Understanding the Proportionality Principle in DORA: A Balancing Act for Financial Entities
If you’re familiar with the EU Digital Operational Resilience Act (DORA), you’ll know it is framed in prescriptive language. However, within its detailed mandates, it also includes principles like this:
“Financial entities shall use and maintain updated ICT systems, protocols, and tools that are appropriate to the magnitude of operations supporting the conduct of their activities, by the proportionality principle as referred to in Article 4.”
In essence, Article 4 instructs financial entities to implement DORA’s requirements in a way that takes into account their size, overall risk profile, scale, and the type of services and operations they conduct. That’s a lot of subjectivity to work with.
This isn’t new for those well-versed in cyber security risk management. We’ve been using risk profiling to shape our security programmes for years. The term criticality is second nature to us. We’ve developed methodologies to quantify business impact and are accustomed to the language of threats, vulnerabilities, and controls, ensuring that security measures are proportionate to the risks we calculate.
Applying the Right Level of Resources
One key challenge for organisations is understanding how much resource allocation is required to meet DORA’s requirements. Some organisations may assume they need to dedicate extensive resources to compliance when, under the proportionality principle, they may fall into a category that demands a more measured approach. The thresholds outlined in DORA ensure that smaller or less complex organisations are not overburdened but instead apply a level of security and resilience appropriate to their specific risk landscape.
Conversely, organisations must also avoid underestimating their obligations. While proportionality provides flexibility, it does not mean minimal compliance. Each entity must carefully assess its position within the regulatory framework and ensure that its resource allocation is justified, efficient, and aligned with its true risk exposure.
For Mature Governance and Risk Functions
The subjectivity in DORA’s proportionality principle should be manageable for financial entities with well-established governance and risk management approaches. Many larger organisations already have the methodologies in place to assess risks in a structured manner – and to implement controls that are aligned with their risk profiles. These organisations will naturally integrate DORA’s requirements into their risk frameworks without much friction.
For Less Mature Organisations: No Easy Escape
However, for less experienced organisations or those without robust risk governance structures, the proportionality principle might seem like a loophole for a ‘light-touch’ approach. Some may attempt to use Article 4 as a justification for minimal compliance, arguing that they are tailoring their strategy according to their size and risk profile. In the long run, this approach won’t hold up under scrutiny.
Why? Because any decisions made under the proportionality principle (Article 4) will require backing up with sound logic and evidence. And to provide that evidence, organisations must:
- Conduct thorough risk assessments
- Apply reasoned judgment about security decisions
- Develop clear documentation detailing exactly how they arrived at their conclusions.
Without these elements, regulatory bodies are likely to challenge whether an organisation has genuinely applied DORA’s proportionality principle in good faith.
Best Endeavours vs. Reasonable Endeavours
A helpful way to think about DORA compliance is in terms of best endeavours versus reasonable endeavours, a distinction often seen in legal compliance. Regulators won’t necessarily expect perfection, but they will expect an organisation to demonstrate that it has taken its obligations seriously. This means that even if some aspects of an organisation’s approach are later deemed to be flawed, it must be able to show that it acted with diligence, applied the right level of resources based on its risk environment, and made informed decisions throughout the process.
Failing to provide evidence of effort and structured thinking will make it challenging to claim proportionality as a defence in the event of an audit. Organisations must ensure they can substantiate their decision-making processes, proving that they acted in good faith and aligned their approach to the risk profile they determined.
The Opportunity within DORA
DORA is more than just another regulatory requirement—it represents a real opportunity. If approached correctly, it can act as a catalyst for significant improvements in:
- Operational resilience
- Cyber security and risk governance
- Risk management effectiveness
- An organisation’s ability to withstand external scrutiny.
When treated with care and respect, the proportionality principle allows organisations to implement DORA efficiently and in accordance with their unique risk landscape. However, it should never be misinterpreted as an excuse to do the bare minimum.
Different Approaches for Different Organisations
How an organisation reacts to DORA will depend heavily on its nature and business model. Large multinational financial entities with complex infrastructures will inevitably need a more rigorous and layered approach than smaller, more niche firms. However, regardless of size, the fundamental expectation remains the same:
Assess criticality and risk. Document your decisions. Be prepared to justify them.
The proportionality principle within DORA offers flexibility, but with flexibility comes responsibility. Organisations that properly leverage this principle will find themselves in a stronger position—not just for compliance but overall operational resilience. Conversely, those who see it as an easy way out may face increased regulatory scrutiny.
DORA challenges financial entities to prove they have taken a structured, risk-based approach to ICT and cyber security resilience. Whether you are a large or small entity, you must navigate the subjectivity of proportionality with diligence, ensuring that your security measures are appropriate, evidence-based, and defensible in the face of evolving threats and regulatory oversight.