top of page

DORA Compliance important milestone for Dutch Pension Sector


In  'Federation: new European ICT rules too strict for pension funds', the insights of the Dutch Pension Federation on DORA (Digital Operational Resilience Act) are summarized. Pension funds would differ from other financial institutions because they have a lower ICT risk. The measures in DORA would not be appropriate and would rely too much on 'one size fits all'. As a result, implementation would increase costs for the fund and therefore the participants.

Hyfen sees the implementation of the requirements from DORA in a different light. They constitute the next logical step in the digital transformation of the financial (and therefore pension) sector. Harmonized legislation on IT resilience provides a solid basis on which the future European financial infrastructure can be built, which is an infrastructure that Dutch pension funds should want to take part in.

DORA: a foundation to build on

On September 24th 2020 the European Commission presented its 'Digital Finance Package'. The objective is to make the financial sector more digitally secure and accessible so that innovative startups and established financial institutions can realize benefits and consumers can benefit from access to new financial products and innovations.  The strategy is divided into four priorities:

  1. Addressing the fragmentation of the Digital Single Market for financial services, allowing European consumers to access cross-border services and helping European financial companies scale up their digital activities;

  2. Ensure that the EU regulatory framework promotes digital innovation in the interests of consumers and market efficiency;

  3. Creating a European financial data space to foster data-driven innovation, building on the European data strategy, including better access to and exchange of data within the financial sector;

  4. Address new challenges and risks associated with the digital transformation.  

So, the European Commission foresees a financial sector with a high degree of interaction between parties and frequent exchange of (personal) data. To achieve this, a safe and well-functioning foundation is necessary:  "The EU cannot afford to question the operational resilience and security of its digital financial infrastructure and services. The risk of client money being stolen or their data compromised should also be minimized.'  As a result, the regulatory cornerstone of this vision came into force on January 16th 2023: DORA. DORA harmonizes the fundament to build on: risk management, incident management, reporting to supervisors by regulated entities, testing resilience, exchange of information, digital supply chain management and enforcement. All important topics from an IT control perspective are covered and harmonized across different financial entities. This formalization of internal control requirements into laws and regulations should not be considered in the context of today, but rather in the context of tomorrow.

The context of tomorrow

Where the first outlines were described in the digital finance package, the European Commission takes things one step further with the proposed Financial Data Access Regulation (FDAR). Under FDAR, the European Commission wants data about persons managed by financial entities, including pension funds, to be ‘open’ to other parties with the consent of the data subject.  With the arrival of FDAR, the amount of personal data to be managed and exchanged by pension parties will therefore most likely be subject to a sharp increase. Based on this data exchange new services can be developed and existing customer journeys personalized even further, for example in the context of duty of care. Certainty about the reliability, integrity, security and privacy of this data exchange will therefore soon be of even greater importance.  Closer to home the context for 'data sharing', the increased level of information collection and the role of pension funds is also beginning to emerge. The arrival of the new Dutch Future Pensions Act gives participants additional freedom of choice, and therefore increases the responsibility of pension funds to provide information and guidance. In this context, supervisors expect more and more from pension funds.  Even today, the AFM encourages the use of data from external sources in the ‘Richtlijn Keuzebegeleiding’, i.e. Duty of Care guidance:

AFM, Guideline for Duty of Care guidance '... Of course, the pension provider can go one step further and obtain information about the financial situation of the participant and include it in the decision-making guidance.'

Futhermore, both the financial services market and technology are developing at a breakneck pace. New products and services are constantly emerging, for example by applying AI or combining data from different sources. Due to the current focus of the Dutch Pension Sector on the implementation of the new pension system, there is a risk that these developments will fall out of sight. Falling behind the rest of the financial sector due to this focus on the transition can therefore be a threat to the long term viability of the Dutch pension sector.  In practice, compliance with DORA, Duty of Care and other new legislation (e.g. the AI act) is already requested by Hyfen customers. We already implement these requirements in our Hyfen Compliant Cloud platform and new pension- and dataservices. Having the basics in order with a well-secured, robust and efficient IT environment that is at least equivalent to that of other financial parties is therefore a must, also for pension funds.  If you want to learn more about this topic, please contact Dante van Grafhorst, General Counsel at Hyfen via


Commenting has been turned off.
bottom of page