Article 16: Simplified ICT risk management framework

Article 16 says Articles 5–15 of DORA do not apply to certain low-impact financial entities, so your job is to (1) confirm you qualify, (2) document that determination, and (3) implement a right-sized ICT risk framework anyway to meet the remaining DORA duties. This is a scoping and evidence discipline requirement. (Regulation (EU) 2022/2554, Article 16)

Key takeaways:

  • Treat Article 16 as a formal applicability decision that must be defensible, documented, and kept current. (Regulation (EU) 2022/2554, Article 16)
  • “Simplified” does not mean “no ICT risk management”; it means you are carved out of Articles 5–15, not out of DORA entirely. (Regulation (EU) 2022/2554, Article 16)
  • Your core artifacts are an eligibility memo, an applicability matrix, and a lightweight control set mapped to what still applies to you. (Regulation (EU) 2022/2554, Article 16)

If you are a small or exempt financial entity, Article 16 is the clause you want to get right early because it dictates whether you must implement the full ICT risk management framework in Articles 5–15 or whether you can operate with a simplified approach. Operationally, this becomes a gating decision that affects your program scope, your board reporting load, your policy set, your control testing plan, and how you respond to regulator questions about DORA readiness. (Regulation (EU) 2022/2554, Article 16)

Most teams fail Article 16 in only two ways: they assume they qualify without a documented basis, or they treat the carve-out as permission to avoid ICT governance basics (asset inventory, incident handling, third-party oversight). Examiners rarely care that you used the word “simplified”; they care that you can show a clear, current, evidence-backed determination and that the controls you kept are appropriate to your ICT footprint and third-party dependencies. (Regulation (EU) 2022/2554, Article 16)

This page focuses on fast operationalization: what to decide, who must sign off, what to build, and what evidence to retain so you can defend your “simplified” posture under supervisory review.

Regulatory text

What the law says (paraphrased, with the operative words quoted): Article 16 states that Articles 5 to 15 of DORA “shall not apply” to the following categories: small and non-interconnected investment firms; certain exempt payment institutions; certain exempt credit institutions (depending on Member State choices under DORA’s scope mechanics); exempt electronic money institutions; and small institutions for occupational retirement provision. (Regulation (EU) 2022/2554, Article 16)

What an operator must do with this text

  1. Determine whether your legal entity (or entities) falls into one of the listed categories. (Regulation (EU) 2022/2554, Article 16)
  2. If yes, record that Articles 5–15 are out of scope for you, and define what “simplified ICT risk management framework” means in your environment so you still manage ICT risk credibly. (Regulation (EU) 2022/2554, Article 16)
  3. If no, treat Articles 5–15 as in scope and do not claim simplification under Article 16. (Regulation (EU) 2022/2554, Article 16)

Source: Regulation (EU) 2022/2554, Article 16; full context in Regulation (EU) 2022/2554.

Plain-English interpretation (requirement-level)

Article 16 is a scope carve-out: if you qualify as one of the listed small/exempt entity types, you are not required to implement the full DORA ICT risk management framework described in Articles 5–15. (Regulation (EU) 2022/2554, Article 16)

Your practical obligation is to:

  • Prove eligibility (entity classification + exemption status + “small and non-interconnected” where relevant). (Regulation (EU) 2022/2554, Article 16)
  • Document the resulting program scope (an applicability matrix that shows what you consider in scope and out of scope). (Regulation (EU) 2022/2554, Article 16)
  • Run a minimal-but-real ICT risk framework sized to your technology and third-party dependencies, so you can show disciplined governance even under a simplified posture. (Regulation (EU) 2022/2554, Article 16)

Who it applies to (entity + operational context)

Article 16 applies if you are one of these:

  • Small and non-interconnected investment firms. (Regulation (EU) 2022/2554, Article 16)
  • Payment institutions exempted under Directive (EU) 2015/2366 (PSD2). (Regulation (EU) 2022/2554, Article 16)
  • Certain exempt credit institutions under Directive 2013/36/EU (CRD), where a Member State has decided not to apply the option referenced in Article 2(4) of DORA. (Regulation (EU) 2022/2554, Article 16)
  • Electronic money institutions exempted under Directive 2009/110/EC (EMD). (Regulation (EU) 2022/2554, Article 16)
  • Small institutions for occupational retirement provision. (Regulation (EU) 2022/2554, Article 16)

Operational contexts where Article 16 decisions matter most:

  • You are implementing DORA and need to know whether to build the full governance stack (multi-policy suite, full control testing cadence, expanded reporting) or a reduced set. (Regulation (EU) 2022/2554, Article 16)
  • You rely heavily on third parties (cloud, core banking/portfolio platforms, managed security), and you need a defensible rationale for how your simplified posture still controls outsourced ICT risk. (Regulation (EU) 2022/2554, Article 16)
  • You operate multiple EU entities and need entity-by-entity scoping. A single group-level assumption applied to every entity is a common failure mode. (Regulation (EU) 2022/2554, Article 16)

What you actually need to do (step-by-step)

Step 1: Make an eligibility determination you can defend

Create an “Article 16 Eligibility Memo” with:

  • Legal entity list in scope for DORA assessment (by name). (Regulation (EU) 2022/2554, Article 16)
  • Entity type mapping to the Article 16 categories above. (Regulation (EU) 2022/2554, Article 16)
  • Evidence of exemption status where relevant (PSD2/EMD/CRD exemptions). (Regulation (EU) 2022/2554, Article 16)
  • For investment firms, your rationale for “small and non-interconnected” status, stated plainly and backed by internal records. (Regulation (EU) 2022/2554, Article 16)

Governance: have Compliance draft, Legal validate, and the accountable executive sign (often the CCO plus the operational owner of ICT risk). Keep version history. (Regulation (EU) 2022/2554, Article 16)

Step 2: Build a DORA applicability matrix (one page, but precise)

Create a table with rows for key DORA themes and columns:

  • “In scope (Yes/No)”
  • “Basis (Article 16 carve-out or other)”
  • “Owner”
  • “Evidence location”

Explicitly mark: “Articles 5–15: Not applicable due to Article 16 eligibility” for qualifying entities. (Regulation (EU) 2022/2554, Article 16)

Step 3: Define your simplified ICT risk framework (minimum viable, operator-ready)

Even if Articles 5–15 do not apply, you still need a credible internal framework. Use an established control structure to avoid inventing one:

  • ISO/IEC 27001 control domains for information security governance and risk treatment, scaled down.
  • NIST CSF functions (Identify, Protect, Detect, Respond, Recover) as a simple organizing model.

Keep the framework lightweight:

  • A short ICT risk policy (scope, roles, risk appetite statement at a high level, exception handling).
  • A risk register covering key ICT services and critical third parties.
  • A small control set with owners (patching, access control, backups, incident handling, change management, third-party reviews).
    Tie each control to evidence you can produce quickly.

Step 4: Put accountability and operating rhythm on paper

Supervisors look for clear ownership because ambiguity kills execution. Establish:

  • RACI for ICT risk decisions (security, IT operations, third-party owner, compliance).
  • A recurring risk review forum with minutes and action tracking (even if small).
  • A remediation workflow: issue, owner, due date, validation evidence, closure approval.

This aligns with common supervisory expectations around traceability and remediation discipline, and it directly addresses the common risk factors of unclear accountability and fragmented evidence. (Regulation (EU) 2022/2554, Article 16)

Step 5: Evidence-readiness drills (tabletop, not theater)

Run periodic internal “regulator-ready” checks:

  • Can you produce your eligibility memo in one request?
  • Can you show your simplified framework, top ICT risks, and the last remediation closures?
  • Can you show third-party oversight artifacts for key providers?

Daydream can help here without forcing a heavyweight program: use it to maintain a single register that maps Article 16 scoping decisions to owners and evidence pointers, and to run readiness drills with tracked corrective actions.

Required evidence and artifacts to retain (exam-ready list)

Minimum set to keep centrally stored and version-controlled:

  • Article 16 Eligibility Memo (signed, dated, with version history). (Regulation (EU) 2022/2554, Article 16)
  • DORA Applicability Matrix (entity-by-entity). (Regulation (EU) 2022/2554, Article 16)
  • Simplified ICT risk framework document (policy + roles + exceptions).
  • ICT risk register (top risks, inherent/residual view if you use it, treatment decisions).
  • Third-party inventory for ICT-relevant providers and a record of due diligence depth decisions.
  • Remediation tracker with closure evidence (tickets, test results, approvals).
  • Readiness drill outputs (agenda, minutes, issues list, closure evidence).

Common exam/audit questions and hangups

Expect these lines of questioning:

  • “Show me why you believe Articles 5–15 do not apply to you.” Bring the memo and exemption support. (Regulation (EU) 2022/2554, Article 16)
  • “Which entities in your group rely on Article 16, and which do not?” Auditors dislike blanket assertions. (Regulation (EU) 2022/2554, Article 16)
  • “What controls did you keep, and why are they appropriate to your ICT footprint and third parties?” Your simplified framework must still look intentional. (Regulation (EU) 2022/2554, Article 16)
  • “How do you know the framework is operating?” Provide meeting minutes, remediation closures, and recent evidence.

Hangups that slow audits:

  • The exemption basis is “known in the business” but not documented.
  • Evidence is spread across IT, security, procurement, and legal drives with no index.

Frequent implementation mistakes (and how to avoid them)

  1. Treating Article 16 as a one-time decision.
    Fix: add a trigger-based review (entity change, licensing change, new product line, new interconnected dependency). Keep a dated re-validation note. (Regulation (EU) 2022/2554, Article 16)

  2. Assuming “small” equals eligible.
    Fix: eligibility hinges on the legal category and exemption status, not just headcount or revenue. Anchor everything to the Article 16 list. (Regulation (EU) 2022/2554, Article 16)

  3. No entity-by-entity scoping.
    Fix: publish an applicability matrix per regulated entity. Group-level statements belong in an appendix only. (Regulation (EU) 2022/2554, Article 16)

  4. Simplified framework with no proof of operation.
    Fix: keep minutes, action logs, and closure evidence. Small programs still need a control trail.

  5. Third-party risk ignored because “Articles 5–15 don’t apply.”
    Fix: maintain a third-party inventory and a due diligence standard proportional to the services’ criticality to your operations.

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for Article 16, so you should plan for examination-style scrutiny rather than case-law pattern matching.

Risk implications that matter in practice:

  • If you claim Article 16 incorrectly, you may under-build your DORA program and face remediation orders or supervisory findings tied to gaps in governance and evidence. (Regulation (EU) 2022/2554, Article 16)
  • If you qualify but cannot prove it, you will still spend time and credibility in supervisory interactions defending scope.

A practical 30/60/90-day execution plan (without calendar promises)

First 30 days (Immediate)

  • Identify candidate entities that might rely on Article 16; assign an owner for the determination. (Regulation (EU) 2022/2554, Article 16)
  • Draft the Eligibility Memo and collect exemption documentation from Legal/Regulatory Affairs. (Regulation (EU) 2022/2554, Article 16)
  • Publish a first-pass DORA Applicability Matrix and store it in a controlled repository. (Regulation (EU) 2022/2554, Article 16)

Next 60 days (Near-term)

  • Write the simplified ICT risk policy and define RACI across IT/Security/Compliance/Third-party owners.
  • Stand up a lightweight risk register covering key services and critical third parties.
  • Implement a regulatory-response workflow: intake, assignment, escalation, approvals, evidence packaging.

By 90 days (Operationalize and prove)

  • Run an evidence-readiness drill: produce memo, matrix, risk register, third-party inventory, and remediation examples on request.
  • Create a remediation tracker with clear closure criteria and validation evidence requirements.
  • Move the program into an operating rhythm: recurring review forum, minutes, and action tracking.

If you need to keep this tight across many entities and third parties, Daydream is a practical system of record for mapping Article 16 scoping decisions to controls, owners, and evidence pointers, and for running readiness drills with tracked corrective actions.

Frequently Asked Questions

Do we have to do anything if we qualify for Article 16?

Yes. You must document that you qualify and keep an applicability record showing Articles 5–15 are out of scope for your entity. You still need a simplified ICT risk framework that is real and demonstrably operating. (Regulation (EU) 2022/2554, Article 16)

Can we claim Article 16 at a group level?

Treat it as an entity-by-entity decision. Groups often contain mixed regulated entities, and auditors will ask which legal entities rely on Article 16 and why. (Regulation (EU) 2022/2554, Article 16)

What evidence best supports “small and non-interconnected” for an investment firm?

Keep internal records that support the classification and a clear written rationale in your eligibility memo. Make it reproducible: a reviewer should be able to follow your logic without interviewing staff. (Regulation (EU) 2022/2554, Article 16)

If Articles 5–15 don’t apply, can we skip third-party oversight?

Don’t. Your operational resilience still depends on third parties, and examiners will still expect you to understand and manage outsourced ICT risk even under a simplified posture. (Regulation (EU) 2022/2554, Article 16)

How do we keep the Article 16 decision current?

Add review triggers tied to licensing changes, mergers, new regulated activities, or major ICT architecture shifts. Each review should result in a dated re-validation note or an updated memo. (Regulation (EU) 2022/2554, Article 16)

What’s the fastest way to get “audit-ready” for Article 16?

Produce three items: a signed eligibility memo, an applicability matrix, and a single index that points to evidence for your simplified controls (risk register, third-party inventory, remediation tracker). Store them in one controlled location. (Regulation (EU) 2022/2554, Article 16)
