AEIP publishes its position on the DORA
AEIP published its position on the Digital Operational Resilience Act (DORA). With this, AEIP underlines that IORPs and provident institutions of social protection are inherently different from other financial market entities in the sense that they are ‘not-for-profit’, have a paritarian structure and play an important social role in pension adequacy as well as health insurance. In that regard, we stress that the IORP II Directive and the Solvency II Directive set clear requirements regarding governance and risk management, including those on operational and ICT risk as well as outsourcing. These rules, which are specific to IORPs and provident institutions and have proven effective in practice, should prevail over the similar requirements introduced by DORA.
AEIP’s position also states that the requirements of the DORA Regulation should not impose a significant additional cost burden and should take a much more proportionate approach to the ICT risk of IORPs and provident insurers. In particular, we fear that mainly small and medium-sized IORPs and provident institutions will be highly negatively impacted by the required measures, since these lead to fixed costs, and proportionality for small and medium-sized IORPs is largely lacking in the European Commission’s proposal. Instead of developing new standards, provisions on the classification and reporting of ICT-related incidents should rather be aligned with existing international standards and good practices.
Moreover, we believe that the right implementation of the proportionality principle is of utmost importance. Introducing proportionality by referring to microenterprises as well as small and medium-sized enterprises alone, without their specific context, is not the right approach, since the classification of small, medium or large entities should refer to the specific environment or sector of the respective financial entity. In particular for IORPs, we argue that only staff headcount should be taken into account in this context, disregarding the financial ceilings, given that these amounts are not a good measure for determining the size of IORPs. Importantly, as also stated in the European Parliament’s ECON Committee amendment proposal, micro, small or medium-sized IORPs and provident insurers should be excluded from the Regulation’s scope.
Under the current regulatory framework of the IORP II and Solvency II Directives, all operational and ICT risks as well as compliance costs are eventually borne by IORPs and provident institutions respectively. So any effort to enhance the monitoring of third-party providers and outsourced service providers should take this fact into consideration and rather aim to ease the burden for these not-for-profit financial entities.
Finally, regulatory overload should be avoided, while coordination between institutions is a very important aspect, given that the current DORA proposal overlaps to a great extent with other regulatory outputs at the EU level, such as EIOPA’s guidelines on outsourcing to cloud service providers as well as its guidelines on ICT security and governance.
To read the full position of AEIP on the DORA, please see here.