According to Article 4 of DORA (the EU Digital Operational Resilience Act):

  1. Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.
  2. In addition, the application by financial entities of Chapters III, IV and V, Section I, shall be proportionate to their size and overall risk profile, and to the nature, scale and complexity of their services, activities and operations, as specifically provided for in the relevant rules of those Chapters.
  3. The competent authorities shall consider the application of the proportionality principle by financial entities when reviewing the consistency of the ICT risk management framework on the basis of the reports submitted upon the request of competent authorities pursuant to Article 6(5) and Article 16(2). [Emphasis added.]

But what does that mean in practice? Andrew Pattison, who leads our product development relating to DORA, explains.

What is the proportionality principle?

What does ‘proportionality’ mean under DORA?

The proportionality principle is so short that it’s easy to gloss over, but it’s fundamental to DORA.

It says that financial entities need to implement reasonable measures only – measures that are proportionate to the organisation’s size, business activities, and so on.

Could you be more specific?

Financial entities must manage their ICT risks in a way that’s proportionate to their:

  • Size
  • Overall risk profile
  • Services, activities and operations

The same applies to the rules around ICT-related incident management and reporting, digital operational resilience testing, and managing ICT third-party risk – entities must comply with them in a way proportionate to their size, overall risk profile, etc.

How do you know whether what you’re doing is proportionate?

How can financial entities determine whether what they’re doing is ‘reasonable’ or ‘proportionate’ under DORA?

Good question – and one that’s difficult to answer right now.

The key is that the organisation’s measures mitigate its risks, but the details are down to the competent authority’s interpretation of this principle. As the Regulation says:

“The competent authorities shall consider the application of the proportionality principle by financial entities when reviewing the consistency of the ICT risk management framework on the basis of the reports submitted upon the request of competent authorities pursuant to Article 6(5) and Article 16(2).”

In other words, the competent authorities will evaluate whether the financial entity’s ICT risk management framework is effective and proportionate. And since there are 27 authorities – 1 for each member state – there’s every chance that we’re going to see 27 different interpretations.

Furthermore, we won’t really know how this principle is going to be interpreted by any authority until organisations start getting things wrong, and authorities take enforcement action.

Whether or not you like it, that’s how these things work.

 

Is the proportionality principle a ‘get out of jail free’ card?

Can organisations decide to not comply with DORA on grounds of proportionality?

No, you can’t decide to not do an activity required by DORA by pointing to proportionality.

‘Proportionality’ in DORA means you still have to do the things required – like that ICT risk management framework – but it’s got to be proportionate to your organisation’s size and risk.

Suppose, for example, that you have just one ICT supplier. You can’t then go: “Well, I only have one supplier, so I’m not going to bother putting them on my register of information.”

You still need to include them on your register and share it with the competent authority, but it’s a far smaller job than for an organisation with, say, 200 ICT suppliers. That’s what proportionality really means – it’s not a ‘get out of jail free’ card.

It’s not unlike control selection in ISO 27001: you can exclude controls from Annex A that don’t apply to you, but you can’t exclude a control on the basis that implementing it is ‘too difficult’.

What if you’re a microenterprise? Or subject to the simplified ICT risk management framework [Article 16]?

That’s a perfect example of proportionality: you still have to comply with DORA, but can do so in a simpler way than, say, a multinational bank.

With the simplified ICT risk management framework, for example, which applies to exempt entities – mostly based on size – Article 16(1) says those organisations must:

put in place and maintain a sound and documented ICT risk management framework that details the mechanisms and measures aimed at a quick, efficient and comprehensive management of ICT risk, including for the protection of relevant physical components and infrastructures

Compare that to the ‘main’ ICT risk management framework required by Article 6(1):

Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.

Again, it’s very much like ISO 27001: you still have to implement applicable controls, but in a proportionate way.

Next steps

So, until we start seeing enforcement action, what should financial entities do today?

For the time being, the best thing organisations can do is document their decisions and decision-making processes so they can justify them later, should they be subject to an audit or investigation.

That’s for proportionality. What about DORA compliance in general?

The key to DORA is risk management – which is also crucial to standards and laws like ISO 27001, NIS 2 [the Network and Information Systems 2 Directive], the GDPR [General Data Protection Regulation], and many others.

But compliance aside, most organisations literally couldn’t do business if their ICT wasn’t working properly or they lost access to critical services or data.

That means protecting those ICT assets is critical. And regardless of what drives your information security project, risk management is easier to achieve when based on a best-practice framework like ISO 27001.

So, that’s the starting point I’d recommend.

Need help implementing ISO 27001?

Trust a company that has mastered information security.

Having led the world’s first ISO 27001 certification project, we’ve been at the forefront of information security from the onset.

If you’re looking for guidance, practical advice or consultation, we can help.

About Andrew Pattison

Andrew has 30 years’ experience in information security and risk management, having worked in GRC since 1994. He also holds an MSc in Information Systems Management, as well as CISM® and CRISC® certifications. Now, he’s our global head of GRC and PCI consultancy, where among other responsibilities he leads product development relating to DORA, as well as the organisation’s ISO 27001 training courses.