DORA Article 16: the simplified regime is lighter, not optional¶
So far this series has walked the full ICT risk management framework, Articles 5 to 15. Article 16 is for the entities that do not have to do all of that. It is proportionality written into the regulation. It is also widely misread as an exemption, which it is not. Today, who qualifies for the simplified framework, and what they still have to do.
Who Article 16 is for¶
Article 16(1) is precise about scope. Articles 5 to 15 "shall not apply to" a defined list: small and non-interconnected investment firms, payment institutions exempted under Directive (EU) 2015/2366, certain exempted credit institutions, electronic money institutions exempted under Directive 2009/110/EC, and small institutions for occupational retirement provision. If you are not on that list, this article is not your door. If you are, you move from the full framework to a simplified one, not to nothing.
The distinction matters because "we are small, DORA is lighter for us" is only true if you actually fall inside 16(1). Plenty of firms assume they qualify and do not. Check the list against your own authorisation before you scope anything down.
What "simplified" actually requires¶
Article 16 still demands a sound ICT risk management framework. It lists the obligations in compressed form: a framework with the mechanisms and tools to protect systems, continuous monitoring, minimising impact, prompt detection of anomalous activity, mapping ICT third-party dependencies, business continuity and recovery measures, testing, and follow-up on the conclusions from tests and incidents. Read that list next to Articles 5 to 15 and you see the same skeleton, fewer bones.
The detail lives in RTS 2024/1774 Title III, Articles 28 to 41. It is a parallel, scaled-down version of the full RTS: Article 28 governance and organisation, Article 29 information security policy, Article 30 classification of assets, Article 31 ICT risk management, on through operations security, business continuity and a review report. The simplified framework has its own structure, and it is worth reading Title III directly rather than trying to shrink Title II in your head.
The detail worth knowing¶
Here is the part that catches people. RTS Article 28 brings governance, and it also carries internal audit and follow-up obligations into the simplified regime, even though the Level 1 text of Article 16 does not spell those out in the same way. Proportionality reduces the volume of controls. It does not remove the discipline of governing them, auditing them, and acting on what the audit finds.
So the honest summary of Article 16 is: a smaller entity does less, documents less, and tests less, but it still has to be able to show a supervisor a governed, reviewed, tested framework. Lighter is not absent.
The artefact: am I in the simplified regime?¶
A first-pass scoping check. Any yes to the first question sends you to Title III, not out the door.
| Question | Where it points |
|---|---|
| Are you on the Article 16(1) list (small non-interconnected investment firm, exempted PI or EMI, etc.)? | If yes, simplified regime (RTS Title III) |
| If no | Full framework, Articles 5 to 15, RTS Title II |
| Simplified: do you have governance and a named risk owner? | RTS Art. 28 |
| Simplified: asset classification in place? | RTS Art. 30 |
| Simplified: continuity plan and testing? | RTS Arts. 39 to 40 |
| Simplified: internal audit and follow-up running? | RTS Art. 28, do not skip |
The official Title III text is linked from the DORA resource library.
Next in this series: Chapter III, incident management and reporting, where the clocks start and the deadlines are measured in hours.