Technological developments are changing the framework conditions in the financial market and are opening up new opportunities for Pensionskassen (pension funds), which, however, also entail risks. In addition, the Covid-19 pandemic has accelerated innovations and digital interconnectedness, while the challenges arising in conjunction with the use of information and communication technologies (ICT) have also increased due to geopolitical developments.
In this environment, the FMA is continuing its analysis of the state of digitalisation in the Austrian financial market. Based on this, the FMA is able to take preventative measures, to initiate improvements in the legal framework, to determine the intensity of supervision of individual supervised undertakings in a more risk-adequate manner, and to act in a risk-based and forward-looking manner in planning and setting the priorities for supervision.
Strengthening of cyber resilience is the centrepiece of legal development.
- Since publishing its FinTech Action Plan in March 2018, the European Commission has, among other things, been pursuing the objective of strengthening the defences of the EU’s financial sector against cyber attacks. Within the Digital Finance Package, rules were also proposed in September 2020 for strengthening digital operational stability in conjunction with the use of information and communication technologies. The accompanying Regulation on Digital Operational Resilience in the Financial Sector (DORA Regulation) applies from 17 January 2025. It addresses the topics of ICT risk management and ICT incident reporting, resilience tests (incl. Threat Led Penetration Tests), ICT service risks as well as the exchange of information on cyber risks between entities.
- The FMA’s FMA-Leitfaden IT-Sicherheit für Pensionskassen (FMA Guide on IT Security for Pensionskassen (available in German only)) was published back in 2018 to provide guidance to Pensionskassen.
In the area of digitalisation, the FMA has taken the following measures and set the following priorities:
- Study on “Digitalisation of the Financial Market”: The FMA regularly conducts cross-sector analyses on digital transformation.
- IT interdependencies: Based on the visualisation of interconnectedness in the IT service provider landscape in the Pensionskassen sector, potential concentration risks are presented and further deductions reached for supervisory strategy and practice.
- FMA Blackout Maturity Level Assessment: (in German only) preparations for a possible blackout and how to handle one were evaluated in the Pensionskassen sector in 2022.
- FMA Cyber Maturity Level Assessment: The FMA is using a tool developed in-house for measuring and evaluating the cyber resilience of Austrian Pensionskassen. See for example FMA, Digitalisation in the Austrian Financial Market – 2021, chapter 10 FMA Cyber Maturity Level Assessment or FMA’s 2020 Report on the state of Austrian Pensionskassen (available in German only), Part F. Cyber-resilience, 1. Results of the FMA-Cyber Maturity Assessment.
- FMA-Cloud Maturity Level Assessment: This tool was developed by the FMA to evaluate the precautions taken by insurance undertakings and Pensionskassen regarding the use of clouds in 2019. See also FMA, Digitalisation in the Austrian Financial Market – 2021, chapter 11 FMA Cloud Maturity Level Assessment.
- ICT-related incidents: the FMA enquires about such incidents and is thereby preparing the Pensionskassen for future binding reporting requirements.
- Post Covid-19 related risks: Risks arising in conjunction with the return to on-site working were analysed.
- Practice dialogue: There is an ongoing exchange with the sector about digitalisation issues.