DORA: the MFSA’s expectations in terms of minimum preparations
by Ganado Advocates
1st November 2023
The target date of 17 January 2025 has by now become synonymous with compliance by financial firms with Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector (“DORA” and the “Amending Directive”).
DORA applies to EU financial firms (the umbrella term “financial entities” is used), such as banks, insurance companies, payment and e-money institutions and investment firms, and to third-party service providers of ICT services which contract with these financial entities. DORA also captures providers of critical information to the financial services sector such as credit rating, critical benchmarking and data reporting services as well as financial market infrastructure providers such as central securities depositories, central counterparties and trading venues.[1]
Broadly, DORA consists of requirements in five main areas:
On 5 September 2023, the MFSA issued an update to its Circular on DORA and the Amending Directive, which it had published in January 2023 (the “Circular Update”).[2] The MFSA reminds entities in scope that the obligations on financial entities in terms of the ICT-related areas outlined above “will change when compared to the obligations emanating from ICT-related provisions within the current applicable Acts, Regulations, Rules and/or sector-specific Guidelines.”
The Circular Update is one of several and varied means through which the MFSA is keeping in touch with the industry in relation to this important regulatory compliance milestone. The MFSA expects the relevant entities to keep abreast of ongoing updates and highlights the following upcoming developments:
Both consultations are intended for interested stakeholders to share their views with the MFSA and the ESAs as applicable.
In addition, in its Circular Update, the MFSA is taking the opportunity to emphasize what it considers to be the “minimum” in terms of level of preparations towards compliance with DORA. Amongst others, the MFSA expects that any relevant entity:
A cursory look at the MFSA’s expectations above brings to light the role to be played by the Board and management of relevant entities in ensuring, through their respective roles and functions, that DORA compliance is on track. DORA compliance needs to be embedded in agendas, discussions and priorities. Although 17 January 2025 may appear to be a long way off, awareness, preparedness, gap analysis and action plans are key.
___________
[1] https://ganado.com/news/countdown-to-dora-the-regulation-applies-from-17-january-2025/
[2] https://www.mfsa.mt/wp-content/uploads/2023/09/Update-and-Benchmarking-Exercise-on-Regulation-EU-2022-2554-on-Digital-Operational-Resilience.pdf
https://www.mfsa.mt/publications/circulars/supervisory-ict-risk-and-cybersecurity-circulars/
Author: Catherine Formosa (Senior Associate, Ganado Advocates)