Digital transformation is essential and provides opportunities for the financial services sector and consumers alike. Its fast and uneven pace needs to be embraced with an open mind, but adaptation must be met with strategy, ensuring sustainability and resilience to risk, say Christopher P Buttigieg, Chief Officer Supervision, and Alan Decelis, Head of Supervisory ICT Risk and Cybersecurity at the MFSA.

As a result of dependency and interconnectedness, ICT risk has been widely recognised as a source of systemic risk worldwide. The increased reliance on arrangements with ICT Third Party Providers also means that Big Techs are becoming increasingly critical and are deepening interdependencies.

At a European level, this risk is being addressed through the Digital Operational Resilience Act (DORA), which will become applicable on January 17, 2025.

DORA is built on five principal pillars – ICT Risk Management; Incident Management, Classification and Reporting; Testing; Third-Party Risk; and Information Sharing Arrangements – and brings a harmonised set of requirements that apply uniformly across the whole financial sector. Under DORA the European Supervisory Authorities will start overseeing Critical ICT Third Party Providers.

Addressing ICT risks and digital finance challenges with a focus on strengthening operational resilience within the framework of DORA is one of the MFSA’s Strategic Priorities. For this purpose, the MFSA established a dedicated supervisory function and has consulted on the legislative package for the implementation of DORA while providing guidance on how it should be implemented in practice.

In 2023, the Authority addressed Boards of Directors of financial entities regarding compliance with the DORA Regulation. Expectations included informing management and key function holders about DORA, staying updated on technical standards, and understanding new reporting requirements. Entities are also expected to plan for compliance costs, conduct a gap analysis, adopt a transition plan approved by management, and engage with auditors and ICT Third Party Service Providers. Feedback indicates good awareness but limited progress in planning, analysis, and transition. The Authority expects tangible progress as the DORA Regulation’s applicability date nears.

Sufficient DORA preparedness is set as one of the outcomes that the MFSA intends to achieve through its supervision in 2024. The ‘2024 Minimum Expectations’ include developing a digital operational resilience strategy, a compliant ICT Risk Management Framework, an incident management process, incident classification and reporting standards, a resilience testing programme, and an ICT third-party risk management strategy and policy, as well as aligning contracts with ICT Third-Party Service Providers with DORA requirements. These steps are crucial for financial entities to meet DORA compliance standards effectively.

This year, financial entities must fill gaps in meeting the 2023 Minimum Expectations and progress towards meeting the 2024 requirements by developing strategies and frameworks. The Authority stresses the urgency for management bodies to steer financial entities towards full compliance with the impending DORA Regulation.

Developing robust strategies and frameworks is paramount, requiring entities to rectify previous gaps and meet heightened expectations in 2024. By utilising various supervisory tools, including inspections and CEO correspondence, the MFSA remains committed to providing further guidance to the industry, ensuring compliance with both 2023 and 2024 Minimum Expectations.
