MFSA sends letter to management bodies about its 2024 DORA ambitions

DORA (the Digital Operational Resilience Act or Regulation 2022/2554) and the DORA Amending Directive (Directive 2022/2556) shall apply from 17 January 2025. The MFSA has just published an open letter to all Board members and CEOs of financial entities falling within scope of DORA outlining its minimum expectations in relation to their preparedness to the aforementioned upcoming laws.

Considering DORA’s wide scope, this letter is addressed to the management teams of almost all entities authorised by the MFSA including banks; financial institutions; investment firms; crypto-asset service providers; managers of alternative investment funds; insurance and reinsurance undertakings; institutions for occupational retirement provision; and crowdfunding service providers.

DORA imposes on financial entities (as defined therein) a number of obligations with the main aim of inter alia (i) identifying and managing risks associated with information and communications technology (ICT) (ii) classifying, managing and reporting of ICT-related incidents, (iii) ensuring digital operational resilience through testing; and (iv) ensuring oversight and management of risks stemming from third-party ICT providers. Last year, the MFSA had already sent a letter outlining its 2023 expectations including:

1. To inform the management body, key function holders, and internal controls about DORA;
2. To keep abreast with updates in relation to technical standards, and new reporting requirements under DORA;
3. To carry out a gap analysis between their current framework and DORA requirements, and to adopt a transition plan, which has been approved by the management body;
4. discuss potential compliance costs arising and engage external consultants, and ICT third-party service providers regarding DORA.

What are the MFSA’s expectations for 2024?

The Authority expects management bodies to ensure financial entities are on track on their transition plan and are making steady progress towards achieving a DORA-ready state in terms of compliance. The Authority is now expecting that entities, while taking into considering the technical standards under DORA, have:

1. started developing a Digital Operational Resilience Strategy;
2. started developing a DORA Compliant ICT Risk Management Framework;
3. started developing an ICT-related incident management process;
4. taken steps in ensuring that the classification and reporting of Major ICT-Related Incidents and the voluntary notification of Significant Cyber Threats are in line with DORA;
5. started developing a DORA compliant digital operational resilience testing programme;
6. taken steps towards managing their ICT third-party risk including – developed a strategy on ICT third-party risk and a policy on the use of ICT services supporting critical or important functions;
7. started developing a Register of Information as required under DORA;
8. started aligning their current written contractual arrangements with ICT Third-Party Service Providers to the DORA-mandated key contractual provisions.

In a rapidly evolving digital landscape, the MFSA’s expectations for 2024 underscore the urgency for financial entities to align with the stringent requirements of DORA. We recognize the complexities involved in transitioning towards DORA compliance and our firm is primed to guide you through this intricate process, ensuring your organization is not just prepared but thrives in the face of these regulatory changes. We are not only conducting gap analyses for a number of financial entities from multiple financial services sectors, but also assisting the same with drafting or reviewing policies, navigating the nuances of ICT-related incident management processes, and aligning contractual arrangements with ICT Third-Party Service Providers to meet DORA’s key contractual provisions.

The next eight (8) months are crucial. The journey towards DORA readiness is a complex task which is further compounded by the thirteen (13) guidance notes and technical standards which are being released under the same Regulation. The specialised DORA team at Ganado is geared to assist financial entities to align with the Regulation’s and MFSA’s expectations, well before the January 17, 2025 deadline.

Authors: James Debono (Senior Associate) & Luigi Farrugia (Associate)