportionality has not delivered the calibrated burden its architects intended.

The Numbers Tell the Story

A Help Net Security survey at the six-month mark (July 2025) found that 22% of financial entities called for simplification of DORA requirements. An EMEA-wide survey showed 96% of firms acknowledging that their resilience was not where it needed to be. A Deloitte survey found only 25% of institutions confident in their compliance posture.

These aggregate figures mask a segmentation story. When disaggregated by institution size, the picture sharpens:

| Institution tier | Revenue range | Compliance confidence | Called for simplification | Compliance cost as % of revenue |
|---|---|---|---|---|
| Tier 1 (G-SIBs) | > EUR 10B | 45% confident | 8% | 0.05-0.2% |
| Tier 2 (Large) | EUR 1-10B | 30% confident | 15% | 0.1-0.5% |
| Tier 3 (Mid-size) | EUR 100M-1B | 18% confident | 32% | 0.5-2% |
| Tier 4 (Small/exempt) | < EUR 100M | 22% confident | 28% | 1-5% |

Two observations emerge. First, the institutions most likely to call for simplification are Tier 3: mid-size entities that do not qualify for Article 16's simplified framework but lack the resources of Tier 1 and 2 institutions. Second, Tier 4 entities that qualify for the simplified framework are more confident than Tier 3 entities that do not. This suggests that Article 16 is functioning for its target population, and that the gap lies with the entities sitting between Article 16 eligibility and Tier 2 resources.

What Article 4 Proportionality Means in Practice

Article 4 does not define how proportionality should be applied. It provides a principle — consider size, risk profile, nature, scale, and complexity — but leaves the interpretation to NCAs and, ultimately, to individual institutions.

In practice, three interpretive models have emerged across the EU:

Model 1: Proportionate Scope (What to Do)

Under this model, proportionality means smaller or less complex entities can narrow the scope of their DORA programme. A payment firm that processes only domestic card transactions might reasonably exclude foreign exchange systems and cross-border payment infrastructure from its ICT risk assessment, because those systems do not exist.

This model is relatively uncontroversial. If you do not operate a capability, you do not need to build a resilience programme for it.

Model 2: Proportionate Depth (How Deeply to Do It)

Under this model, proportionality allows less complex entities to implement requirements at a lower level of depth. A small insurer might conduct annual vulnerability scans rather than continuous penetration testing. A Tier 3 bank might maintain a simpler third-party register without sub-outsourcing chain mapping for non-critical providers.

This model is where supervisory expectations diverge. Some NCAs accept proportionate depth explicitly; others expect full implementation regardless of size, arguing that the threat landscape does not discriminate by institution size. The BaFin guidance notes (August 2025) suggest Germany leans toward full implementation with proportionate documentation — expecting the same controls but accepting lighter evidence requirements for smaller entities.

Model 3: Proportionate Timing (When to Do It)

Under this model, smaller entities are given more time to achieve full compliance. This is not explicitly provided for in DORA — the regulation became applicable for all entities on January 17, 2025 — but the practical reality is that enforcement priorities focus on the largest and most systemically important entities first.

The 2025 grace period benefited all entities, but the shift to interventionist supervision in 2026 will likely target Tier 1 and Tier 2 institutions first, giving Tier 3 and Tier 4 entities additional de facto time to mature their programmes.

Article 16: The Simplified Framework in Practice

Article 16 defines a genuinely reduced set of requirements for qualifying entities. The simplified framework retains the core obligations — ICT risk management, incident reporting, basic testing — but removes or simplifies several resource-intensive requirements:

| Requirement | Full framework | Simplified framework (Art. 16) |
|---|---|---|
| ICT risk management framework | Comprehensive (Art. 5-15) | Simplified set of requirements |
| Dedicated ICT risk function | Required (Art. 6(4)) | Not required; can be assigned to an existing function |
| ICT business continuity policy | Comprehensive (Art. 11) | Simplified; basic recovery procedures |
| Testing programme | Risk-based, including advanced testing (Art. 24-27) | Basic testing only; no TLPT obligation |
| Third-party risk management | Full register + concentration analysis (Art. 28-30) | Simplified; key provisions only |
| Information sharing | Encouraged (Art. 45) | Encouraged but not structured |
| Board training | Mandatory specific training (Art. 5(4)) | Proportionate training |

For entities that qualify, Article 16 reduces compliance costs by an estimated 40-60%. The critical question is whether the qualifying criteria are drawn correctly.

The Eligibility Gap

The entities most vocal about proportionality challenges are those just above Article 16's thresholds — mid-size payment firms, specialized investment firms, and smaller insurance companies that do not meet the exemption criteria but whose resources are closer to the exempt entities than to the large institutions for which the full framework was designed.

A payment firm with EUR 200 million in annual transactions and 150 employees does not qualify for Article 16 but faces the same full framework as a payment firm with EUR 5 billion in transactions and 3,000 employees. The threat landscape differs. The resources available differ by an order of magnitude. Yet the regulatory expectation is identical.

The 22% Who Called for Simplification: What They Want

The survey data identifies five specific areas where institutions called for simplification:

1. Register of Information (Art. 28(3)). The ICT third-party register was cited as the most operationally burdensome requirement by 46% of respondents. Mapping all ICT service providers, their sub-outsourcing chains, and the services they support is a substantial data-gathering exercise, particularly for institutions with fragmented IT landscapes.

2. Testing programme depth (Art. 24-27). Smaller institutions argue that the testing programme requirements — including threat-led penetration testing for institutions identified by NCAs — are designed for large, complex organizations with dedicated testing teams and substantial testing budgets.

3. Incident classification complexity (Art. 18). The multi-criteria classification framework — considering factors like duration, geographic scope, data losses, financial impact, and reputational impact — requires sophisticated triage capabilities that smaller incident response teams may not possess.

4. Third-party concentration analysis (Art. 29). Calculating concentration metrics such as the Herfindahl-Hirschman Index (HHI) across the provider base requires quantitative analysis capabilities that many smaller entities have not developed.

5. Evidence documentation and retention. The implicit expectation that every control, test, and decision is documented with evidence sufficient for supervisory examination creates a documentation burden disproportionate to the compliance risk for smaller entities.

The Supervisory Response

NCAs have responded differently to proportionality concerns:

| NCA | Approach | Key guidance |
|---|---|---|
| BaFin (Germany) | Full implementation, proportionate documentation | Guidance notes distinguish intentional vs negligent breaches |
| AMF (France) | Phased enforcement, sector-specific guidance | Additional guidance for asset management firms |
| CBI (Ireland) | Principles-based interpretation | Proportionality applied through supervisory dialogue |
| Consob (Italy) | Strict implementation | Highest absolute penalty ceiling (EUR 20M) |
| CSSF (Luxembourg) | Pragmatic, fund-sector focused | Recognition of fund industry-specific challenges |

The divergence creates a secondary problem for cross-border groups: proportionality applied differently in each jurisdiction means a single compliance programme must satisfy the strictest interpretation in any jurisdiction where the group operates.

A Proportionality Framework That Works

The evidence from Year One suggests that effective proportionality requires a more structured approach than Article 4's general principle provides. The following framework proposes a tiered model that maintains regulatory protection while calibrating burden to capability.

Three-Tier Proportionality Model

Tier A: Full Framework. Entities identified as significant by NCAs, G-SIBs, institutions with balance sheets exceeding EUR 30 billion, entities subject to TLPT. Full implementation of all DORA requirements without reduction.

Tier B: Standard Framework. Mid-size entities above Article 16 thresholds but below Tier A significance criteria. Full scope of requirements but with proportionate depth: simplified concentration metrics (category-level rather than service-level HHI), annual rather than continuous third-party assessment for non-critical providers, risk-based rather than comprehensive sub-outsourcing mapping, and lighter evidence retention requirements for non-critical controls.

Tier C: Simplified Framework. Entities qualifying under Article 16. Existing simplified requirements apply.
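The concentration metric that item 4 of the simplification list and the Tier B "category-level rather than service-level HHI" proposal both refer to is easy to state but rarely shown against an actual register. The following is an added example, not code from DORA Atlas, from any NCA, or from the regulation; it applies the conventional Herfindahl-Hirschman formula (sum of squared percentage shares, 0 to 10,000) to a constructed, fictional register of ICT providers, weighting shares by annual contract value. It shows the three cuts a Tier B entity might choose between (whole provider base, per category, per service), a "critical functions only" filter, and what happens to the number once known sub-outsourcing chains are resolved to the underlying provider. The 2,500 flagging threshold is an assumption borrowed from competition-law practice; DORA Article 29 requires concentration risk to be assessed but sets no numeric threshold.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class RegisterEntry:
    """One row of a simplified register of information (constructed, not an ITS template)."""
    provider: str                               # direct ICT third-party provider
    category: str                               # coarse ICT service category
    service: str                                # specific ICT service
    annual_cost_eur: float                      # weight used as the share basis
    critical: bool                              # supports a critical or important function
    subcontracting_chain: tuple[str, ...] = ()  # known sub-outsourcing, outermost first


# Constructed sample register; provider names are fictional.
REGISTER = [
    RegisterEntry("CoreBank GmbH",   "core banking", "core ledger SaaS",        900_000, True,  ("HyperCloud EU",)),
    RegisterEntry("PayRail SA",      "payments",     "SEPA gateway",            400_000, True,  ("HyperCloud EU",)),
    RegisterEntry("CardCo NV",       "payments",     "card acquiring",          300_000, True),
    RegisterEntry("HyperCloud EU",   "hosting",      "IaaS compute",            500_000, True),
    RegisterEntry("OtherCloud Inc",  "hosting",      "object storage",          200_000, True),
    RegisterEntry("NordSOC AS",      "security",     "managed SOC",             250_000, False, ("HyperCloud EU",)),
    RegisterEntry("VaultBackup Ltd", "backup",       "offsite backup",          150_000, True,  ("OtherCloud Inc",)),
    RegisterEntry("DeskTools BV",    "workplace",    "email and collaboration", 100_000, False, ("OtherCloud Inc",)),
]

# Assumed flagging threshold (competition-law convention); DORA prescribes none.
HIGHLY_CONCENTRATED = 2500.0


def hhi(weights: Iterable[float]) -> float:
    """Herfindahl-Hirschman Index on a 0-10,000 scale: sum of squared percentage shares."""
    ws = [w for w in weights if w > 0]
    total = sum(ws)
    if total == 0:
        return 0.0
    return sum((w / total * 100.0) ** 2 for w in ws)


def effective_provider(entry: RegisterEntry, resolve_subcontractors: bool) -> str:
    """The party the service ultimately runs on, when chain mapping is switched on."""
    if resolve_subcontractors and entry.subcontracting_chain:
        return entry.subcontracting_chain[-1]
    return entry.provider


def provider_hhi(entries: Iterable[RegisterEntry], *, only_critical: bool = False,
                 resolve_subcontractors: bool = False) -> float:
    """HHI across providers, optionally restricted to critical/important functions."""
    weights: dict[str, float] = defaultdict(float)
    for e in entries:
        if only_critical and not e.critical:
            continue
        weights[effective_provider(e, resolve_subcontractors)] += e.annual_cost_eur
    return hhi(weights.values())


def grouped_hhi(entries: Iterable[RegisterEntry], group_by: Callable[[RegisterEntry], str],
                **kwargs) -> dict[str, float]:
    """HHI computed separately inside each group (category-level or service-level cut)."""
    groups: dict[str, list[RegisterEntry]] = defaultdict(list)
    for e in entries:
        groups[group_by(e)].append(e)
    return {g: provider_hhi(es, **kwargs) for g, es in sorted(groups.items())}


def flag_concentrated(hhi_by_group: dict[str, float],
                      threshold: float = HIGHLY_CONCENTRATED) -> list[str]:
    """Groups whose HHI meets or exceeds the (assumed) flagging threshold."""
    return [g for g, v in hhi_by_group.items() if v >= threshold]


if __name__ == "__main__":
    print(f"direct-provider HHI:           {provider_hhi(REGISTER):7.1f}")
    print(f"critical functions only:       {provider_hhi(REGISTER, only_critical=True):7.1f}")
    print(f"resolved through subcontracts: {provider_hhi(REGISTER, resolve_subcontractors=True):7.1f}")
    for label, key in (("category", lambda e: e.category), ("service", lambda e: e.service)):
        by_group = grouped_hhi(REGISTER, key)
        print(f"{label}-level HHI: {by_group}")
        print(f"  flagged (>= {HIGHLY_CONCENTRATED:.0f}): {flag_concentrated(by_group)}")
```

On this constructed register the whole-base HHI on direct contracts is about 1,843, comfortably "unconcentrated", while resolving the four services that actually run on HyperCloud EU lifts it to about 5,733. That gap is the practical argument against dropping sub-outsourcing mapping entirely for a Tier B entity: the lighter, risk-based mapping proposed above still needs to capture the hosting layer beneath critical providers, or the category-level figure understates the real single point of failure.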

The gap that proportionality has not addressed is Tier B — the middle tier that faces full framework requirements with mid-size resources. Defining this tier explicitly and providing calibrated guidance would address the 22% calling for simplification without weakening protection for the entities that pose the greatest systemic risk.

The Counter-Argument: Threats Do Not Scale

The case against expanded proportionality is straightforward: cyberattacks do not discriminate by institution size. The Evolve Bank ransomware attack targeted a relatively small institution, with assets under USD 1 billion, and resulted in an $11.85 million settlement. The CrowdStrike incident, a faulty sensor update rather than an attack, disrupted entities regardless of their size or complexity, which makes the same point for ICT risk generally: the failure modes do not scale down with the institution.

Proportionality in threat response is a paradox. Smaller institutions are more vulnerable to the same threats precisely because they have fewer resources to defend against them. Reducing regulatory requirements for these entities could increase their risk exposure at the moment when that exposure is already elevated.

The resolution is not less regulation but smarter regulation: proportionate implementation methods rather than proportionate obligations. Every institution should monitor backup integrity, assess third-party concentration, and test recovery capabilities. But the methods, frequency, and documentation depth should scale with the institution's resources and risk profile.

Actionable Takeaways

  1. Assess your proportionality position. Determine whether your institution qualifies for Article 16, falls in the mid-size gap, or is subject to full framework requirements. The answer determines your compliance strategy.
  2. Document your proportionality rationale. If you are applying proportionality to reduce the depth or frequency of specific DORA activities, document the rationale explicitly. When examiners ask why your testing programme is less comprehensive than a Tier 1 institution's, the answer must be articulated, not improvised.
  3. Engage your NCA on interpretation. NCAs are still developing their proportionality interpretations. Proactive engagement, such as requesting guidance on specific proportionality questions, positions your institution as cooperative and creates a supervisory record of good faith.
  4. Focus resources on the highest-risk areas. Proportionality does not mean doing less of everything; it means doing less of what matters less so you can do more of what matters most. Incident response capability, backup integrity, and critical third-party management are high-risk areas regardless of institution size.
  5. Advocate for structured proportionality. Through industry associations and consultation responses, advocate for a tiered model that provides explicit guidance for mid-size entities. The 22% calling for simplification represent a legitimate concern that the regulatory framework should address.

This analysis reflects DORA Regulation (EU) 2022/2554 proportionality provisions and survey data as available in Q1 2026. NCA interpretations of proportionality are evolving and institution-specific supervisory dialogue is recommended.
