MFSA outlines minimum expectations on Digital Operational Resilience Preparedness for financial entities

The Malta Financial Services Authority has been engaging with Authorised Persons in scope of the Digital Operational Resilience Act (DORA) on an ongoing basis with a view to contribute towards their transition towards compliance to the Regulation by its date of applicability, that is, 17 January 2025. The latest guidance in a string of communications addressed to the industry is being provided through the publication of its 2024 minimum expectations on sufficient preparedness.

These minimum expectations were the focus of a Dear CEO letter sent to financial services entities and reflect the feedback which the MFSA has received from Authorised Persons through its supervisory engagements in relation to its 2023 minimum expectations.

Commenting on the feedback received, MFSA’s Head of Supervisory ICT Risk and Cybersecurity Alan Decelis said: “While we have observed a high level of awareness in relation to the DORA Regulation, we need to see more concrete implementation measures by the relevant Authorised Persons.” As outlined in the regulator’s 2024 Supervisory Priorities, the MFSA’s Supervisory ICT Risk and Cybersecurity function will be focusing on ensuring ‘Sufficient DORA Preparedness’, which is one of four outcomes that it intends to achieve through its supervision this year.

In 2024, Authorised Persons are expected to address any gaps in meeting the 2023 minimum expectations with concrete action. On top of this, they should also meet the 2024 minimum expectations by taking steps towards the development of strategies, frameworks, policies, and procedures. 

Commenting on the Authority’s 2024 minimum expectations, MFSA’s Chief Officer Supervision Christoper P. Buttigieg stated: “The Authority is taking the necessary steps towards engaging with Authorised Persons in relation to sufficient DORA preparedness before its date of applicability. This is expected to contribute towards a higher level of compliance to the DORA Regulation by January 2025.”

MFSA’s Chief Executive Officer Kenneth Farrugia added: “The DORA Regulation is an important addition to Europe’s single rulebook. Recognising this fact, the MFSA has been proactive in its implementation of the DORA Regulation, ensuring regular and effective communication with Authorised Persons, the latest engagement being the publication of these minimum expectations.