Recital 36

Proportionality principle

Notwithstanding the broad coverage envisaged by this Regulation, the application of the digital operational resiliencethe ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions rules should take into account the significant differences between financial entitiesas defined in Article 2, points (a) to (t) in terms of their size and overall risk profile. As a general principle, when distributing resources and capabilities for the implementation of the ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment management framework, financial entitiesas defined in Article 2, points (a) to (t) should duly balance their ICT-related needs to their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations, while competent authoritiesas defined in Article 46 should continue to assess and review the approach of such distribution.