Ireland’s Pensions Authority has set out the reporting timelines for major ICT-related incidents and significant cyber threats, necessary under the Digital Operational Resilience Act (DORA).

Pension schemes subject to the new EU regulation, which came into effect on 17 January, are obliged to report major ICT-related incidents to the Pensions Authority within prescribed timeframes using reporting templates provided by the authority.

An ICT-related incident is considered major where the criteria and thresholds set out in the regulatory technical standards are met.

Upon classification of an incident as major an initial report must be made within four hours but no later than 24 hours from the time the scheme became aware of the incident.

This should be followed by an intermediate report within 72 hours, at the latest, from the submission of the initial notification. An updated intermediate report must be submitted once regular activities have been recovered.

Furthermore, a report must be submitted when major incidents are reclassified as non-major. This must be done soon as it is determined that the incident reported as major at no time fulfilled the required classification criteria and materiality thresholds.

Finally, a final report must be submitted no later than one month after either the submission of the intermediate report or, where applicable, after the latest updated intermediate report

The authority clarified that where the time limit for the submission of any of the above reports falls on a weekend day or a bank holiday the pension scheme may submit the report by noon of the next working day. Completed reporting templates must be emailed to the authority

In addition, the DORA regulation requires in-scope pension schemes to record significant cyber threats. The authority said voluntary reports of significant cyber threats, which are deemed of relevance to the financial system, service users or clients, should be emailed to the authority, using the template provided on its website.

---