The Dutch Federation of Pension Funds (Pensioenfederatie) has called on European policymakers to refrain from amending the Digital Operational Resilience Act (DORA) at this time and wait until the planned review in 2028 amid concerns about unintended consequences.

The call comes in response to the Digital Omnibus, a European legislative process that aims to streamline existing digital legislation (such as artificial intelligence, cybersecurity, and data) and reduce administrative burdens.

Although the pension sector endorsed the objective of the Digital Omnibus, it warned against the unintended effects of including DORA in this process.

In a statement, Pensioenfederatie suggested that, as DORA has only been applicable since 2025, it was "too early" to amend the regulation and opposed amending DORA at this moment in time.

In addition to this, it argued that important parts of the supervision were not yet operational, notably the oversight of major cloud and technology providers.

“We recognise increasing cyber risks and geopolitical risks of dependence on some big tech companies. Still, DORA alone cannot fix them. A consorted effort would be needed to decrease tech dependence,” it said.

Given this, it believed that premature adjustments would affect the predictability and stability of the regulatory framework and lead to higher burdens, without demonstrable improvement in the digital resilience of the financial sector.

Instead, Pensioenfederatie has advocated for dialogue between the financial sector and supervisors, clear guidance to create shared understandings of DORA’s application and a careful evaluation of DORA in 2028, as originally planned.

Additionally, the federation opposed the European Commission’s proposal for a European single-entry point for incident reporting, which aimed to reduce reporting costs.

The reasoning behind opposing a single-entry point was that many financial entities, notably pension funds, did not have these benefits, as they operated in a single EU country.

“In our view, national notification structures and entry points better correspond to existing cooperation and communication between financial entities and supervisors,” it said.

Pensioenfederatie also said that it saw limited synergies from a single-entry point for multiple reporting laws, considering the differences in reporting requirements as another reason for opposing this proposal.

“We care about a cost-efficient, user-friendly solution, with adequate availability, integrity and confidentiality, and the option to file notifications in Dutch and English,” it said.

The statement also flagged potential security risks of the centralisation of sensitive incident reporting information in a European single-entry point.

---