The Maltese Financial Services Authority (“MFSA”) has published a new circular as a follow-up on the previous circular regarding the reporting timelines and requirements for the Register of Information (“RoI”) for authorised persons under the Digital Operational Resilience Act (DORA).
The MFSA is using the circular to remind the industry that authorised persons within the scope of DORA shall submit their RoI to the MFSA between, and including, the 1st and 8th of April 2025. This deadline applies to all authorised persons licensed by the MFSA by the 31st of March 2025. Those not authorised by this date are still required to maintain an RoI and make it available to the MFSA upon request.
The circular reminds recipients that contractual arrangements in accordance with DORA, pertaining to critical or important functions, must be properly maintained in line with DORA’s requirements and furthermore must be submitted by the stated deadline. Failure to comply may result in penalties being imposed by the MFSA.
From an interface perspective, the Supervisory ICT Risk and Cybersecurity Function within the MFSA has updated its informational tab to provide access to the RoI user guidelines.
At a high level, the RoI user guidelines require that the RoI be maintained at various levels, entity, sub-level, and consolidated, with a clear distinction between arrangements supporting critical or important functions and those that do not. Technical requirements, such as file formats, data validation rules, and encryption standards, are provided to ensure the integrity and confidentiality of the information.
The MFSA’s guidance document also includes navigation tips for easier access to the portal, details on reporting deadlines and update frequency, and instructions on how an authorised person should notify the MFSA of any new contractual arrangement.
User support is provided through troubleshooting tips, examples of correct submissions, and a comprehensive FAQ section to address issues promptly, ensuring ongoing compliance.
The RoI submission page within the licence holder portal is automatically accessible to compliance officers. If the person submitting the RoI is not a compliance officer, they must first create an LH portal account and subsequently request access to the RoI submission form from the MFSA.
The EBA has also enhanced their webpage with relevant resources for RoI reporting, including all necessary files, validation rules for each ESA, and an extensive FAQ section.
Lastly, it is stated that the compliance of significant credit institutions falls under the responsibility of the European Central Bank (“ECB”). One of the obligations imposed on such institutions by DORA is to share an RoI with the ECB, with further guidance on this submission yet to be provided.
For information or assistance, please contact us at info@gtg.com.mt
Author: Neil Gauci