IRE PEN issued information note on Digital Operational Resilience Act (DORA) requirements for pension fund trustees, applicable from Jan. 17, 2025.
Follows Jul. 2024 IRE CB speech on urgency of implementing DORA, see #217976.
Schemes Subject to DORA
DORA requirements apply according to a scheme’s active and deferred membership.
Schemes with 100 or more active and deferred members are subject to all requirements.
Schemes with 16-99 active and deferred members are subject to most requirements.
However, a simplified version of the information and communication technology (ICT) risk management framework applies to these schemes.
Smaller schemes are also exempt from performing advanced testing of ICT systems and from having to adopt a strategy on ICT third-party risk.
Schemes with 15 or fewer active and deferred members are not subject to DORA.
Main Requirements
Documenting and maintaining a comprehensive ICT risk management framework, including ICT business continuity plans and policies, as part of the scheme's risk management system.
Identifying all sources of ICT risk and cyber threats on a continuous basis.
Ongoing monitoring of the security and functioning of the ICT systems relied on.
Effective management of ICT third-party risks, ensuring key contractual provisions are in place with service providers as per article 30 of DORA.
Maintaining a register of information on all contractual arrangements on the use of ICT services provided by third-party providers.
Managing and reporting major ICT-related incidents to the Pensions Authority and keeping a record of significant cyber threats.
Testing ICT systems supporting critical or important functions at least yearly.
Nov. 2024 Dedicated Website
On Nov. 28, 2024, IRE PEN issued a dedicated website page for information on DORA.
Any relevant updates from IRE PEN on DORA will be provided through this page.
Regulators
IRE PEN
Entity Types
Fiduciary; Pension
Reference
PR, 11/28/2024; PR, Gd, 7/29/2024; DORA Dir 2022/2556, Reg 2022/2554