Update on DORA registers of information

Today, the Pensions Authority provides an update regarding the registers of information (ROIs) required under article 28(3) of DORA.

The European Supervisory Authorities (ESAs) recently introduced simplifications to their processes for the collection of registers of information for the purposes of designating the critical ICT third-party service providers (CTPPs) under article 31 of DORA. These simplifications reduce the frequency of the ESAs’ ‘full-scope’ criticality assessments to once every three years, from once a year, and introduce a simplified process for CTPP designations in each interim year.   

The simplified process for interim years will focus on a reduced population of financial entities,  excluding categories making no contribution to the ‘step 1-designation’ of CTPPs under the relevant delegated regulation. IORPs are currently one such excluded category, meaning that the next ESA collection of IORP ROIs has been deferred until 2028.

On this basis, the Pensions Authority will conduct its next ROI collection in 2028 and this collection is expected to include all Irish IORPs in scope of the ROI requirement. Those schemes will be required to submit full ROIs to the Pensions Authority using a reference date of 31 December 2027. The Pensions Authority will communicate further details on the timing and format of ROI submissions in advance of this exercise. Trustees should ensure they have in place technical infrastructure in line with EBA requirements.

In the meantime, trustees are reminded of the requirement under article 28(3) of DORA for relevant IORPs to maintain and update their ROI. To this end, IORPs in scope of the ROI requirement should update their ROI information immediately in the event of any known change to the information contained in the ROI, and at least annually in any event. Systematic annual reviews are important to allow trustees to assess and record any new information relevant to their contractual arrangements on the use of ICT services, even when there have been no changes to the scheme’s direct contractual arrangements, e.g., in the event of changes to any subcontractors used by the scheme’s existing registered administrator. The Pensions Authority will look for evidence that such reviews have taken place, therefore trustees should ensure ROI reviews are recorded appropriately, e.g., in the minutes of trustee meetings.

Trustees should also note their obligation under article 28(3) of DORA to inform the Pensions Authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions.

Lastly where an IORP has determined that it does not rely on ICT third-party service providers within the meaning of DORA, trustees are reminded to confirm this position to the Pensions Authority by emailing DORA_nullROI@pensionsauthority.ie.

Further information is available on the Pensions Authority’s DORA webpage.