Given the ever-increasing risks of cyber-attacks, the European Union (the ‘EU’) has been strengthening the information and communication technology (the ‘ICT’) security of financial entities, such as banks, insurance companies and investment firms. The Malta Financial Services Authority (the ‘MFSA’) has published an updated circular in relation to the Digital Operational Resilience Act (the ‘DORA’), which was enacted to ensure that the financial sector in Europe is able to stay digitally resilient.

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) was recently published on the Official Journal of the EU and shall come into effect on the 16th of January 2023, to become fully applicable by the 17th of January 2025 following a two-year implementation period. As provided in Recital (12), this Regulation “aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle, at the time of their adoption, all components of operational resilience.”

Essentially, DORA introduces provisions, subject to different layers of proportionality, on financial entities in the areas of ICT risk management, ICT-related incident management, classification and reporting, digital operational resilience testing, managing of ICT third-party risk (including an Oversight Framework of critical ICT-third party providers) and voluntary information-sharing arrangements, with the aim of assisting firms in ensuring that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. The requirements imposed by DORA are homogenous across all EU member states, with the ultimate aim of preventing and mitigating cyber threats, and are essentially applicable to critical third parties which provide ICT-related services to financial entities.1

This Regulation shall also be supplemented by a series of Regulatory/Implementing Technical Standards, Guidelines, Reports, Recommendations and Calls for Advice, all having different delivery deadlines as detailed in Annex 1.

About the Author

This update has been authored by Dr Luana Agius, Junior Regulated Industries Advisor. For additional information kindly contact us on

1 ‘Digital Operational Resilience Act (DORA)’ <> accessed 4 January 2023.

'Credit & Financial Institutions' Related News Articles

The new notified PIFs framework: MFSA publishes consultation document on regulatory changes
Ganado Advocates

by Ganado Advocates

26th May 2023

BOV Asset Management Limited launches the Global Multi-Asset Thematic 60 Fund managed by Fidelity International
Bank of Valletta

by Bank of Valletta

7th May 2023

Infocredit Group Limited

by Infocredit Group Limited

3rd May 2023

The classification of cryptoassets under the new Markets in Crypto-Assets Regulation
Ganado Advocates

by Ganado Advocates

24th February 2023

Welcome to “Enterprise Innovation” ¦ 23 February 2023 at Salini Resort Hotel
Griffiths + Associates Ltd

by Griffiths + Associates Ltd

20th February 2023

Bank of Valletta organises business breakfast on the Climate Challenges and Opportunities for Real Estate
Bank of Valletta

by Bank of Valletta

31st January 2023

BOV participates in Ġemma and MBA’s pilot project to promote financial literacy courses for elderly
Bank of Valletta

by Bank of Valletta

27th December 2022

High calibre international speakers for FinanceMalta’s 15th Annual Conference

by FinanceMalta

28th October 2022

H.E. Sheikh Feisal Bin Qassim Al Thani celebrates BNF Bank’s success in latest visit to Malta
BNF Bank plc

by BNF Bank plc

6th October 2022