DORA Sector Guide

DORA for Institutions for Occupational Retirement Provision (IORPs)

DORA operational resilience for occupational pension funds, built for lean, heavily outsourced schemes that depend on third-party administrators, asset managers and custodians.

National Competent Authorities supervise IORPs in each Member State (for example BaFin in Germany, DNB in the Netherlands, and the pensions or financial-conduct authority elsewhere), with EIOPA coordinating at EU level, issuing guidelines and maintaining the cross-border IORP register.

Institutions for occupational retirement provision are named as financial entities under DORA (Regulation (EU) 2022/2554, Article 2(1)(k)), so the digital operational resilience rules that govern banks and insurers also reach pension funds. DORA has applied since 17 January 2025, and an IORP that is in scope must now evidence a board-owned ICT risk framework, incident reporting, resilience testing and contractual oversight of the technology providers that keep member benefits flowing.

For IORPs this lands differently than for most other financial entities. Pension funds are typically small, run by lean boards and tiny in-house teams, and they outsource almost everything that touches technology: scheme administration to third-party administrators, investment to external asset managers, safekeeping to custodians and record-keeping to specialist platforms. DORA recognises this reality through proportionality and a Member-State exemption for the smallest schemes, but where it applies it forces the outsourced ICT chain into a governed framework so that a provider outage, a member-data breach or a delayed benefit payment is anticipated, contained and reported rather than discovered after the fact.

Is your firm in scope?

IORPs are DORA financial entities under Article 2(1)(k), but coverage is not uniform across the EU because Article 2(3) lets each Member State exempt the smallest schemes: notably IORPs operating pension schemes that together have fewer than 15 members in total, and IORPs that fall below the size threshold in Article 5 of the IORP II Directive (schemes with fewer than 100 members in total) which a Member State may choose to disapply from IORP II and, by extension, from DORA. Because this is a Member-State option rather than an automatic EU-wide carve-out, an IORP must check its own national transposition to know whether it is in or out, and a fund just over a threshold can be fully in scope. Where DORA does apply, Article 4 proportionality scales the expectations to the IORP's size, nature, scale and complexity, so a small single-employer scheme that outsources everything carries lighter internal-control expectations than a large multi-employer fund, yet no in-scope IORP escapes the core ICT risk, incident-reporting and third-party rules.

How DORA fits your existing regime

The IORP II Directive (Directive (EU) 2016/2341) already requires an effective system of governance, the three key functions (risk management, internal audit and actuarial) and, importantly, controls over outsourcing under Article 31, including the duty not to impair governance, increase operational risk or undermine supervision when activities are delegated. DORA acts as the cross-sectoral lex specialis that deepens the ICT dimension of those duties: rather than running two parallel programmes, an IORP should map its IORP II governance and Article 31 outsourcing arrangements onto DORA's five pillars so a single control set serves both. The risk-management key function naturally owns the DORA ICT risk framework, internal audit tests it, and the existing outsourcing register and due-diligence process becomes the backbone of DORA's register of information and third-party clauses. The practical challenge unique to IORPs is doing this with very little in-house IT, which makes third-party governance and proportionate documentation the dominant workstreams.

What DORA means for Institutions for Occupational Retirement Provision (IORPs)

Heavy reliance on third-party administrators

Most IORPs delegate scheme administration, contribution collection, member record-keeping and benefit calculation to a third-party administrator (TPA) running its own ICT platform. DORA's third-party rules (Articles 28-30) require the TPA to be inventoried in the register of information, risk-assessed for concentration and substitutability, and held to contractual audit, access and exit rights, because the IORP remains accountable even though it owns little of the technology.

The small-IORP exemption and proportionality

Article 2(3) lets Member States exempt the smallest schemes (broadly fewer than 15 members, or below the IORP II Article 5 sub-100-member threshold), and Article 4 proportionality scales the rest. The first task for any IORP is to confirm, against its national transposition, whether it is exempt at all and, if in scope, to right-size the framework so a lean scheme is not held to large-bank expectations.

Pension-administration and member-portal platforms as critical functions

The administration system that records entitlements and the member portal that lets people view and manage their pension are the IORP's critical or important functions. DORA expects these to be identified as critical ICT assets, with availability, integrity and recovery requirements set and monitored, even when the platform is hosted and operated by an outsourced provider.

Outsourced asset managers and custodians as ICT third parties

External asset managers, custodians and fund-accounting providers deliver services through their own ICT systems on which the IORP depends to value assets, settle trades and safekeep holdings. Where that dependency supports a critical or important function it falls within DORA's third-party regime, requiring due diligence, contractual ICT clauses and consideration of concentration when several functions sit with the same group.

Incident reporting with lean in-house teams

DORA's incident management (Articles 17-19) applies even though most IORPs have no 24/7 security operations centre. The realistic answer is to define a major-incident procedure that relies on the providers' detection and notification duties, secure contractual obligations on TPAs and asset managers to alert the IORP promptly, and pre-agree who classifies and submits the report to the NCA within the regulatory clock.

Governance through the IORP II key functions

DORA does not require a new committee structure for a small IORP; it requires ownership. The risk-management key function can own the ICT risk framework, internal audit can provide independent assurance, and the management body must approve the strategy and oversee third-party risk, reusing the IORP II system of governance rather than building a parallel one.

Incident reporting

For IORPs the most consequential ICT incidents are breaches of member personal and financial data, outages of the pension-administration platform or member portal, corruption of entitlement records, and disruptions that delay or misdirect the payment of benefits and pensions; many of these originate at an outsourced provider rather than inside the fund. DORA (Article 19 and the related RTS/ITS) requires major incidents to be classified against thresholds such as the number of clients or members affected, amounts and duration, geographic spread, data losses, criticality of the affected services and economic impact, then reported to the NCA on a strict clock of an initial notification, an intermediate report and a final root-cause report. Because a lean IORP often learns of an incident only when its TPA or asset manager tells it, the reporting clock and the contractual notification duties on providers must be aligned in advance, with pre-drafted templates and a named person empowered to classify and submit, so that an outsourced breach still meets the early notification window.

The Institutions for Occupational Retirement Provision (IORPs) compliance pack

Everything tailored to your sector, ready to use on day one.

  • 30-point sector compliance checklist (Excel) across the 5 DORA pillars
  • Sector policy & contract adaptations
  • Scoping & proportionality notes + action plan
  • Sector implementation guide (PDF) with the questions and the regime mapping
€129 excl. VAT
one-off · instant download · lifetime updates
  Get the pack — €129

Frequently asked questions

Is our small pension fund actually in scope of DORA?

It depends on your Member State. IORPs are financial entities under DORA Article 2(1)(k), but Article 2(3) lets each Member State exempt the smallest schemes, broadly those with fewer than 15 members in total or below the IORP II Article 5 threshold of 100 members. You must check your national transposition to know whether your fund is exempt; if you are over the threshold or your country did not apply the exemption, DORA applies to you, scaled by Article 4 proportionality.

We outsource everything to our administrator. Does DORA still apply to us?

Yes, and outsourcing does not transfer accountability. Under DORA the IORP remains responsible for managing the ICT risk of its third-party administrator, asset managers and custodians: due diligence, contractual audit and access rights, monitoring, and a documented exit plan, all recorded in your register of information under Articles 28-30. Most of your DORA effort will sit in this third-party pillar precisely because so little technology is in-house.

Are IORPs subject to Threat-Led Penetration Testing (TLPT)?

Almost never. TLPT under DORA Articles 26-27 applies only to entities designated by their authority on the basis of systemic importance and ICT risk profile, and the great majority of IORPs are too small to be designated. Every in-scope IORP must still run a proportionate testing programme such as vulnerability assessments and reviews of key systems, but full threat-led testing is unlikely to be required of a pension fund.

How do DORA and the IORP II Directive fit together?

Treat DORA as the detailed ICT layer that deepens IORP II. IORP II already requires a system of governance, the three key functions and controls over outsourcing (Article 31); DORA standardises and extends the technology dimension of those duties. Map your IORP II governance and outsourcing arrangements onto DORA's five pillars so one control set, and one provider register, satisfies both regimes rather than running them separately.

What happens if our administrator suffers a data breach affecting our members?

You may still have to report it. If the incident at your TPA meets DORA's major-incident thresholds for your fund, the IORP is responsible for classifying it under Article 19 and notifying the NCA on the initial, intermediate and final report clock. Because you will often learn of it from the provider, your administration contract should oblige the TPA to alert you promptly and supply the facts you need, and you should have a named person and templates ready to classify and submit.
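The Incident reporting section above and this answer both describe the same procedure: classify an incident at an outsourced provider against the major-incident criteria, then meet the initial, intermediate and final report clock, with the provider's contractual notification duty sized so the clock is still achievable. The following Python script is an added illustration of that procedure and is not part of this guide or of any regulatory text. The threshold values in THRESHOLDS and the combination rule in is_major are constructed placeholders, to be replaced with the values in the classification RTS; the four clock intervals are taken from the major-incident reporting ITS as the author of this example understands it and should be verified against the current text; the incident figures and timestamps are constructed sample input.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed placeholder thresholds for the impact criteria the guide lists
# (members affected, duration, geographic spread, data losses, economic impact).
# Replace each value with the figure in the classification RTS before use.
THRESHOLDS = {
    "members_affected_share": 0.10,   # fraction of all scheme members
    "members_affected_abs": 100_000,  # absolute number of members
    "duration_hours": 24,
    "member_states": 2,
    "economic_impact_eur": 100_000,
}

# Reporting clock (assumed from the reporting ITS; verify against the current text):
# initial notification within 4h of classification and no later than 24h after
# becoming aware; intermediate within 72h of the initial; final within one month.
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)


@dataclass
class Incident:
    members_affected: int
    total_members: int
    duration_hours: float
    member_states: int
    data_loss: bool                  # any loss of availability, integrity or confidentiality of member data
    critical_service_affected: bool  # e.g. administration platform, member portal, benefit payments
    economic_impact_eur: float


def criteria_met(inc: Incident) -> list[str]:
    """Return the names of the impact criteria this incident triggers."""
    met: list[str] = []
    share = inc.members_affected / inc.total_members if inc.total_members else 0.0
    if (share >= THRESHOLDS["members_affected_share"]
            or inc.members_affected >= THRESHOLDS["members_affected_abs"]):
        met.append("members_affected")
    if inc.duration_hours >= THRESHOLDS["duration_hours"]:
        met.append("duration")
    if inc.member_states >= THRESHOLDS["member_states"]:
        met.append("geographic_spread")
    if inc.data_loss:
        met.append("data_loss")
    if inc.economic_impact_eur >= THRESHOLDS["economic_impact_eur"]:
        met.append("economic_impact")
    return met


def is_major(inc: Incident) -> bool:
    """Placeholder combination rule: a critical or important function is affected
    and at least two further criteria are met. The RTS defines the real rule."""
    return inc.critical_service_affected and len(criteria_met(inc)) >= 2


def reporting_deadlines(aware_at: datetime, classified_at: datetime) -> dict[str, datetime]:
    """Compute the three report deadlines; the initial deadline is the earlier of
    the classification-based and awareness-based limits."""
    initial = min(classified_at + INITIAL_AFTER_CLASSIFICATION,
                  aware_at + INITIAL_AFTER_AWARENESS)
    intermediate = initial + INTERMEDIATE_AFTER_INITIAL
    final = intermediate + FINAL_AFTER_INTERMEDIATE
    return {"initial": initial, "intermediate": intermediate, "final": final}


def provider_sla_fits(contract_notice_hours: float, iorp_triage_hours: float,
                      budget_hours: float = 24.0) -> bool:
    """Check that the TPA's contractual notification deadline plus the IORP's own
    classification time fits inside the end-to-end budget the IORP has set for
    getting the initial notification out after the provider detects the incident."""
    return contract_notice_hours + iorp_triage_hours <= budget_hours


if __name__ == "__main__":
    # Constructed sample: the TPA's administration platform is down for 30 hours,
    # 12,000 of 80,000 members cannot be served and some records are corrupted.
    sample = Incident(members_affected=12_000, total_members=80_000, duration_hours=30,
                      member_states=1, data_loss=True, critical_service_affected=True,
                      economic_impact_eur=20_000)
    print("criteria:", criteria_met(sample), "major:", is_major(sample))
    aware = datetime(2025, 3, 3, 9, 0)       # TPA notifies the IORP
    classified = datetime(2025, 3, 3, 15, 0)  # named person classifies it as major
    for name, when in reporting_deadlines(aware, classified).items():
        print(f"{name:12} due {when:%Y-%m-%d %H:%M}")
    print("8h contract notice + 4h triage fits 24h budget:", provider_sla_fits(8, 4))
```

The last function is the contractual alignment point the guide makes: if the administration contract allows the TPA 24 hours to notify and the IORP then needs several hours to classify, the initial notification window is already lost, so the notice period in the contract has to be set with the IORP's own triage time subtracted from the budget.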

Who in a lean IORP should own DORA?

Use the structure IORP II already gives you. The risk-management key function is the natural owner of the ICT risk framework, internal audit provides independent assurance, and the management body approves the strategy and oversees third-party ICT risk. You do not need a large new function; you need clear ownership, proportionate documentation and reliable provider obligations.

Start free: check your DORA scope, run a gap analysis, or estimate implementation cost. Need the full risk view? See the Risk Assessment Toolkits or compare all kits. All prices exclude VAT; an EU VAT invoice is issued at checkout. Professional templates, not legal advice.

How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.
