DORA (the Digital Operational Resilience Act or Regulation 2022/2554) and the DORA Amending Directive (Directive 2022/2556) shall apply from 17 January 2025. The MFSA has just published an open letter to all Board members and CEOs of financial entities falling within the scope of DORA, outlining its minimum expectations in relation to their preparedness for these upcoming laws.

Considering DORA’s wide scope, this letter is addressed to the management teams of almost all entities authorised by the MFSA including banks; financial institutions; investment firms; crypto-asset service providers; managers of alternative investment funds; insurance and reinsurance undertakings; institutions for occupational retirement provision; and crowdfunding service providers.

DORA imposes on financial entities (as defined therein) a number of obligations with the main aims of, inter alia: (i) identifying and managing risks associated with information and communications technology (ICT); (ii) classifying, managing and reporting ICT-related incidents; (iii) ensuring digital operational resilience through testing; and (iv) ensuring oversight and management of risks stemming from third-party ICT providers. Last year, the MFSA had already sent a letter outlining its 2023 expectations, including:

  1. To inform the management body, key function holders, and internal controls about DORA;
  2. To keep abreast with updates in relation to technical standards, and new reporting requirements under DORA;
  3. To carry out a gap analysis between their current framework and DORA requirements, and to adopt a transition plan, which has been approved by the management body;
  4. To discuss potential compliance costs arising and engage external consultants and ICT third-party service providers regarding DORA.

What are the MFSA’s expectations for 2024?

The Authority expects management bodies to ensure that financial entities are on track with their transition plan and are making steady progress towards achieving a DORA-ready state in terms of compliance. The Authority now expects that entities, while taking into consideration the technical standards under DORA, have:

  1. started developing a Digital Operational Resilience Strategy;
  2. started developing a DORA-compliant ICT Risk Management Framework;
  3. started developing an ICT-related incident management process;
  4. taken steps in ensuring that the classification and reporting of Major ICT-Related Incidents and the voluntary notification of Significant Cyber Threats are in line with DORA;
  5. started developing a DORA-compliant digital operational resilience testing programme;
  6. taken steps towards managing their ICT third-party risk, including having developed a strategy on ICT third-party risk and a policy on the use of ICT services supporting critical or important functions;
  7. started developing a Register of Information as required under DORA;
  8. started aligning their current written contractual arrangements with ICT Third-Party Service Providers to the DORA-mandated key contractual provisions.

In a rapidly evolving digital landscape, the MFSA’s expectations for 2024 underscore the urgency for financial entities to align with the stringent requirements of DORA. We recognize the complexities involved in transitioning towards DORA compliance and our firm is primed to guide you through this intricate process, ensuring your organization is not just prepared but thrives in the face of these regulatory changes. We are not only conducting gap analyses for a number of financial entities from multiple financial services sectors, but also assisting the same with drafting or reviewing policies, navigating the nuances of ICT-related incident management processes, and aligning contractual arrangements with ICT Third-Party Service Providers to meet DORA’s key contractual provisions.

The next eight (8) months are crucial. The journey towards DORA readiness is a complex task which is further compounded by the thirteen (13) guidance notes and technical standards which are being released under the same Regulation. The specialised DORA team at Ganado is geared to assist financial entities to align with the Regulation’s and MFSA’s expectations, well before the January 17, 2025 deadline.

Authors: James Debono (Senior Associate) & Luigi Farrugia (Associate)
