On Jan. 4, MLT FSA issued circular on implementation of EU DORA.
MLT FSA circular regarding Regulation 2022/2554 and amending directive 2022/2556 on digital operational resilience for the financial sector (DORA) published in EU OJ.
Follows EU CNCL Dec. 2022 final Dir 2022/2556 and Reg 2022/2554 on digital operational resilience for the financial sector in the Official Journal, see #137568.
Follows MLT FSA Jul. 2022 circular on provisional agreement reached on DORA.
Document dated Jan. 4, 2023, was received on Feb. 7, 2023 due to a new feed.
DORA Implementation
Reg 2022/2554 (DORA) and Dir 2022/2556 will both enter into force on Jan. 16, 2023.
Amendments to Regs 1060/2009, 648/2012, 600/2014, 909/2014, 2016/1011 apply from Jan. 17, 2025; Dir 2022/2556 amends Directives 2009/65, 2009/138, 2011/61, 2013/36, 2014/59, 2014/65, 2015/2366 and 2016/2341, and Member States are to adopt the measures necessary to comply with it also by Jan. 17, 2025.
Set out deadlines for RTS/ITS, guidelines, reports, etc., which will supplement DORA.
DORA Overview
Overall, DORA is a complex cross-sectoral regulation which introduces a series of novel, directly applicable requirements; MLT FSA recommends that authorized persons start with the necessary preparations to ensure compliance with the Regulation.
In Jan. 2023 MLT FIN issued guidance on DORA application countdown, see #160364.
Sep. 2023 New Circular
On Sep. 5, 2023, MLT FSA issued new circular updating that of Jan. re DORA provisions.
Recalls obligations in terms of various ICT aspects; technical standards being prepared.
Stresses obligations on financial entities in terms of ICT-related areas (outlined) will change when compared to obligations emanating from ICT-related provisions within the currently applicable Acts, Regulations, Rules and/or sector-specific Guidelines.
Thus, MLT FSA is reaching out to industry using various means including: written communications (circulars); periodic DORA Videocast; FAQ; public consultations (e.g. Consultation Document on Adoption of TIBER-EU Framework in Malta); webinars.
Authorized persons expected to keep abreast of updates and upcoming developments.
Expects management bodies of financial entities within DORA scope to ascertain that their financial entity is on track in its preparations to ensure compliance by application day.
Expects, as minimum and as at date of this Circular, financial entities: have informed management body of DORA; informed key function holders, including representatives from Three Lines of Defence; are updated on development of Technical Standards.
Also duly aware of new reporting requirements and/or changes to existing reporting requirements specified by DORA; duly discussed and planned for possible new compliance costs arising from it; among many other requirements, as explained in the circular.
Dec. 2023 Circular on Consultation
On Dec. 11, 2023, MLT FSA issued new circular relating to implementation of DORA.
Second set of technical standards, with delivery deadline of Jul. 2024, open for consultation (#194221); financial entities and interested stakeholders can respond by Mar. 4, 2024.
Jan. 2024 Circular on DORA Technical Standards
On Jan. 19, 2024, MLT FSA issued circular as a follow-up to its Jan. 2023 circular on DORA policy work; concerns first sets of technical standards under DORA Act.
Confirmed that EU EBA, EU EIOPA, EU ESMA have submitted first batch of DORA regulatory technical standards and implementing technical standards to EU CMSN.
Concern ICT and 3rd party risk management, incident classification, see #198438.
EU CMSN will now review the standards with aim of adopting them in coming months.
Feb. 1, 2024 Classifying Organization Size
On Feb. 1, 2024, MLT FSA will start collecting data in relation to the organization size classification of applicants and existing Authorized Persons in line with Reg 2022/2554.
As part of the authorization process, applicants will be required to establish their organization size and submit a self-declaration form classifying themselves as follows.
Based on organization size, the classifications are microenterprise, small enterprise, medium-sized enterprise, and non-small and medium-sized enterprise.
Authorized persons will be required to classify their firm size within their corporate profile on license holder portal against submission of a self-declaration form.
In establishing firm size, applicants and existing authorized persons are guided by MLT FSA 2003/361/EC and additional material released by the EC, namely the user guide to the SME definition and small and medium enterprise self-assessment questionnaire.
Mar. 2024 Classification
On Mar. 1, 2024, MLT FSA issued circular on establishing and classifying organization size.
Financial institutions will be required to establish and classify their organization size as either: microenterprise; small enterprise; medium-sized enterprise; non-SME.
In establishing their firm size, applicants and existing authorized persons should refer to the EC user guide to the SME definition and the SME self-assessment questionnaire.
Financial institutions are required to update their corporate profile within the Licence Holder Portal by Mar. 31, 2024; further information can be obtained via email request.
Organization size should be classified by selecting classification within the SME field.
Financial institutions are additionally required to fill and upload a self-declaration form.
The classification selected within SME field and submitted within the form must match.
Once DORA Regulation applicable, financial entities to maintain Register of information (RoI) with information on all arrangements with ICT third-party service providers.
On request, shall make full RoI and other information available to competent authority.
According to Article 28(9) of the DORA Regulation, the RoI is to be supplemented by an Implementing technical standard (the ITS) that establishes a standard template.
For purpose of RoI reporting using standard template, financial entities must maintain Legal entity identifier (LEI) by Jan. 17, 2025 (i.e. date of DORA applicability).
Financial entities to ensure corporate profile within LH portal kept updated with LEI.
Once DORA Regulation becomes applicable on Jan. 17, 2025, financial entities must maintain a Register of Information (RoI) with information on all of their arrangements with ICT Third-Party Service Providers (ICT TPPs) and upon request make it or specific sections with any information deemed necessary available to competent authority.
Among other things, RoI allows the European Supervisory Authorities (ESAs) to designate critical ICT TPPs which will be subject to an EU-level oversight framework.
ESAs issued decision governing information competent authorities must report to them for purposes of CTPP designation, deadline for first submission of RoIs, see #233758.
Deadline for first submission of RoI from competent authorities to ESAs Apr. 30, 2025.
Financial entities that would like to learn more about how to prepare their registers of information and hear about the outcomes of the 2024 dry run exercise are invited to take part in a workshop on Dec. 18, 2024, held virtually from 10:00 to 13:00.
Interested parties can register by Dec. 16, 2024 at the following link.
Dec. 2024 New Circulars
On Dec. 4, 2024, MLT FSA issued new circular related to its Jan. 2023 one on DORA.
After consultation, amendments to its rules now published; aim to transpose DORA Amending Directive where transposition measures are required to MLT FSA’s rules.
Also in line with Update on Guidance on Technology Arrangements, ICT and Security Risk Management, Outsourcing Arrangements, published in Mar. 2024 (summary).
Further information on legislative measures required to implement DORA Regulation and nationally transpose DORA Amending Directive will be published in due course.
Also issued circular on Reg 2024/2956 ITS for DORA application regarding templates for register of information as it was adopted and published in the EU Official Journal.
Remaining technical standards expected to be adopted and published in due course.