The EU’s Digital Operational Resilience Act (DORA) aims to manage digital risks in the financial sector and build financial institutions’ resilience against IT-related disruptions, threats and cyberattacks. DORA applies to a wide range of financial entities, including occupational pension schemes having more than 15 members. Trustees of these schemes will need to implement several changes ahead of the compliance deadline of 17 January 2025.
Application
DORA places responsibility for ensuring a financial entity’s compliance with the legislation on that entity’s management body – in the case of an occupational pension scheme, its trustees. Trustees will bear ultimate responsibility for compliance, including where their scheme’s Information and Communications Technology (ICT) functions are outsourced to a third-party provider.
Pension schemes having more than 15 but fewer than 100 members will be subject to a simplified ICT risk management framework. These schemes will be exempt from the requirement to perform advanced testing of ICT systems and the requirement to adopt a strategy on ICT third-party risk.
Risk assessment framework
DORA requires trustees to design and maintain an ICT risk management framework for their scheme and put in place comprehensive internal governance to support this framework. This includes:
- Building disaster recovery procedures and continuity plans
- Creating communication policies
- Carrying out adequate reviews to ensure improvements are made following significant issues
- Periodically testing ICT risk frameworks and addressing any deficiencies
The first step to designing an ICT risk management framework will be identifying the scheme’s ICT risks. Trustees will already be familiar with carrying out own-risk assessments, which should include cyber security risks, under the requirements of the European Union (Occupational Pension Schemes) Regulations 2021 (IORP II). However, it is worth noting that DORA risk assessment frameworks will require an uplift of a scheme’s existing frameworks to meet the new legislation’s requirements.
ICT services contracts and outsourcing
Trustees will need to review any outsourcing contracts with third-party ICT providers. DORA requires outsourcing contracts to contain certain provisions with the aim of standardising terms and conditions to manage third party risk where this is practicable. Trustees should bear in mind, in this context, the requirements laid down in IORP II in relation to the content and notification of outsourcing arrangements.[1] However, DORA’s scope is wider in that it includes the use of ICT Services, broadly defined, and may cover the procurement of services not previously thought to come under the definition of “outsourced”.
Digital operational resilience testing
Under DORA, pensions trustees will be required to carry out testing to assess the effectiveness of their preventive, detection, response and recovery capabilities and to uncover and address potential ICT vulnerabilities. Testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements to more advanced testing by means of threat-led penetration testing for pensions schemes having more than 100 members.
Incident management and reporting
Trustees are required to establish a robust incident management policy that includes adopting early warning mechanisms and ensuring the suitable classification of issues. Trustees will have to report major incidents to the Pensions Authority.
Conclusion
DORA will require the trustees of occupational pension schemes to take a number of actions in advance of the 17 January 2025 deadline. Trustees should familiarise themselves with the requirements under DORA, considering their new obligations alongside the pre-existing IORP II framework. Trustees should identify their ICT risks and review their existing ICT risk management framework, uplifting it to meet the DORA requirements. A review of existing contractual arrangements with third-party ICT service suppliers will also be necessary to ensure that DORA standards are met.
For more information and expert guidance, contact a member of our Pensions team.
People also ask
What is DORA? |
DORA is the EU’s Digital Operational Resilience Act. It deals with digital operational resilience for the financial sector. |
Who needs to comply with DORA? |
DORA applies to all financial entities, which includes occupational pension schemes having more than 15 members. |
What are DORA requirements? |
DORA imposes requirements for financial entities regarding risk assessment frameworks, ICT incident management and reporting, information exchange, outsourcing contract arrangements, and digital operational resilience testing. |
[1] European Union (Occupational Pension Schemes) Regulations 2021 (SI No. 128/2021), section 64AM; Pensions Authority guidance note: ‘Own-risk assessment guidance for trustees’, para 7.
