Maltese Regulator Calls For 'More Concrete Measures' On DORA

March 28, 2024
Financial firms in Malta need to do more work to become compliant with the EU’s Digital Operational Resilience Act (DORA) before it comes into effect on January 17 next year, the Maltese Financial Services Authority (MFSA) has said.

Regulators across the EU are rushing to issue guidance on the law, which will tighten IT security for banks and other financial sector companies, including payments and e-money institutions. The German, Dutch and Spanish watchdogs have all issued advice to their respective sectors in recent months.

In Malta, the national competent authority sent out a new “Dear CEO” letter on Monday (March 25) outlining its expectations for firms in implementing the regulatory framework, setting out seven distinct requirements that they must meet.

These follow ten requirements the regulator released last year, which included that management bodies must be aware of the regulation and must have assessed the compliance costs it entails.

“While we have observed a high level of awareness in relation to the DORA Regulation, we need to see more concrete implementation measures by the relevant Authorised Persons,” said Alan Decelis, the MFSA’s ICT and cybersecurity chief, in a press statement accompanying the letter. 

The specific expectations on companies set out this week include developing a digital operational resilience strategy and a DORA-compliant ICT risk management framework, and taking into consideration the regulatory technical standards (RTS) set out in the regulation.

The Maltese regulator also said that financial entities need to have begun developing an ICT-related incident management process, and to have taken into consideration the relevant provisions emanating from the RTS.

Further, institutions will need to ensure that the classification and reporting of major ICT-related incidents and the voluntary notification of significant cyber threats are compliant with the relevant regulatory and implementing technical standards outlined in the regulation. 

Financial entities will also need to begin developing a digital operational resilience testing programme, and managing their ICT third-party risk, including, if applicable, a strategy on ICT third-party risk. They must also develop a policy on the use of ICT services supporting critical or important functions.

Firms must also start work on a register of information (RoI), and begin aligning their current written contractual arrangements with ICT third-party service providers to the key contractual provisions mentioned in the DORA regulation. 

The authority says in the letter that it continues to expect management bodies to make sure that their respective financial entities are on track to comply with the DORA regulation by its date of applicability.

Sufficient DORA preparedness is one of the outcomes that the MFSA intends to achieve through its supervision in 2024, as outlined in the MFSA 2024 Supervisory Priorities document.

“This letter provides the minimum expectations of the MFSA vis-à-vis the respective financial entities in this regard,” the letter says. “The authority will be separately engaging with your financial entity to gather information in relation to your progress against these expectations in due course.”

Commenting on the authority’s 2024 minimum expectations, MFSA chief supervisor Christopher P. Buttigieg said in the press statement that “the authority is taking the necessary steps towards engaging with authorised persons in relation to sufficient DORA preparedness before its date of applicability. This is expected to contribute towards a higher level of compliance to the DORA Regulation by June 2025.”

MFSA’s chief executive Kenneth Farrugia said the DORA regulation is an important addition to Europe’s single rulebook. 

“Recognising this fact, the MFSA has been proactive in its implementation of the DORA Regulation, ensuring regular and effective communication with authorised persons, the latest engagement being the publication of these minimum expectations,” he said. 
