Multi-Framework Mapping Rules

Irish pension trustees operate at the intersection of multiple regulatory frameworks simultaneously. IORP II imposes governance and operational risk obligations. GDPR governs the processing of member personal data. DORA applies ICT resilience requirements to financial entities and their ICT providers. ISO 27001 provides the information security management framework that underpins operational resilience. These frameworks overlap significantly — but they are not identical, and they are not administered by the same regulator. Managing them as separate compliance workstreams is inefficient and creates gaps. PensionPortal.ai’s multi-framework approach maps all obligations onto a single control spine, enabling evidence reuse and demonstrating integrated compliance.

The Multi-Framework Challenge

IORP II

EU Directive 2016/2341, transposed as S.I. 128/2021. Primary Irish pensions governance framework. Supervised by the Pensions Authority.

GDPR

EU Regulation 2016/679. Governs processing of all personal data, including pension member data. Supervised by the Irish Data Protection Commission (DPC).

DORA

EU Regulation 2022/2554. Digital Operational Resilience Act. ICT risk and resilience framework for financial entities, including IORPs. Application date: 17 January 2025.

ISO 27001:2022

International standard for Information Security Management Systems. Not a legal obligation but provides the structured framework that maps to all three regulatory obligations above.
A trustee who treats these as four separate compliance workstreams will:
  • Duplicate evidence collection (the same access log satisfies IORP II, GDPR, and DORA)
  • Miss the connections between frameworks (a GDPR DPIA covers ICT risk relevant to DORA)
  • Create inconsistencies when explaining their compliance posture to different audiences
PensionPortal.ai solves this by maintaining a single, mapped evidence base.

PensionPortal.ai Mapping Methodology

Our methodology has a clear hierarchy:
  1. IORP II as the primary spine. All Irish pension scheme governance obligations derive from IORP II as transposed by S.I. 128/2021. Every compliance obligation is first mapped to the relevant IORP II Article and its Irish implementation reference. This ensures the compliance posture is grounded in the trustee’s primary legal obligation.
  2. GDPR as an overlay on personal data processing. GDPR obligations attach wherever IORP II compliance activities involve processing member personal data, which is almost universally. The GDPR overlay maps each IORP II-driven processing activity to the relevant GDPR lawful basis, data subject right, and processor obligation.
  3. DORA as an overlay on ICT risk. DORA obligations attach to the ICT systems and third-party ICT providers that support IORP II compliance. The DORA overlay maps IORP II operational risk requirements (Article 21) and outsourcing provisions (Article 31) to the specific DORA ICT risk management chapters.
  4. ISO 27001/27002 as the control reference. ISO 27002 controls provide the implementation-level detail for the security and operational risk obligations imposed by IORP II, GDPR, and DORA. Where a control satisfies multiple frameworks, this is documented explicitly.

Common Control Areas: Where One Control Serves Multiple Frameworks

A single access management control — implementing Role-Based Access Control (RBAC), MFA, and privileged access management — satisfies:
  • IORP II Article 21 (S.I. 128/2021, Reg. 21): Operational risk management requires adequate internal controls including access restrictions
  • IORP II Article 23 (Reg. 23): KFH separation of duties requires that individuals with conflicting functions cannot access each other’s domains
  • GDPR Article 25: Data protection by design requires access controls that prevent unauthorised processing
  • GDPR Article 32: Technical security measures for processing must include access controls
  • DORA Article 9: ICT access management is an explicit requirement of the ICT risk management framework
  • ISO 27002 A.8.2: Privileged access rights control
Evidence reuse: a single access log export and RBAC configuration document satisfies all of the above.
Immutable audit logs — capturing all user actions, administrative operations, and data access — satisfy:
  • IORP II Article 26 (S.I. 128/2021, Reg. 26): Internal audit function requires an audit trail
  • IORP II Article 21 (Reg. 21): Accountability as part of the system of governance
  • GDPR Article 5(2): Accountability principle — the controller must be able to demonstrate compliance
  • GDPR Article 30: Records of processing activities include evidence of processing operations
  • DORA Article 8: ICT risk management requires logging of ICT operations for root cause analysis and incident investigation
  • ISO 27002 A.8.15: Logging control
Evidence reuse: the platform audit log export is a single artifact that serves all frameworks.
A single incident management process and playbook satisfies:
  • IORP II Article 21 (S.I. 128/2021, Reg. 21): Operational risk management must include incident management
  • GDPR Article 33: Data breach notification to DPC within 72 hours
  • GDPR Article 34: Data breach communication to affected data subjects where high risk
  • DORA Articles 17-23: ICT-related incident classification, management, and reporting to competent authority (Pensions Authority for IORPs)
  • ISO 27002 A.5.24-A.5.28: Incident management controls
Evidence reuse: the incident register, post-incident reviews, and DPC/Pensions Authority notification records are a single evidence set serving all frameworks.
Business continuity and disaster recovery planning satisfies:
  • IORP II Article 30 (S.I. 128/2021, Reg. 30): Continuity planning is an explicit written policy requirement
  • DORA Article 11: ICT business continuity management — RTO, RPO, crisis communications, business impact analysis
  • DORA Articles 24-27: Digital operational resilience testing including BCM testing
  • ISO 27002 A.5.30: ICT readiness for business continuity
Evidence reuse: BCM plan, BIA, DR test records, and RTO/RPO validation serve all three frameworks.
Data protection technical and organisational measures satisfy:
  • IORP II Article 29 (S.I. 128/2021, Reg. 29): Written policy on data strategy and protection
  • GDPR Article 5: Data protection principles (integrity and confidentiality)
  • GDPR Article 25: Data protection by design and by default
  • GDPR Article 32: Security of processing (encryption, pseudonymisation, resilience)
  • DORA Article 9: ICT security including data confidentiality and integrity
  • ISO 27002 A.8.24: Cryptography; A.8.11: Data masking
Evidence reuse: encryption configuration, architecture documentation, and DPIA serve all frameworks.

Crosswalk Reference Pages

The detailed, article-by-article crosswalks for each framework are maintained as separate reference pages:

How to Use the Mapping in Practice

For evidence collection: Before collecting evidence for an audit or regulatory enquiry, consult the mapping rules to identify which single artifact satisfies multiple obligations. This prevents producing four separate documents where one will do.

For gap analysis: When a control gap is identified (for example, an access review has not been performed), the mapping rules show the full regulatory consequence: it is not just an ISO 27001 gap but simultaneously an IORP II operational risk gap, a GDPR Article 25 gap, and a DORA Article 9 gap. This enables proportionate prioritisation of remediation.

For regulator conversations: When the Pensions Authority enquires about operational risk management under Article 21 of IORP II, the mapping rules enable you to demonstrate that the scheme’s approach to ICT risk is simultaneously aligned with DORA (the EU-wide ICT resilience standard) and ISO 27001 (the international information security standard). This demonstrates a systematic, not ad hoc, approach to risk management.

For the evidence pack: The PensionPortal.ai Evidence Pack (see Evidence Pack Generation Runbook) assembles multi-framework evidence into a single, structured export. The mapping rules govern which artifacts are included for each framework.
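The mapping methodology and the gap-analysis and evidence-pack uses described above, as an added Python illustration that is not PensionPortal.ai's own code: a toy control spine holding three of the page's common control areas, a check that every control is anchored in IORP II first (methodology rule 1), the cross-framework consequence of a single failed control, and the deduplicated artifact set that makes up one framework's evidence pack. The control identifiers and artifact names are assumed labels; the article references are the ones listed on this page.

```python
"""Toy control spine for this page's mapping methodology: each control lists the
obligations it satisfies per framework and the evidence artifacts proving it.
Mappings are the page's; the code is an added illustration, not PensionPortal.ai's."""
FRAMEWORKS = ("IORP II", "GDPR", "DORA", "ISO 27002")  # IORP II is the spine

# Constructed subset of the page's common control areas (assumed identifiers).
CONTROL_SPINE = {
    "access-management": {
        "evidence": {"access log export", "RBAC configuration document"},
        "obligations": {
            "IORP II": ["Art. 21 (Reg. 21)", "Art. 23 (Reg. 23)"],
            "GDPR": ["Art. 25", "Art. 32"],
            "DORA": ["Art. 9"],
            "ISO 27002": ["A.8.2"],
        },
    },
    "audit-logging": {
        "evidence": {"platform audit log export"},
        "obligations": {
            "IORP II": ["Art. 26 (Reg. 26)", "Art. 21 (Reg. 21)"],
            "GDPR": ["Art. 5(2)", "Art. 30"],
            "DORA": ["Art. 8"],
            "ISO 27002": ["A.8.15"],
        },
    },
    "incident-management": {
        "evidence": {"incident register", "post-incident reviews",
                     "DPC/Pensions Authority notification records"},
        "obligations": {
            "IORP II": ["Art. 21 (Reg. 21)"],
            "GDPR": ["Art. 33", "Art. 34"],
            "DORA": ["Arts. 17-23"],
            "ISO 27002": ["A.5.24-A.5.28"],
        },
    },
}

def unanchored_controls(spine=CONTROL_SPINE):
    """Methodology rule 1: every control must be grounded in IORP II first."""
    return [c for c, d in spine.items() if not d["obligations"].get("IORP II")]

def gap_consequence(control, spine=CONTROL_SPINE):
    """Full regulatory consequence of a failed control, IORP II spine first."""
    obs = spine[control]["obligations"]
    return [(f, obs[f]) for f in FRAMEWORKS if obs.get(f)]

def evidence_pack(framework, spine=CONTROL_SPINE):
    """Deduplicated artifacts proving one framework's obligations (evidence reuse)."""
    return sorted({a for d in spine.values() if d["obligations"].get(framework)
                   for a in d["evidence"]})
```

Because every artifact is attached to a control rather than to a framework, one export of the access log lands in the IORP II, GDPR, DORA and ISO 27002 packs alike, which is the evidence reuse the page describes.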
The multi-framework mapping is maintained as a living document within PensionPortal.ai and updated when legislation changes, new regulatory guidance is issued, or platform architecture changes affect control implementation. Trustees should ensure they are referencing the current version of each crosswalk, not a cached copy from a prior period.