As most trustees are now likely aware, the Digital Operational Resilience Act (EU) 2022/2554 (“DORA”) will apply to Irish occupational pension schemes from 17 January 2025. DORA is an EU regulation that aims to achieve uniform requirements across the EU for the security of network and information systems of companies and organisations operating in the financial sector. It creates a regulatory framework around digital operational resilience, whereby all financial entities need to make sure they can withstand, respond to and recover from all types of ICT-relates disruptions and threats.

While there is uncertainty in the industry regarding the scope of the application of DORA to pension scheme service providers, there are steps can begin to take prior to the 17 January 2025 implementation date.  As the matter continues to be debated and guidance from the Pensions Authority is awaited in this area, particularly on foot of a question relating to the interpretation of ICT services in scope of DORA and the extent of the exemption of regulated services (guidance on this point is expected from the ESAs imminently), trustees should be putting a plan in place which includes the following:

1. undertaking trustee training to understand trustee responsibilities under DORA;
2. appointing a relevant person to take ownership of ensuring compliance with DORA and oversight of the scheme’s ICT risk management framework (in most cases this is likely to be the scheme risk management key function holder);
3. preparing a list of any scheme activities that are supported by information and communication technology (“ICT”) systems and services and identify any third parties providing those ICT services to appropriately map the functions, providers, data and systems;
4. sharing a DORA preparedness questionnaire with any identified relevant providers;
5. putting in place DORA compliant contractual terms with those ICT service providers;
6. preparing a ICT risk management (DORA) framework (or updating existing scheme documents) to include: ICT operational resilience policy; ICT cyber security policy; Business continuity policy; and Incident response policy;
7. ensuring the scheme is in a position to be notified of major ICT incidents from providers or direct providers to report such incidents directly to the Pensions Authority in the DORA prescribed time limits (i.e 24 hours);
8. reviewing information and reporting content from ICT service providers to ensure that the trustees are sufficiently informed of any ICT risks.

As the DORA landscape continues to evolve, trustees should keep the Pensions Authority DORA page under review for updates. This is particularly the case in relation to the submission of the register of ICT service providers to Pension Authority, which is required of all schemes with 16 or more active and deferred members and must be submitted in the first week in April 2025.

Our Pensions Group are currently providing training on DORA to trustee boards and assisting with amending and preparing appropriate documentation. If you would like to receive trustee training on DORA at your next trustee meeting, or have any queries on DORA implementation or documentation, please reach out to your usual Arthur Cox contact or contact a member of the Pensions Group.

For more information, visit our DORA information page.