Article 4: Proportionality principle
To meet the Article 4 proportionality principle requirement, you must scale DORA Chapter II ICT risk management controls to your institution’s size, overall risk profile, and the nature, scale, and complexity of your services, activities, and operations, and be able to prove why your design choices are appropriate (Regulation (EU) 2022/2554, Article 4). Operationalize it by documenting a proportionality rationale, mapping it to control scope, and retaining evidence that controls run as designed.
Key takeaways:
- Proportionality is a documented design and scoping decision, not a justification for missing controls (Regulation (EU) 2022/2554, Article 4).
- Supervisors will test your rationale against your risk profile, service criticality, and operational complexity, then ask for evidence.
- Build a single register that ties Article 4 scoping to Chapter II controls, accountable owners, and the artifacts you can produce on demand.
Article 4 sets the tone for how competent authorities expect you to implement DORA’s ICT risk management obligations in Chapter II: with rigor, but scaled to your reality (Regulation (EU) 2022/2554, Article 4). For a Compliance Officer, CCO, or GRC lead, the practical problem is predictable: teams either overbuild controls “just in case,” or underbuild and try to defend gaps as “proportionate.” Both approaches create supervisory risk.
Proportionality should function like a control-scoping method that you can defend. You decide what “good” looks like for your organization based on size, overall risk profile, and the nature, scale, and complexity of what you do, then you show your work (Regulation (EU) 2022/2554, Article 4). That “show your work” component is where many programs fail: decisions happen informally, across security and operations, without a consolidated rationale or an evidence plan.
This page gives requirement-level guidance to operationalize Article 4 quickly: who must comply, how to translate the principle into scoping rules, what to document, what artifacts to retain, and how to prepare for exam questions with defensible, repeatable evidence.
Regulatory text
DORA Article 4(1) requires financial entities to implement the rules in Chapter II in accordance with the proportionality principle, considering (a) size and overall risk profile, and (b) the nature, scale, and complexity of services, activities, and operations (Regulation (EU) 2022/2554, Article 4).
What the operator must do
You must:
- Implement Chapter II controls (you cannot treat proportionality as optionality) (Regulation (EU) 2022/2554, Article 4).
- Define how you scale control design, depth, frequency, and governance based on the factors in Article 4(1) (Regulation (EU) 2022/2554, Article 4).
- Document and retain a rationale that links your scaling decisions to your risk profile and operational complexity, and keep evidence that the scaled controls operate (Regulation (EU) 2022/2554, Article 4).
Plain-English interpretation (what “proportionality” means in practice)
Article 4 is a “how” requirement. It does not add a new control by itself; it forces you to justify the intensity and scope of your Chapter II ICT risk management program.
A defensible proportionality position usually includes:
- Non-negotiable baseline: controls you implement across the organization because they are foundational to ICT risk management (e.g., governance, incident handling workflow, access management expectations).
- Risk-based scaling: stronger requirements for higher-impact services, sensitive data flows, critical processes, and higher reliance on third parties.
- Operational fit: controls are feasible to run; where you simplify, you compensate with monitoring, guardrails, or targeted assurance.
Supervisors tend to react badly to proportionality arguments that read like “we are small, so we skipped it.” A stronger argument reads like “we implemented the objective, but adjusted the method, scope, and frequency; here is the rationale and the evidence.”
Who it applies to (entity + operational context)
Entity scope
Article 4 applies to financial entities implementing DORA Chapter II ICT risk management rules (Regulation (EU) 2022/2554, Article 4). If you sit in a regulated group, treat proportionality as a group-wide method with local tailoring, so you can answer why one entity differs from another.
Operational scope (where it bites)
You will apply proportionality decisions across:
- ICT risk governance: committee structures, reporting depth, policy stack complexity, and management involvement.
- Control coverage: which systems/services are in scope, including outsourced and cloud services.
- Testing and assurance: how you test controls, validate remediation, and run readiness drills.
- Third-party risk management: how you segment third parties and scale diligence, contracting, and monitoring to concentration and criticality.
What you actually need to do (step-by-step)
Step 1: Define your proportionality factors and scoring method
Build a simple, repeatable rubric using the exact Article 4(1) factors as the spine (Regulation (EU) 2022/2554, Article 4):
- Size (organizational footprint relevant to ICT operations)
- Overall risk profile (business model risk, technology risk, threat exposure, reliance on third parties)
- Nature/scale/complexity of services, activities, operations (criticality, volume, heterogeneity, change rate)
Operator tip: Keep the rubric auditable. If two assessors score the same service, they should land in roughly the same tier.
Step 2: Create proportionality tiers tied to control depth
Define tiers such as “baseline / enhanced / critical.” For each tier, specify how you scale:
- Governance cadence and reporting granularity
- Control strictness (e.g., segregation requirements, approval gates)
- Testing depth (what “good evidence” means)
- Third-party diligence depth and ongoing monitoring intensity
Do not write tiers that result in “no control.” Write tiers that result in “simpler control” or “less frequent control,” and document compensating controls where needed.
Step 3: Map Chapter II obligations to controls, owners, and evidence
Create a single “DORA Chapter II control register” that includes:
- The control objective and control statement
- Accountable owner (named function, with a single accountable role)
- Systems/services in scope by tier
- Evidence artifacts (what you will show an examiner)
- How issues are tracked and closed
This is where Daydream typically earns its place: it can act as the system of record that ties the Article 4 proportionality rationale to control scope, accountable owners, and an evidence checklist you can produce under time pressure.
Step 4: Decide and document “what’s in scope” with a defensible rationale
For each major service line and each critical business process, document:
- Assigned proportionality tier and why
- Key ICT dependencies (including third parties)
- Control deltas from baseline and why those deltas are acceptable
- Approval path (who signed off)
Step 5: Implement a regulatory-response workflow
Stand up an internal workflow that covers:
- Intake of supervisory requests and deadlines
- Evidence gathering responsibilities
- Legal/compliance review and sign-off
- Escalation path for missing evidence and control gaps
- CAPA tracking and closure validation
This directly addresses a common Article 4 failure mode: “we have controls, but we can’t produce coherent evidence quickly.”
Step 6: Prove it operates: drills, remediation discipline, and evidence hygiene
Run periodic readiness drills and require:
- A finding log with owners and due dates
- Root-cause notes for repeat issues
- Validation evidence when items are closed (screenshots, tickets, test results, approvals)
Tie readiness drill results back to proportionality: higher tiers should show deeper testing and faster remediation expectations.
Required evidence and artifacts to retain
Keep artifacts that prove (1) your proportionality method exists, (2) it was applied consistently, and (3) controls operate.
Minimum evidence set
- Proportionality policy/standard (Article 4 rubric + tier definitions) (Regulation (EU) 2022/2554, Article 4)
- Service/system tiering decisions with rationale and approvals
- Chapter II control register with owners and mapped evidence
- Meeting minutes or governance packs showing oversight and decisions
- Evidence of control operation (samples): access reviews, incident runbooks, change approvals, backup test results, monitoring alerts, third-party due diligence packs
- CAPA log with closure validation evidence
- Regulatory-response playbook and request log
Common exam/audit questions and hangups
Expect questions that test whether proportionality is real or post-hoc:
- “Show me how you determined proportionality tiers, and who approved them.” (Regulation (EU) 2022/2554, Article 4)
- “Why is Service A tested less than Service B? Show the risk basis.”
- “Which third parties support your highest-tier services, and how did diligence scale?”
- “Produce evidence that scaled controls ran over time, not just a policy.”
- “Show remediation closure evidence and how you prevent recurrence.”
Hangup to plan for: teams can explain the rubric verbally, but cannot produce a traceable trail from rubric → tier decision → control scope → evidence.
Frequent implementation mistakes (and how to avoid them)
- Treating proportionality as a waiver. Fix: define a baseline control set that applies everywhere, then scale upward.
- No documented rationale for scoping choices. Fix: require written tiering justifications and approvals for each critical service/process.
- Fragmented evidence across tools and teams. Fix: maintain an evidence index per control with “source of truth” locations and an owner accountable for evidence completeness.
- Inconsistent tiering across similar services. Fix: use calibration sessions and periodic re-tiering when services change materially (new integrations, acquisitions, major outsourcing).
- Weak linkage to third-party risk. Fix: tier third parties based on the tier of the services they support and concentration risk, then align diligence depth.
Enforcement context and risk implications
No public enforcement cases were provided in the supplied sources, so you should assume supervisory scrutiny will focus on demonstrability: documented decisions and operating evidence (Regulation (EU) 2022/2554, Article 4). The risk is not only “missing controls,” but also “controls you cannot evidence,” and “scaling choices that contradict your actual risk profile” (for example, high outsourcing and complex operations paired with lightweight assurance).
Practical 30/60/90-day execution plan
First 30 days (stabilize scope and method)
- Publish a proportionality rubric and tier definitions aligned to Article 4(1) factors (Regulation (EU) 2022/2554, Article 4).
- Inventory key services, critical processes, and major ICT dependencies (include third parties).
- Stand up a Chapter II control register skeleton: control, owner, evidence placeholder.
By 60 days (apply tiers and make it auditable)
- Tier your top services/processes and document rationale + approvals.
- Populate the register with required evidence artifacts and where they live.
- Implement the regulatory-response workflow and a CAPA log with validation steps.
By 90 days (prove operation)
- Run a readiness drill: pick high-tier services, request evidence, time-box response, record gaps.
- Close gaps with tracked remediation and validation evidence.
- Produce an “exam pack” export (Daydream or equivalent): rubric, tiering decisions, control register, evidence index, and CAPA status.
Frequently Asked Questions
How do I prove we applied proportionality instead of making exceptions?
Keep a documented rubric based on Article 4(1) factors and show tiering decisions with approvals for each major service/process (Regulation (EU) 2022/2554, Article 4). Pair that with control evidence that matches the tier depth.
Can a small financial entity implement “lighter” controls?
Yes, scaling is permitted, but you still need to implement Chapter II rules in a proportionate way and retain rationale and evidence (Regulation (EU) 2022/2554, Article 4). “Lighter” should mean simpler methods, narrower scope, or reduced frequency, not missing objectives.
What’s the fastest way to operationalize Article 4 across multiple teams?
Build a single control register that includes owners and an evidence checklist, then require every team to map their controls and artifacts into it. A workflow tool like Daydream helps keep the mapping, request intake, and remediation tracking in one place.
How should proportionality affect third-party risk management?
Tier third parties based on the criticality of the services they support and your reliance on them, then scale diligence and monitoring accordingly. Document the linkage so your third-party approach matches your overall proportionality rationale (Regulation (EU) 2022/2554, Article 4).
What evidence is most often missing during audits?
Programs often have policies but lack operating evidence: control test results, remediation closure validation, and a clean trail from tiering decisions to control scope. Build an evidence index per control and run readiness drills to find gaps early.
How often should we revisit proportionality tiers?
Revisit tiers when there is material change: new outsourcing, acquisitions, major technology migrations, or changes in critical services. Also review tiers on a scheduled cadence tied to your governance rhythm so decisions do not go stale.