MLT FSA Minimum Expectations DORA


On Mar. 26, MLT FSA issued a Dear CEO letter on minimum expectations.


  • MLT FSA issued minimum expectations on digital operational resilience preparedness for financial entities as per the EU Regulation on Digital Operational Resilience (DORA), see #137568.
  • Follows MLT FSA Mar. 2024 circular, ICT and security risks guidance, see #206198.
  • Follows MLT FSA Feb. 2024 published supervisory priorities for 2024, see #201519.
  • Follows MLT FSA Jan. 2023 circular on implementation of EU DORA, see #162651.
  • Overview
  • MLT FSA Head of Supervisory ICT Risk and Cybersecurity, Alan Decelis, commented that MLT FSA has observed a high level of awareness in relation to the DORA Regulation.
  • However, he stated that MLT FSA needs to see more concrete implementation measures by the relevant Authorised Persons on Sufficient DORA Preparedness.
  • This is one of four outcomes MLT FSA intends to achieve via its supervision this year.
  • In 2024, Authorised Persons are expected to address any gaps in meeting the 2023 minimum expectations with concrete action, and meet 2024 minimum expectations.
  • Specifically, take steps to develop strategies, frameworks, policies, and procedures.
  • MLT FSA Chief Officer Supervision, Christopher P. Buttigieg, said MLT FSA's engagement with Authorised Persons is expected to lead to a higher level of compliance.
  • Kenneth Farrugia, MLT FSA CEO, stated that the DORA Regulation is an important addition to Europe's single rulebook, and that MLT FSA has been proactive in DORA implementation.
  • 2023 Minimum Expectations
  • Gave feedback on MLT FSA Sep. 2023 circular on DORA expectations, see #162651.
  • Feedback suggests a high level of awareness among management bodies and key function holders in relation to the DORA Regulation, its Technical Standards and the new reporting requirements.
  • Concrete aspects of the 2023 Minimum Expectations, such as planning for new compliance costs, execution of a gap analysis and adoption of a transition plan, are still in progress.
  • 2024 Minimum Expectations
  • For 2024, MLT FSA expects a more advanced level of DORA preparedness and sets the following as the minimum expectations for 2024 (2024 Minimum Expectations).
  • 2024 Minimum Expectations 10 to 17 are in addition to 2023 Expectations 1 to 9.
  • Expectation 10: Financial Entities have taken steps towards developing a digital operational resilience strategy, as referred to in Article 6(8) of the DORA Regulation.
  • Expectation 11: Financial Entities have taken steps towards developing a DORA compliant ICT Risk Management Framework, in accordance with Chapter II of the DORA Reg and have taken into consideration RTS referred to in DORA Arts 15, 16(3).
  • Expectation 12: Financial Entities have taken steps towards developing an ICT-related incident management process as referred to in Art 17 of DORA, and have taken into consideration provisions emanating from RTS referred to in DORA Arts 15, 16(3).
  • Expectation 13: Financial Entities have taken steps towards ensuring classification and reporting of Major ICT-Related Incidents and the voluntary notification of Significant Cyber Threats are in accordance with the relevant Regulatory and Implementing Technical Standards supplementing Chapter III of the DORA Regulation.
  • Expectation 14: Financial Entities have taken steps towards developing a digital operational resilience testing programme, in accordance with Arts 24 and 25 of DORA.
  • Expectation 15: Financial Entities have taken steps towards managing their ICT third-party risk including: if applicable, a strategy on ICT third-party risk as provided by Art 28(2) of DORA; and a policy on the use of ICT services supporting critical or important functions taking into consideration the RTS referred to in Article 28(10).
  • Expectation 16: Financial Entities have taken steps towards developing a Register of Information ('RoI'), in accordance with Art 28(3) of the DORA Regulation and taking into consideration the Implementing Technical Standard referred to in Article 28(9).
  • Expectation 17: Financial Entities have taken steps towards aligning their current written contractual arrangements with ICT Third-Party Service Providers to the key contractual provisions specifically mentioned in Article 30 of the DORA Regulation.
  • DORA Preparedness
  • Management bodies are expected to ensure that their respective Financial Entities are on track to comply with the DORA Regulation by its date of applicability.
  • In 2024, Financial Entities are to address gaps in meeting the 2023 Minimum Expectations, particularly through concrete action, and to meet the 2024 Minimum Expectations by taking steps towards the development of strategies, frameworks, policies and procedures.
  • Apr. 2024 MLT FIN Reviews MLT FSA's Expectations on DORA
  • On Apr. 23, 2024, MLT FIN described MLT FSA's letter to management bodies about its 2024 DORA ambitions and its minimum expectations in relation to their preparedness.
  • The next eight months are crucial, says MLT FIN, and the journey towards DORA readiness is a complex task which is further compounded by multiple guidance notes.
  • This includes 13 guidance notes and technical standards being released under the same regulation; a specialized DORA Ganado team is geared to assist.
  • Assistance is specifically with DORA and MLT FSA expectations, well before the Jan. 17, 2025 deadline.

Regulators MLT FIN; MLT FSA
Entity Types B/D; Bank; CNSM; Corp; Depo; Exch; IA; Ins; Inv Co; MSB
Reference PR, 4/23/2024; PR, 3/26/2024; DORA Dir 2022/2556, Reg 2022/2554
Functions AML; BCS; Compliance; Cyber; Financial; Legal; Operations; Outsourcing; Privacy; Product Design; Record Retention; Reporting; Risk; Technology; Treasury
Countries Malta
Category
State
Products Banking; Cards; Cryptocurrency; Equity; Fixed Income; Fund Mgt; Insurance; Payments; Securities
Regions EMEA
Rule Type Final
Rule Date 3/26/2024
Effective Date 1/17/2025
Rule Id 206267
Linked to N/A
Reg. Last Update 4/23/2024
Report Section EU

Last substantive update on 04/25/2024