New Technical Standards - DORA

On 3 March 2025, the Malta Financial Services Authority (“MFSA”) issued an update to its Circular regarding the Digital Operational Resilience Act (“DORA”), confirming that key regulatory and implementing technical standards have now been published in the EU Official Journal, marking yet another step towards operationalising DORA across the financial sector. These standards further cement DORA’s framework, providing captured financial entities with clearer and enforceable obligations on ICT-related incident reporting and oversight conditions, and further reinforcing the European Union’s (“EU”) commitment to a harmonised cybersecurity and ICT risk management framework.

From a broader perspective, this development underscores the EU’s ongoing regulatory drive toward financial stability and cyber resilience, aligning DORA with existing legislative frameworks such as the NIS2 Directive and even the GDPR. Simultaneously, these standards contribute to a more structured, coordinated approach to digital risk management across the Union.

Exploring the Novel Adoptions

Following the interinstitutional drafting process led by the European Supervisory Authorities (“ESAs”), three key Regulatory Technical Standards and Implementing Technical Standards have been formally adopted and published. This section aims to revisit some salient features:

  1. Commission Delegated Regulation (EU) 2025/295 introduces harmonised oversight conditions for critical ICT third-party service providers under DORA:

Article 1 Designation Process

A key aspect of this regulation is the designation process for ICT third-party service providers, whereby service providers that support critical financial functions may submit detailed applications demonstrating their criticality. Interestingly, this demonstration of criticality consists of a self-assessment with regard to market presence, the number of known competitors and their relation to any proprietary technology or specific features.

Article 5 Subcontracting Governance

Critical ICT third-party service providers that are required to share information with the Lead Overseer on their subcontracting arrangements have been provided with an adopted template, set out in the Annex. Chief among the required disclosures, such ICT service providers must disclose, inter alia, the subcontractors’ risk profiles, their compliance with data protection laws, their business continuity measures and the frequency of the audits to be conducted.

  2. Commission Delegated Regulation (EU) 2025/301 establishes the content and timeframes for reporting major ICT-related incidents, requiring financial entities to notify authorities within structured deadlines. This regulation also introduces voluntary notification procedures for significant cyber threats:

Article 5: Three-Stage Reporting Framework

The regulation introduces a three-stage reporting process for major ICT-related incidents. The stages comprise:

  1. Initial Notification: Financial entities must submit an initial notification within four hours from the classification of an incident as major and no later than 24 hours after becoming aware of it. This notification provides the essential details, aiming to ensure that competent authorities are informed as early as possible to assess potential systemic risks.
  2. Intermediate Report: Within 72 hours of the initial notification, entities must submit an intermediate report, offering a more detailed assessment of the incident, including its impact, root causes, and mitigation measures. If regular activities have been restored before this deadline, an updated report must be submitted promptly.
  3. Final Report: A comprehensive final report must be submitted within one month after the last intermediate report. This report shall provide a full incident analysis, detailing root causes, financial losses, implemented corrective measures, and any lessons learned to prevent future occurrences.

Article 6: Voluntary Notification of Significant Cyber Threats

In addition to the mandatory reporting of major ICT-related incidents, the regulation also reaffirms the voluntary notification of significant cyber threats, as originally provided for in Article 18(2) of DORA. This mechanism thus allows financial entities to proactively inform regulators about emerging cyber threats relevant to the financial system, even if they have not yet materialised into full-scale ICT-related incidents.

  3. Commission Implementing Regulation (EU) 2025/302, complementing the former Regulation 2025/301, sets out the standard forms, templates, and procedures for financial entities to report major ICT-related incidents and notify significant cyber threats under DORA.

Article 7: Aggregated Reporting

A notable feature of this regulation is the ability to aggregate reports when multiple financial entities are impacted by a common ICT incident originating from the same third-party provider.

As such, as provided under Article 19(5) of DORA, third-party service providers to whom the reporting obligations of a financial entity have been outsourced may issue a single report on behalf of all impacted financial entities, provided the following conditions are met:

  • The incident originates from or is caused by a third-party ICT service provider;
  • The third-party ICT provider services multiple financial entities or a group;
  • All impacted financial entities classify the incident as major;
  • The incident only affects entities within a single Member State, and the report is submitted to the same competent authority; and
  • The competent authority has explicitly permitted the use of aggregated reporting.

Outcome

For captured financial entities, these regulations clarify ‘how’ and ‘when’ major ICT-related incidents shall be reported. This standardisation of reporting formats and oversight conditions aims to reduce fragmentation, streamlining compliance efforts and enhancing coordination across the European Union.

Captured entities should review these newly published regulations to assess their impact on their ICT risk management and incident reporting frameworks.

----

In the meantime, if you require any help complying with DORA, GTG is here to assist. For more information, assistance or clarification, kindly contact us at info@gtg.com.mt 

Author: J.J. Galea

Looking for more information regarding DORA? Feel free to continue reading on:

DORA Negotiations: Key Contractual Content in ICT Contracts

DORA: Drafting and Reviewing ICT Services Agreements

DORA and ICT Service Providers: Navigating the Boundaries of Applicability

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.