The EU Regulation 2022/2554 on Digital Operational Resilience for the Financial Sector (hereafter referred to as DORA) sets requirements concerning the security of the network and information systems supporting the business processes of the financial entities within its scope. Several existing EU directives, including MiFID II, UCITS IV, AIFMD and PSD2, were amended by Directive 2022/2556 (hereafter referred to as the DORA Amending Directive).

The Malta Financial Services Authority (MFSA) is to introduce the Digital Operational Resilience Act (DORA) Regulations 2023 (hereafter referred to as the MT DORA Regulations) as a Legal Notice (by virtue of Cap. 330 of the Laws of Malta). These regulations shall apply to all entities referred to in Article 2(1) of DORA. The MT DORA Regulations shall not, however, apply to the Malta Development Bank entities referred to in Article 2(3) of DORA.

The MFSA shall be the designated competent authority for matters related to the MT DORA Regulations. Its functions and obligations shall include: receiving reports of major ICT-related incidents and voluntary notifications of significant cyber threats; participating (via a high-level representative) in the European-level Oversight Forum that applies the related oversight framework to Critical ICT Third-Party Service Providers; and responsibility for threat-led penetration testing matters at a national level.

EU Directive 2015/2366 (PSD2) shall be amended by virtue of Article 7 of the DORA Amending Directive and, as such, the amendment affects the Maltese Financial Institutions Act and the relevant MFSA regulations. Consequently, applicants pursuing a licence as a financial institution shall be required to include the following in their application: a business plan which includes, inter alia, arrangements for the use of ICT services in accordance with DORA; a description of the procedure for incident monitoring, management and reporting in accordance with Chapter II of DORA; and a description of the business continuity arrangements in accordance with DORA.

The EU Directive 2013/36/EC, also known as the Capital Requirements Directive, is set to undergo changes as per Article 4 of the DORA Amending Directive. This will have implications on the Maltese Banking Act and the relevant rules and regulations. As a result of these changes, credit institutions will be obligated to establish and rigorously test their contingency plans, ICT business continuity policies and plans, and ICT response and recovery plans, in compliance with Article 11 of DORA. Credit institutions are also required to set up and manage their network and information systems in compliance with the same article.

In the case of Regulated Markets and Market Operators, a Regulated Market must now, in order to be authorised, ensure that it is adequately equipped to manage the risks to which it is exposed, including ICT risk, as per Chapter II of DORA. Regulated Markets must also ensure that the digital operational resilience of their trading systems is in accordance with the same chapter.

Investment Service Providers are also required to have a resilient trading system if they engage in algorithmic trading. They shall also have business continuity arrangements in case of failure of their trading systems, as per Article 11 of DORA. The MFSA shall have authority to evaluate investment firms' strategies, processes and mechanisms in light of any risks revealed by the digital operational resilience testing prescribed by Chapter IV of DORA. The MFSA shall also have discretion to investigate any ICT Third-Party Service Providers.

Insurance amendments are also proposed for systems of governance, by including a reference to the setting up and management of network and information systems in accordance with DORA. This amendment shall also apply to Occupational Retirement Schemes issued in terms of the Retirement Pensions Act.

The final envisaged amendment relates to Recovery and Resolution. Maintaining digital operational resilience is crucial to ensuring the continuity of the critical functions and core business operations of a financial entity during its resolution process. The resolution-related amendments provide clear guidelines on the information to be incorporated in recovery plans and on the data that the Resolution Committee requires to form part of an entity's resolution plans, as per DORA's requirements. The Resolution Committee will take these factors into account when evaluating the resolvability of an entity or group.

The MFSA is currently conducting a consultation on these proposed changes and shall be accepting feedback until the 16th of February.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.