PensionsEurope acknowledges the EC’s initiative to simplify EU digital rules and the importance of maintaining a robust operational resilience framework while maintaining high standards of personal data protection. We emphasize that pension funds need a more proportionate approach under both DORA and the GDPR.
Second pillar pension funds are very different from other financial entities because they are often managed through social partners and linked to employer affiliation.
Applying DORA requirements uniformly creates unnecessary compliance costs, particularly for smaller and less complex pension funds. A principle-based approach to DORA would help to achieve effective ICT risk management and avoid unnecessary ICT controls. Creating a centralised EU incident reporting hub would increase complexity and costs. Instead, ICT incident reporting should be streamlined (fewer fields, longer deadlines) and focused on material impacts on critical functions. The granularity of the subcontracting requirements and of the register of information also needs to be reduced.
The EU simplification agenda needs to tackle unnecessary complexity arising from both DORA and the GDPR.