1.   Member States shall require IORPs to have in place the following key functions: a risk-management function, an internal audit function, and, where applicable, an actuarial function. IORPs shall enable the holders of key functions to undertake their duties effectively in an objective, fair and independent manner.

2.   IORPs may allow a single person or organisational unit to carry out more than one key function, with the exception of the internal audit function referred to in Article 26, which shall be independent from the other key functions.

3.   The single person or organisational unit carrying out the key function shall be different from the one carrying out a similar key function in the sponsoring undertaking. Member States may, taking into account the size, nature, scale and complexity of the activities of the IORP, allow the IORP to carry out key functions through the same single person or organisational unit as in the sponsoring undertaking, provided that the IORP explains how it prevents or manages any conflicts of interest with the sponsoring undertaking.

4.   The holders of a key function shall report any material findings and recommendations in the area of their responsibility to the administrative, management or supervisory body of the IORP which shall determine what actions are to be taken.

5.   Without prejudice to the privilege against self-incrimination, the holder of a key function shall inform the competent authority of the IORP if the administrative, management or supervisory body of the IORP does not take appropriate and timely remedial action in the following cases:

6.   Member States shall ensure the legal protection of persons informing the competent authority in accordance with paragraph 5.