Financial entities, which include institutions for occupational retirement provision (IORPs[1]) that have 15 or more participants, must comply with the European Union’s (EU’s) Digital Operational Resilience Act (DORA) by January 17, 2025. DORA is intended to strengthen the EU financial sector's resilience against cyber attacks and other information and communication technology (ICT) disruptions, harmonize ICT risk management regulations across EU member states, and improve communication and information sharing between financial institutions and regulators. DORA was enacted in 2022 as a regulation, meaning that it applies to EU member states without the need for transposition into domestic law. Individual countries may, however, release local implementation guidance (e.g., as Ireland’s Pension Authority and Germany’s financial regulator — BaFin — both did in July 2024).
Similarly, in 2021 the U.S. Department of Labor (DOL) issued cybersecurity requirements for plan sponsors and other stakeholders of employee benefit plans to safeguard plan data, personal information and plan assets. On September 6, 2024, the DOL released updated guidance to confirm that the 2021 requirements apply to all benefit plans, including health and welfare plans.
DORA and its supporting regulatory technical standards set out extensive detailed requirements for financial entities to establish policies and procedures, organized under five core pillars:
The management body of a financial entity is responsible for implementing DORA’s requirements. For IORPs, the Pension Foundation Board (or equivalent) is considered the relevant management body, while employer sponsors are clear stakeholders. Employers can bring their direct experience in establishing similar policies and procedures for their own business, and can plan and take action to ensure compliance by the January 17, 2025 deadline. IORPs with 15 to 99 members are subject to somewhat lesser requirements under DORA (i.e., they are exempt from performing advance testing of ICT systems and from adopting a strategy on ICT third-party risk).