
Who Qualifies for DORA's Simplified Framework? Understanding Proportionality

DORA Atlas Editorial

The Proportionality Promise — and Its Limits

DORA's preamble and Article 4 recognize a fundamental reality: a global systemically important bank and a small regional insurance broker do not have the same ICT risk profile, the same technology complexity, or the same capacity to implement comprehensive governance frameworks. The proportionality principle ensures that regulatory requirements scale with risk — preventing small entities from bearing disproportionate compliance costs while maintaining adequate resilience standards across the financial sector.

But proportionality in DORA is not a blanket exemption. It is a calibration mechanism. And the institutions most likely to misapply it are the ones operating in the uncertain middle ground — large enough to have significant ICT dependencies, small enough to hope they qualify for lighter requirements.

Article 4: The Proportionality Principle

Art. 4(1) states that financial entities shall implement the DORA requirements "in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations."

Three factors determine where an entity falls on the proportionality spectrum:

Size. Total assets, headcount, revenue, and market share. Larger entities face more intensive requirements because their failure has wider systemic implications.

Overall risk profile. The entity's ICT dependency, its exposure to cyber threats, the criticality of its services to the financial system and to consumers, and its interconnectedness with other financial entities and infrastructure.

Nature, scale and complexity. A fintech with a single cloud-native product has a different complexity profile from a universal bank with legacy core banking, multiple data centers, and hundreds of ICT third-party arrangements. The nature of the services — whether payment-critical, market-critical, or supporting basic retail banking — also factors in.

Proportionality is assessed by national competent authorities, not self-declared. An entity that treats itself as proportionally lighter without NCA validation risks a supervisory finding — and a requirement to remediate to the full framework standard.

Article 16: The Simplified ICT Risk Management Framework

Art. 16 establishes a distinct, simplified framework for entities that meet specific criteria. The simplified framework is not a different regulation — it is a lighter implementation of the same principles, with reduced documentation, testing, and governance requirements.

Who Qualifies

Art. 16(1) identifies the entity types eligible for the simplified framework:

  • Small and non-interconnected investment firms (as defined in Art. 12(1) of Regulation (EU) 2019/2033)
  • Payment institutions exempted under Directive (EU) 2015/2366 (PSD2 Art. 32(1))
  • Institutions exempted under Directive 2013/36/EU (CRD exemptions)
  • Electronic money institutions exempted under Directive 2009/110/EC (Art. 9(1))
  • Small institutions for occupational retirement provision (below applicable thresholds)

The common thread is size and systemic significance. These are entities whose failure, while consequential for their customers, would not trigger cascading effects across the financial system. They have simpler technology landscapes, fewer ICT third-party dependencies, and lower volumes of sensitive data processing.

Critically, qualifying for the simplified framework is based on regulatory classification, not self-assessment. An entity must fall within the defined categories in Art. 16(1) or be explicitly designated by its NCA.

What "Simplified" Actually Means

The simplified framework under Art. 16(2) reduces the depth and formality of several requirements, but maintains the core obligations:

ICT risk management framework (Art. 16(2)(a)): Simplified entities must still maintain a framework for ICT risk management, but with lighter documentation requirements. The framework must cover identification of risks, protection measures, detection capabilities, response procedures, and recovery plans — but the level of formal governance (committees, multi-tier approval) is proportionally reduced.

Governance (Art. 16(2)(b)): The management body retains responsibility for ICT risk management (the Art. 5 principle applies regardless of proportionality), but the reporting frequency and depth can be reduced. Annual reporting rather than quarterly may be sufficient. However, major incident notification to the board remains mandatory and immediate.

ICT systems documentation (Art. 16(2)(c)): Simplified entities must document their ICT systems but with less granularity than the full asset register required under Art. 8. A simplified inventory focusing on critical systems, key dependencies, and essential security controls may suffice — but it must still be maintained and current.

Business continuity (Art. 16(2)(d)): Continuity plans are still required, but proportionate to the entity's complexity. An entity with a single office and cloud-based infrastructure has different continuity requirements than one with multiple data centers and on-premises legacy systems.

Testing (Art. 16(2)(e)): Simplified entities are subject to lighter testing requirements. They are not expected to conduct threat-led penetration testing (TLPT) under Art. 26 or maintain comprehensive testing programmes. However, basic testing of critical systems and recovery procedures remains expected.

Third-party risk (Art. 16(2)(f)): The register of information (Art. 28(3)) obligation applies regardless of proportionality. Even simplified entities must maintain a record of their ICT third-party arrangements. The concentration risk assessment may be lighter, but the register itself is non-negotiable.

What Is NOT Simplified

Several DORA requirements apply in full regardless of proportionality status:

  • Incident reporting (Art. 17-23): Major ICT incident classification and reporting obligations are identical for simplified and full-framework entities. A major incident at a small payment institution triggers the same four-hour notification requirement as one at a G-SIB.
  • Register of information (Art. 28(3)): All financial entities must maintain the ICT third-party register.
  • Management body accountability (Art. 5): The board's responsibility for ICT risk management is not proportionally reduced. Board members of simplified entities must still maintain adequate knowledge and skills.
  • Information sharing (Art. 45): Participation in information-sharing arrangements is encouraged regardless of entity size.

The Risk of Over-Reliance on Simplified Status

The simplified framework is a proportionate starting point, not a safe harbor. Several dynamics can erode its applicability:

Growth and Complexity Creep

An entity that qualified for simplified status at DORA's application date may outgrow it. Acquisition of a competitor, expansion into new markets, adoption of complex technology (AI-driven risk assessment, real-time payment processing), or significant growth in customer base can shift the entity's risk profile beyond the simplified framework's appropriateness.

Art. 4(2) explicitly empowers NCAs to require "a level of ICT risk management that goes beyond what is laid down in Article 16" if the entity's risk profile warrants it. This is a discretionary supervisory power — the NCA does not need the entity's agreement to upgrade its requirements.

Supervisory Expectations

Even within the simplified framework, supervisors may hold expectations that exceed the minimum text of Art. 16. If an NCA observes that a simplified entity has experienced repeated ICT incidents, has significant cloud dependencies, or processes high volumes of sensitive personal data, it may conclude that the simplified framework is insufficient and require enhanced measures.

The proportionality principle works in both directions. Requirements must be proportionate to risk — but if risk is higher than the entity's classification suggests, proportionality demands more, not less.

Third-Party Contagion

A small institution operating under the simplified framework may have a critical dependency on a single cloud provider. If that provider also serves dozens of other financial entities, the small institution's ICT risk has systemic implications that its simplified classification does not capture. NCAs are increasingly aware of this concentration dynamic and may adjust proportionality assessments accordingly.

Practical Guidance: Navigating Proportionality

Step 1: Confirm your classification. Verify with your NCA whether your entity qualifies for the simplified framework under Art. 16(1). Do not self-classify — regulatory status must be validated.

Step 2: Implement the simplified framework fully. Being eligible for simplified requirements does not mean doing the minimum imaginable. Implement Art. 16(2) requirements comprehensively within their simplified scope. A well-implemented simplified framework demonstrates maturity; a poorly implemented one invites supervisory escalation.

Step 3: Monitor your risk profile. If your entity's size, complexity, or ICT dependencies are growing, proactively assess whether the simplified framework remains appropriate. Voluntary adoption of full-framework elements before NCA direction demonstrates proactive governance.

Step 4: Invest in fundamentals. Regardless of proportionality status, invest in the capabilities that matter most: a current ICT asset inventory, tested recovery procedures, structured incident management, and a maintained third-party register. These are the foundations of any resilience framework, simplified or full.

Step 5: Document your proportionality rationale. Maintain a documented assessment of why the simplified framework is appropriate for your entity, including the factors considered (size, risk profile, nature of services) and the date of last review. This document will be valuable during supervisory dialogue.

Step 6: Prepare for escalation. Build your governance and operational processes with the awareness that your NCA can upgrade your requirements at any time under Art. 4(2). Using a purpose-built platform like Valendir that supports both simplified and full-framework implementations ensures that escalation from simplified to full compliance is an operational adjustment, not a crisis.

The Strategic View

Proportionality is a feature of DORA, not a loophole. It exists to prevent small entities from being crushed by compliance costs designed for global systemically important institutions. But it also exists to ensure that every financial entity — regardless of size — maintains a baseline of digital operational resilience that protects its customers, its counterparts, and the financial system.

The institutions that navigate proportionality well will be those that implement the simplified framework with the same rigor that large institutions apply to the full framework — just at a proportionate scale. The institutions that treat simplified status as permission to do the bare minimum will find that supervisory expectations have a way of rising to meet the risks that the entity has chosen to ignore.


This guide reflects DORA Regulation (EU) 2022/2554 and the ESA RTS on simplified ICT risk management as applicable in Q1 2026. Readers should consult their NCA for jurisdiction-specific proportionality assessments and thresholds.

