DORA Crosswalk
The Digital Operational Resilience Act (DORA — EU Regulation 2022/2554) entered application on 17 January 2025. It establishes a harmonised framework for ICT risk management across EU financial entities, replacing a patchwork of sector-specific ICT guidance with binding, directly applicable requirements.
DORA Applicability to Pension Schemes
DORA Article 2 defines “financial entities” in scope. Institutions for Occupational Retirement Provision (IORPs) are explicitly included in the scope of DORA, subject to the following:
Full scope: IORPs with more than 15 members are subject to the full DORA framework.
Proportionate regime: IORPs with 15 members or fewer benefit from a simplified regime under Article 16 — proportionate requirements for ICT risk management.
The Pensions Authority is the competent authority for IORPs in Ireland for DORA purposes, consistent with its role as the IORP II supervisory authority.
PensionPortal.ai as an ICT third-party service provider: PensionPortal.ai provides ICT services to Irish pension schemes. Depending on the materiality of those services, PensionPortal.ai may qualify as a critical ICT third-party service provider (CTPP) subject to direct oversight by the European Supervisory Authorities (ESAs) under DORA Chapter V. We monitor CTPP designation criteria and will notify affected customers of any change in status.
DORA’s Five Pillars: PensionPortal.ai Coverage
Pillar 1: ICT Risk Management (Articles 5–16)
The ICT risk management framework (ICTRM) must be documented, board-approved, and integrated into the scheme’s overall risk management system (IORP II Article 22). It must cover: ICT risk identification, protection, detection, response, and recovery.
PensionPortal.ai support: The Risk module provides a dedicated ICT risk register. The ORA module incorporates ICT risk as a sub-category of operational risk for Article 28 purposes. The Operations module hosts the ICT continuity plan with documented RTO/RPO.
Pillar 2: ICT-Related Incident Management (Articles 17–23)
Financial entities must establish and maintain ICT incident management processes, including: incident detection and classification, escalation procedures, and notification of major ICT incidents to the competent authority (Pensions Authority) within prescribed timeframes.
Major incident classification: Article 18 defines major ICT incidents requiring regulatory notification. Criteria include: number of affected clients, duration of service disruption, geographic spread, data loss, criticality of disrupted services, and economic impact.
PensionPortal.ai support: Incident detection and alerting; severity classification aligned to DORA Article 18 criteria; Pensions Authority notification workflow; post-incident reporting templates aligned to DORA Article 19 requirements.
Pillar 3: Digital Operational Resilience Testing (Articles 24–27)
Financial entities must maintain a digital operational resilience testing programme covering: basic testing (vulnerability assessments, network security assessments, gap analyses, software testing), and for significant entities, threat-led penetration testing (TLPT) under Article 26.
PensionPortal.ai support: Annual independent penetration testing; quarterly vulnerability scanning; automated SAST in CI/CD; application security scanning. Test results and remediation evidence are available to trustees as part of the platform security documentation pack.
Pillar 4: ICT Third-Party Risk Management (Articles 28–44)
Financial entities must maintain a register of all ICT third-party service providers, assess the risk of each provider, and ensure written contractual arrangements include the mandatory provisions under Article 30 (including: service description, data locations, security standards, incident notification obligations, audit rights, exit provisions).
PensionPortal.ai support: The Outsourcing Register supports documentation of ICT third-party providers. PensionPortal.ai’s own contractual terms with customers include all Article 30 mandatory provisions. A sub-processor list is maintained with security assessments.
Pillar 5: Information and Intelligence Sharing (Article 45)
DORA encourages (but does not mandate) participation in cyber threat intelligence sharing arrangements among financial entities.
PensionPortal.ai approach: We monitor relevant threat intelligence channels including ENISA advisories, NCSC-IE feeds, and financial sector ISACs. Material threat intelligence relevant to platform security or customer risk is shared via platform security advisories.
DORA Article-by-Article Crosswalk
| DORA Article | Chapter | Requirement | PensionPortal.ai Approach | Evidence |
|---|---|---|---|---|
| Article 5 | ICT Risk Management | Governance and organisation: board responsibility for ICT risk strategy, oversight, and accountability | ICT risk section in Governance module; board-level ICT risk reporting template | Board ICT risk report; governance documentation |
| Article 6 | ICT Risk Management | ICT risk management framework: documented, integrated with overall risk management; protection, detection, response, recovery | ICT risk register in Risk module; integration with ORA module | ICT risk register export; ICTRM documentation |
| Article 7 | ICT Risk Management | ICT systems, protocols, and tools: inventory, lifecycle management, security classification | Asset inventory functionality; system classification documentation | Asset register; classification matrix |
| Article 8 | ICT Risk Management | Identification: continuous identification, classification, and documentation of ICT-related risks and assets | Continuous vulnerability monitoring; CVE feed integration | Vulnerability scan reports; risk identification records |
| Article 9 | ICT Risk Management | Protection and prevention: access management, physical security, cryptography, data security, software security | RBAC, MFA, AES-256, WAF, SAST — all implemented | Security configuration documentation; penetration test reports |
| Article 10 | ICT Risk Management | Detection: anomaly detection, monitoring, logging | Immutable audit logs; Sentry error monitoring; anomaly alerting | Audit log exports; alert configuration; monitoring dashboards |
| Article 11 | ICT Risk Management | Response and recovery: ICT business continuity policy, crisis management, RTO/RPO | Business continuity plan with RTO 4h / RPO 1h; documented recovery procedures | BCM plan; DR test results; RTO/RPO validation |
| Article 12 | ICT Risk Management | Backup and recovery: documented backup policy, regular backups, backup testing, immutable backups | Daily encrypted backups; immutable backup storage; quarterly restoration tests | Backup configuration; restoration test records |
| Article 13 | ICT Risk Management | Learning and evolving: post-incident reviews, threat-led improvements to ICTRM | Post-incident review process; ICTRM annual review; improvement tracking | Post-incident reports; ICTRM review records |
| Article 17 | Incident Management | Classification of ICT incidents and cyber threats: major vs non-major classification | Incident severity classification aligned to DORA Article 18 criteria | Incident register with severity classifications |
| Article 18 | Incident Management | Major ICT incident criteria: client impact, duration, data loss, geographic spread, criticality | Automated severity scoring against Article 18 criteria in incident module | Incident assessment records |
| Article 19 | Incident Management | Reporting of major ICT incidents to competent authority: initial, intermediate, and final reports | Pensions Authority notification workflow; report templates aligned to DORA Article 19(4) | Notification records; Pensions Authority correspondence |
| Article 24 | Resilience Testing | General digital operational resilience testing programme: vulnerability assessments, network security assessments, gap analyses | Annual pen testing; quarterly vulnerability scanning; automated SAST | Pen test reports; vulnerability scan results; SAST reports |
| Article 26 | Resilience Testing | Advanced testing via TLPT (Threat-Led Penetration Testing): for significant IORPs | TLPT programme in development for customers that require it; coordination with DORA-qualified testers | TLPT reports (where applicable) |
| Article 28 | Third-Party Risk | General principles for ICT third-party risk management: risk-based assessment, register | Outsourcing register; third-party security assessment process | Outsourcing register; security assessment records |
| Article 30 | Third-Party Risk | Contractual arrangements with ICT third-party providers: mandatory provisions including security standards, audit rights, incident notification, exit provisions | PensionPortal.ai DPA and Terms of Service include all Article 30 mandatory provisions | DPA; Terms of Service; sub-processor list |
| Article 45 | Intelligence Sharing | Cyber threat information sharing arrangements | Threat intelligence monitoring; customer security advisories | Advisory publications; threat monitoring records |
DORA and IORP II: The Relationship
DORA does not replace IORP II’s governance requirements — it supplements them with specific ICT risk requirements. The relationship:
| IORP II Obligation | DORA Supplement |
|---|---|
| Article 21 — System of governance (operational risk) | DORA Articles 5-16 — detailed ICT risk management framework |
| Article 22 — Risk management system | DORA Article 6 — ICTRM as sub-system of overall risk framework |
| Article 28 — Own risk assessment | DORA Article 6(8) — ICT risk as explicit ORA sub-category |
| Article 30 — Continuity planning | DORA Article 11 — ICT business continuity policy |
| Article 31 — Outsourcing | DORA Articles 28-44 — ICT third-party risk management |
For IORP II-compliant schemes, the most efficient approach is to treat DORA compliance as an extension of the existing IORP II governance framework — adding the ICT-specific requirements to the risk register, the ORA, the continuity plan, and the outsourcing register — rather than creating a parallel DORA compliance workstream. PensionPortal.ai’s integrated approach supports this.