Publication of the Malta Financial Services Authority Act (Digital Operational Resilience Act (DORA)) Regulations, 2024

As the date of application of Regulation (EU) 2022/2554 (“DORA” or the “Regulation”) is drawing closer, on the 16th July, 2024, a Legal Notice (166 of 2024) implementing the relevant provisions of the Regulation into Maltese law was published in the Malta Government Gazette (“DORA MT Regs”).

The DORA MT Regs by and large mirror the draft version of the DORA MT Regs as published by the Malta Financial Services Authority (“MFSA”) for consultation on the 16th January, 2024.

The below is a non-exhaustive summary of the most salient features of the DORA MT Regs.

  • Purpose: the purpose of the DORA MT Regs is to implement the relevant provisions of DORA into Maltese law.
  • Effective Date: the DORA MT Regs shall come into force on the 17th January, 2025 (coinciding with the date of application of the Regulation).
  • Applicability: the DORA MT Regs shall apply to the financial entities (“FEs”) referred to in Article 2(1) of the Regulation, and shall not apply to (i) the entities referred to in Article 2(3) of the Regulation, and (ii) the Malta Development Bank established by the Malta Development Bank Act (Cap. 574, Laws of Malta).
  • Competent Authority: the MFSA has been designated as the competent authority in Malta responsible for implementing the relevant provisions of the Regulation into Maltese law, and for ensuring FEs’ compliance with the Regulation, the DORA MT Regs, other applicable law and regulation. In such capacity, the MFSA shall exercise all the functions, obligations and powers of, and shall satisfy all the requirements imposed on, competent authorities by the Regulation.
  • The MFSA’s Powers: the DORA MT Regs provide the MFSA with wide-ranging powers, including the power to:
    1. issue rules for the better carrying out of the provisions of the Regulation and the DORA MT Regs;
    2. request information and documents from FEs;
    3. carry out inspections and investigations on FEs and any other person who consents to be interviewed for the purpose of collecting information relating to the subject matter of an investigation;
    4. order FEs to carry out corrective and remedial measures for breaches of obligations under the Regulation, the DORA MT Regs, other applicable law and/or regulation;
    5. impose effective, proportionate and dissuasive administrative penalties (of up to EUR150,000 per breach) and other administrative measures (e.g., to issue an order requiring a person to cease the conduct in breach of applicable law and/or regulation, and to desist from repeating such conduct); and
    6. to name and shame FEs in breach of their obligations under the Regulation, the DORA MT Regs, other applicable law and/or regulation.
  • Right of Appeal: the DORA MT Regs also provide a person in respect of whom a decision is taken by the MFSA in terms of the DORA MT Regs, the Regulation, other applicable and/or regulation, with the right to lodge an appeal from such a decision before the Financial Services Tribunal established under the Malta Financial Services Authority Act (Cap. 330, Laws of Malta).
  • Criminal Liability: Regulation 11 of the DORA MT Regs also renders certain acts or omissions, as well as more generally breaches of obligations under the Regulation, the DORA MT Regs, other applicable law and/or regulation, a criminal offence. Any person who contravenes the provisions of the said Regulation 11 shall, on conviction, be liable to the punishment of imprisonment for a term not exceeding one (1) year, or to a fine (multa) not exceeding EUR150,000, or to both such fine and imprisonment.

The journey towards DORA readiness is a complex task which is further compounded by the various regulatory and implementing technical standards, and guidance documents being released under the Regulation. Ganado Advocates has a DORA-focused team of professionals who are readily available to assist with any queries relating to the application of, and requirements or implications arising under, the Regulation and/or the DORA MT Regs as may be applicable to your firm.