The classic trap
Article 4 is deceptively reassuring: it suggests that small financial entities can apply DORA in a minimal way. That is wrong. Proportionality is not an exemption, it is an obligation to justify. The CSSF does not sanction the fact of having a lighter setup, it sanctions the inability to demonstrate why that setup is proportionate to your size, your risk profile and the complexity of your operations. A CSSF-regulated fintech or an AIFM that invokes proportionality without a documented analysis file ends up defenceless during the consistency review of the ICT risk management framework (Art. 6(5) and 16(2)).
The practical trap: proportionality is never a self-declaration
The recurring mistake is treating proportionality as a discretionary internal choice. The CSSF, which explicitly takes its application into account (Art. 4(3)), expects traceability. The following must be documented:
- The written justification of the overall risk profile adopted, with the quantitative and qualitative criteria used (asset volume, service criticality, ICT dependencies).
- The exact scope of the simplifications claimed under Chapters II, III, IV and V Section I, article by article.
- The distinction between rules that expressly allow proportionality and those that apply in full (the simplified framework of Art. 16 is reserved for eligible entities).
- The articulation with CSSF circulars 20/750 (amended by 25/881) on ICT risk management and 22/806 (amended by 25/883) on outsourcing, which set the local expected standard.
- The evidence of periodic review of this analysis, since a risk profile evolves as the entity grows.
Note: as DORA is lex specialis for the financial sector, it prevails over NIS 2 for the same entities (Art. 1). A financial entity cannot fall back on a lighter NIS 2 framework to escape the rigour of DORA.
How Luxgap automates this risk
Our Luxgap Proportionality Justifier turns proportionality from a fragile argument into a file that holds up before the CSSF. The tool computes your overall risk profile from your real data (ICT asset register, third-party provider mapping, criticality of important functions) and automatically generates the article-by-article justification of the simplifications you can legitimately claim, with no manual form to fill in.
- Computes an overall risk profile score from your connected systems (Active Directory, Microsoft Defender, outsourcing register, CMDB inventory) and matches it against the eligibility thresholds for the simplified framework of Article 16.
- Classifies each requirement of Chapters II to V according to whether it allows proportionality or applies in full, drawing on the DORA text and CSSF circulars 20/750 and 25/882.
- Generates the proportionality justification note per article, ready to annex to the ICT risk management framework submitted to the CSSF.
- Alerts in real time when your growth (new assets, new services, new ICT dependencies) shifts your risk profile and invalidates a previously claimed simplification.
- Produces a timestamped, sealed PDF report, usable during the consistency review under Articles 6(5) and 16(2), demonstrating that every proportionality choice rests on a dated analysis.
Available as a complement to a Luxgap CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real risk profile, with a free blind audit within 48h to measure your exposure before any commitment.