Legal Amendments implementing DORA Regulation in Maltese Law

Introduction

On the 11th of November 2024, the Malta Financial Services Authority (the “MFSA”) published a new Circular concerning the legal measures necessary for the national implementation of Regulation 2022/2554 on Digital Operational Resilience (the “DORA Regulation”). The DORA Regulation is accompanied by the DORA Amending Directive (EU) 2022/2556 (the “Amending Directive”). In line with the transposition deadline of the Amending Directive, the DORA Regulation shall be applicable as from the 17th of January 2025.

The MFSA’s announcement relating to the measures implementing elements of the DORA Regulation follows the earlier release of the Consultation Document, which sought feedback from local stakeholders on the proposed implementation approach to be adopted for the DORA legislative package. The MFSA announced that measures related to the transposition of the DORA Amending Directive will be published in due course.

MFSA Act (DORA) Regulations, 2024 [1]

Legal Notice 166 of 2024 serves as the legislative foundation for the implementation of the DORA Regulation within Malta’s national legal framework. This legal notice officially designates the MFSA as the competent authority responsible for overseeing the implementation of the DORA Regulation and ensuring compliance across relevant sectors. To this end, the MFSA is endowed with extensive supervisory powers, enabling it to monitor, assess, and enforce adherence to the provisions outlined in the Regulation.

Additionally, Legal Notice 166 of 2024 empowers the MFSA to impose administrative penalties and take other corrective measures in response to any breaches of the DORA Regulation. This authority ensures that entities operating within the financial services sector are held accountable for any non-compliance, promoting a secure and resilient digital environment.

The legal notice further establishes the Financial Services Tribunal as the designated forum for appeals. This provides an avenue for persons to challenge any administrative penalties or measures imposed by the MFSA, thereby ensuring fairness and transparency in the enforcement process. Together, these provisions underscore Malta’s commitment to aligning with EU standards on operational resilience while maintaining robust oversight and accountability mechanisms.

Data Reporting Services (Amendment) Regulations, 2024 [2]

Legal Notice 255 of 2024 serves as the legislative instrument through which Malta formally incorporates updates to the current Data Reporting Services Regulations (Subsidiary Legislation 345.21 of the laws of Malta), in alignment with changes introduced by the DORA Regulation. These updates are designed to enhance the operational resilience framework within the financial services sector, ensuring consistency with the EU-wide regulatory standards set out in the DORA Regulation.

The primary focus of these amendments is to ensure that specific entities – namely, authorised persons, consolidated tape providers, and approved reporting mechanisms – comply with the enhanced operational resilience requirements mandated by the DORA framework. This includes adopting robust measures to safeguard ICT systems, manage cyber risks, and ensure business continuity in the face of potential disruptions. The changes aim to promote a more secure, efficient, and reliable data reporting infrastructure across the financial services ecosystem, aligning national practices with broader EU objectives.

 

[1] Legal Notice 166 of 2024, Malta Financial Services Authority Act (Cap. 330), Digital Operational Resilience Act (DORA) Regulations, 2024

[2] Financial Markets Act (Cap. 345) and Investment Services Act (Cap. 370) Data Reporting Services (Amendment) Regulations, 2024