The Pension Federation believes that Pension Fund Service Providers (PUOs) should not be designated as Critical Third Party Providers (CTPPs) of ICT services under the Digital Operational Resilience Act (DORA). There is no need for additional oversight of PUOs.
The Pension Federation has responded to a consultation regarding the designation of CTPPs for ICT services (please see eventID=21440 for details). The DORA Regulation pertains to information security in the financial sector and must be implemented by 17 January. Further regulations are currently being developed.
DORA imposes additional requirements on ICT providers for financial institutions. The CTPP designation aims to subject Big Tech entities that are systemically important for financial stability to European supervision. This includes cloud services and software providers.
Some Dutch PUOs are at risk of falling under this designation due to proposed criteria related to "providing services to 10% of the managed assets of a type of financial entity." Several PUOs serve 10% of the assets of European IORPs, pension institutions governed by the (EU) IORP II Directive.
The Pension Federation aims to prevent CTPP designations for PUOs. In its position paper, it:
– firstly, argues that PUOs are not ICT service providers; they solely use ICT for providing pension services.
– secondly, claims that DORA supervision over PUOs is already sufficient. PUOs are indirectly supervised through the funds they manage. Additionally, since all PUOs operate within the country’s borders, there are no gaps in supervision. Double supervision should be avoided.
– thirdly, argues that the criterion "providing services to 10% of the managed assets of a type of financial entity" is not suitable for the IORP sector, where the Netherlands is a prominent player in a smaller arena. A comprehensive analysis should demonstrate that ICT risks at PUOs are not critically important.