Occupational retirement provision update: One more year to implement DORA


Starting from 17 January 2025, the European Union’s Digital Operational Resilience Act (DORA) will also apply to institutions for occupational retirement provision (IORPs). DORA aims to enhance the operational resilience of financial entities by setting high security standards for network and information systems that support their business processes. This is part of a broader effort to strengthen the EU financial market against cyber risks.

As a regulation, DORA does not require further transposition into national law. The requirements of DORA, which now must be implemented within a year, are quite extensive. IORPs are already subject to several guidelines on governance issues under the Federal Financial Supervisory Authority’s (BaFin) Minimum Requirements on the System of Governance of Institutions for Occupational Retirement Provision (“Minimum Requirements on Governance Systems for IORPs”). DORA will further consolidate the regulatory network regarding cybersecurity-related organisational obligations.

Scope of application

DORA applies to the financial entities named in its Article 2(1). These include traditional credit institutions, payment institutions and insurance and reinsurance undertakings. However, in principle IORPs also fall within DORA’s scope of application. An exception applies if the IORP in question operates retirement schemes with fewer than 15 members in total.

For the definition of an IORP, DORA refers to Directive (EU) 2016/2341 (IORP Directive). Accordingly, pension funds and pension schemes are generally included in DORA’s scope of application. If insurers provide occupational retirement benefits, they are subject to DORA as insurance undertakings.

Requirements under DORA

DORA is characterised by the need for further specification through Implementing Technical Standards (ITS) and Regulatory Technical Standards (RTS). These standards are developed by the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA). The ESMA website provides further information on current and previous consultations. These legal acts will provide further legal clarity. Irrespective of this, however, IORPs can already prepare for the following DORA requirements:

  • ICT (information and communication technology) risk management: The addressees must introduce appropriate governance and organisation, which ultimately must be approved, monitored and accounted for by the management body. This governance should include strategies, guidelines and policies, procedures, ICT protocols and tools. There are simplifications for small IORPs (those with pension schemes with fewer than 100 members in total).
  • ICT third-party risk management: As the procurement of ICT services from third parties, such as cloud services or managed services, is increasing, DORA provides detailed requirements for this procurement process. Some of these requirements may already be familiar from the Minimum Requirements on Governance Systems for IORPs in relation to spin-offs. However, we expect that contracts will have to be renegotiated.
  • ICT incident reporting: As already known from legislation such as the Federal Office for Information Security Act (Bundesamt für Sicherheit in der Informationstechnik Gesetz, BSIG) or the GDPR, ICT-related incidents must be reported. As there is often uncertainty about who should do what in an emergency, we recommend having a clear and comprehensive emergency plan.
  • Digital operational resilience testing, including threat-led penetration testing: Financial organisations must establish and maintain a resilience testing programme. This programme should primarily include vulnerability assessments and scans as well as penetration tests. For particularly critical financial organisations, threat-led penetration tests are also required.

Extensive consultations are currently still underway, and the Federal Financial Supervisory Authority is also examining how to incorporate the requirements of DORA into its supervisory practice. The Federal Financial Supervisory Authority has issued several circulars that provide guidelines for IT in financial institutions, insurance companies, capital management firms and payment services providers. These circulars are known as the Supervisory Requirements for IT in Financial Institutions (Bankaufsichtliche Anforderungen an die IT, BAIT), the Insurance Supervisory Requirements for IT (Versicherungsaufsichtliche Anforderungen an die IT, VAIT), the Capital Management Supervisory Requirements for IT (Kapitalverwaltungsaufsichtliche Anforderungen an die IT, KAIT) and the Supervisory Requirements for IT at Payment Services Providers (Zahlungsdiensteaufsichtliche Anforderungen an die IT, ZAIT). These circulars are likely to remain significant in future. Further information from the supervisory authority and about its initial expectations can be found here. However, in view of the limited time frame for implementing DORA’s requirements, it is important for IORPs not to waste any time and instead acquaint themselves with DORA’s provisions.
