DORA: the MFSA’s expectations in terms of minimum preparations

The target date of 17 January 2025 has by now become synonymous with compliance by financial firms with Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector (“DORA” and the “Amending Directive”).

DORA applies to EU financial firms (the umbrella term “financial entities” is used), such as banks, insurance companies, payment and e-money institutions and investment firms and to third party service providers of ICT services which contract with these financial entities. DORA also captures providers of critical information to the financial services sector such as credit rating, critical benchmarking and data reporting services as well as financial market infrastructure providers such as central securities depositories, central counterparties and trading venues.[1]

Broadly, DORA consists of requirements in five main areas:

  • ICT risk management.
  • ICT incident reporting.
  • Digital operational resilience testing.
  • ICT third-party risk management.
  • Information and intelligence sharing.

On 5 September 2023, the MFSA issued an update to its Circular on DORA and the Amending Directive, which it had originally published in January 2023 (the “Circular Update”).[2] The MFSA reminds entities in scope that the obligations on financial entities in the ICT-related areas outlined above “will change when compared to the obligations emanating from ICT-related provisions within the current applicable Acts, Regulations, Rules and/or sector-specific Guidelines.”

The Circular Update is one of several means through which the MFSA is keeping in touch with the industry about this important regulatory compliance milestone. The MFSA expects the relevant entities to keep abreast of ongoing updates and highlights the following upcoming developments:

  • The Public Consultation on the national implementation of the Regulation and the national transposition of the Amending Directive, planned to be issued by the MFSA in Quarter 4, 2023.
  • The European Supervisory Authorities (ESAs) Joint Committee public consultation on the second set of Technical Standards.

Both consultations are intended for interested stakeholders to share their views with the MFSA and the ESAs as applicable.

In addition, in its Circular Update, the MFSA takes the opportunity to emphasise what it considers to be the “minimum” level of preparation towards compliance with DORA. Amongst others, the MFSA expects that any relevant entity:

  • has duly informed Board and management and key function holders of requirements emanating from DORA;
  • keeps itself abreast of updates on the development of Technical Standards;
  • is duly aware of new reporting requirements and/or changes to existing reporting requirements as specified by DORA;
  • has duly discussed and planned for possible new compliance costs;
  • has carried out a gap analysis between its present relevant strategies, policies, procedures, plans, systems, tools and the requirements of DORA;
  • has formally adopted a transition plan towards compliance with DORA; and
  • if applicable, has engaged in discussions with external auditors, consultants and ICT Third Party Service Providers.

A cursory look at the MFSA’s expectations above brings to light the role to be played by the Board and management of relevant entities in ensuring, through their respective roles and functions, that DORA compliance is on track. DORA compliance needs to be embedded in agendas, discussions and priorities. Although 17 January 2025 may appear to be a long way off, awareness, preparedness, gap analysis and action plans are key.