MLT FSA Scope of ICT Risk Guidance

Updated on: Jan 30, 2025

Latest Event


  • Jan. 2025 Addendum
  • On Jan. 27, 2025, MLT FSA announced an addendum to circular dated Mar. 26, 2024.
  • Reference made to virtual financial asset service providers as authorized by MLT MFSA in terms of the Virtual Financial Assets Act and crypto-asset service providers in terms of the Digital Operational Resilience Act (Reg 2022/2554), article 2(1)(f).
  • As per article 58(3) of the Markets in Crypto-Assets Act, crypto-asset service providers may continue to provide their services until Jul. 1, 2026 or until they are granted or refused an authorization pursuant to article 63 of Reg 2023/1114, whichever comes first.

On Mar. 26, 2024, MLT FSA issued a circular on ICT and security risks guidance.

  • MLT FSA issued circular in relation to update on the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.
  • Follows MLT FSA Jun. 2020 issued consultation on technology guidance, see #80946.
  • Follows MLT FSA Jan. 2023 circular on implementation of EU DORA, see #162651.
  • Follows EU CNCL May 2022, EP reach provisional agreement on DORA, see #137568.
  • Overview
  • In Dec. 2020, MLT FSA issued principle-based cross-sectoral Guidance on technology arrangements, ICT and security risk management, and outsourcing arrangements.
  • Since then, MLT FSA says there have been important legislative developments, most noticeably the adoption of Regulation (EU) 2022/2554, known as the DORA Regulation.
  • DORA Regulation Impact on Guidance
  • DORA Regulation is cross-sectoral and its scope is provided under Article 2; the Regulation will not apply to certain sectors, with certain financial entities excluded.
  • Specifically, these financial entities are excluded from scope pursuant to Article 2(3).
  • MLT FSA wishes to simplify expectations in relation to ICT, security risk management, and outsourcing arrangements, and to provide the required level of clarity at this stage.
  • Therefore, as of DORA Regulation applicability date, Jan. 17, 2025, MLT FSA's guidance will no longer apply to Authorized Persons in scope of the DORA Regulation.
  • MLT FSA's guidance will continue to apply to Authorized Persons not in scope of DORA Regulation, and a list of such Authorized Persons is provided in Annex 1 of this circular.
  • Guidance that was issued by MLT FSA, and relevant rules currently cross-referencing it, will be amended at a later stage to reflect the update as per DORA Regulation.
  • If necessary, email MLT FSA's Supervisory ICT Risk and Cybersecurity function.
  • Effectiveness
  • From Jan 17, 2025 the MLT FSA guidance will only apply to: trustees/other fiduciaries; company service providers; professional investor funds (PIFs), including self-managed PIFs; investment service providers that are custodians and depositories.
  • Also applies to recognized fund administrators; managers of AIFs as referred to in Art 3(2) of AIFMD Dir 2011/61 (De Minimis alternative investment fund managers).
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises.
  • Institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total; insurance and reinsurance undertakings as referred to in Art 4 of Dir 2009/138; personal retirement schemes and administrators of personal retirement schemes; FIs that solely provide activities of the first schedule of the Financial Institutions Act (Cap. 376 of the Laws of Malta).
  • Authorised Credit Servicers in terms of the Credit Services and Credit Purchasers Act.
  • Editorial Update
  • On Mar. 29, 2024, Reg-Track added effectiveness heading/content to above summary.
  • In Mar. 2024, MLT FSA minimum expectations on upcoming DORA, see #206267.
Regulators
MLT FSA
Entity Types
B/D; Bank; Corp; Depo; Fiduciary; HF; IA; IB; Ins; Inv Co; MSB; OTC; Pension; Servicer
Reference
Cir, 1/27/2025; Cir, 3/26/2024; DORA Dir 2022/2556, Reg 2022/2554; Reg 2023/1114;
Functions
Compliance; Cyber; Financial; Legal; Outsourcing; Reinsurance; Reporting; Risk; Technology
Countries
Malta
Category
State
N/A
Products
Banking; Cryptocurrency; Custody; Fund Mgt; Hedge Funds; Insurance; Mutual Funds; Pensions; Securities
Rule Type
Final
Regions
EMEA
Rule Date
Mar 26, 2024
Effective Date
Apr 17, 2025
Rule ID
206198
Linked to
Reg. Last Update
Jan 27, 2025
Report Section
EU