Source: OJ L 333, 27.12.2022, p. 1–79

Article 4: Proportionality principle

Summary: What does Article 4 of the DORA regulation say?

This article establishes the proportionality principle as it applies throughout DORA.

It makes clear that financial entities are not expected to apply the regulation's requirements in a one-size-fits-all manner; instead, compliance must be calibrated to each entity's size, risk profile, and the nature and complexity of its operations.

This principle runs across the ICT risk management rules in Chapter II, as well as the requirements in Chapters III, IV, and the first section of Chapter V.

Competent authorities are also brought into the picture, as they must factor in proportionality when reviewing an entity's ICT risk management framework.

Important points:

  • Implement the rules of Chapters II, III, IV, and V, Section I in a manner proportionate to your size, overall risk profile, and the nature, scale, and complexity of your services, activities, and operations.
  • Competent authorities are required to consider the proportionality principle when reviewing the consistency of a financial entity's ICT risk management framework.
  • This article acts as a cross-cutting interpretive lens for how obligations throughout the regulation should be applied.

The above is Springlex's summary of the article, a reading aid and not a substitute for the legal text, which follows.

    1. Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.

    2. In addition, the application by financial entities of Chapters III, IV and V, Section I, shall be proportionate to their size and overall risk profile, and to the nature, scale and complexity of their services, activities and operations, as specifically provided for in the relevant rules of those Chapters.

    3. The competent authorities shall consider the application of the proportionality principle by financial entities when reviewing the consistency of the ICT risk management framework on the basis of the reports submitted upon the request of competent authorities pursuant to Article 6(5) and Article 16(2).
