Proportionality & Exemptions
Proportionality Principle
DORA applies the proportionality principle: requirements shall be proportionate to the size, risk profile, and complexity of the financial entity concerned.
Simplified ICT Risk Management Framework (Art. 16)
Microenterprises may apply a simplified ICT risk management framework. This includes:
- Documentation of all ICT-supported business functions and associated risks
- Protection of all ICT systems against the most common cyber threats
- Ensuring physical security and environmental protection
- Access control for ICT systems
- Mechanisms for timely detection of anomalous activities
- Business continuity measures and backup strategies
- Review and lessons learned following ICT incidents
Exemptions by Entity Type
| Entity Size | Exemptions |
|---|---|
| Microenterprise (≤ 10 employees, ≤ EUR 2 million) | Simplified risk framework (Art. 16), no TLPT; third-party risk (Chapter V) still applies in full |
| Art. 16 entities (specifically named in Art. 16(1)) | Simplified risk framework, limited testing obligations (no TLPT); eligibility is entity-type-specific, not purely size-based |
| All others | Full scope |
BaFin Supervisory Communication (21.08.2025)
BaFin has published guidance on implementing the simplified ICT risk management framework, including specific documentation requirements for eligible entities.
BAUER GROUP Classification
BAUER GROUP, as an ICT service provider, does not directly benefit from the proportionality principle, because DORA requirements reach it indirectly through client contracts. However, clients subject to the simplified framework impose less demanding contractual requirements; this is addressed through tiered contract modules.
Contractual Tiering
Recommendation: Prepare two contract modules:
- Standard module – For microenterprises and simplified framework
- Premium module – For systemically important financial entities with full DORA scope