Source: OJ L 333, 27.12.2022, p. 1–79
Current language: EN
Article 4 Proportionality principle
Summary
What does Article 4 of the DORA regulation say?
This article establishes the proportionality principle as it applies throughout DORA.
It makes clear that financial entities are not expected to apply the regulation's requirements in a one-size-fits-all manner; instead, compliance must be calibrated to each entity's size, risk profile, and the nature and complexity of its operations.
This principle runs across the ICT risk management rules in Chapter II, as well as the requirements in Chapters III, IV, and the first section of Chapter V.
Competent authorities are also brought into the picture, as they must factor in proportionality when reviewing an entity's ICT risk management framework.
Important points:
- Implement the rules of Chapters II, III, IV, and V, Section I in a manner proportionate to your size, overall risk profile, and the nature, scale, and complexity of your services, activities, and operations.
- Competent authorities are required to consider the proportionality principle when reviewing the consistency of a financial entity's ICT risk management framework.
- This article acts as a cross-cutting interpretive lens for how obligations throughout the regulation should be applied.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.
In addition, the application by financial entities of Chapters III, IV and V, Section I, shall be proportionate to their size and overall risk profile, and to the nature, scale and complexity of their services, activities and operations, as specifically provided for in the relevant rules of those Chapters.
The competent authorities shall consider the application of the proportionality principle by financial entities when reviewing the consistency of the ICT risk management framework on the basis of the reports submitted upon the request of competent authorities pursuant to Article 6(5) and Article 16(2).
Relevant recitals
Recital 21 Baseline requirements with proportional application and supervision
In order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. The digital operational resilience baseline for financial entities should be increased while also allowing for a proportionate application of requirements for certain financial entities, particularly microenterprises, as well as financial entities subject to a simplified ICT risk management framework. To facilitate an efficient supervision of institutions for occupational retirement provision that is proportionate and addresses the need to reduce administrative burdens on the competent authorities, the relevant national supervisory arrangements in respect of such financial entities should take into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations even when the relevant thresholds established in Article 5 of Directive (EU) 2016/2341 of the European Parliament and of the Council(10) are exceeded. In particular, supervisory activities should focus primarily on the need to address serious risks associated with the ICT risk management of a particular entity.
Competent authorities should also maintain a vigilant but proportionate approach in relation to the supervision of institutions for occupational retirement provision which, in accordance with Article 31 of Directive (EU) 2016/2341, outsource a significant part of their core business, such as asset management, actuarial calculations, accounting and data management, to service providers.
Recital 36 Proportionality principle
Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resilience rules should take into account the significant differences between financial entities in terms of their size and overall risk profile. As a general principle, when distributing resources and capabilities for the implementation of the ICT risk management framework, financial entities should duly balance their ICT-related needs to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations, while competent authorities should continue to assess and review the approach of such distribution.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.