MFSA issues Consultation Document on the National Implementation of Regulation (EU) 2022/2554 and Transposition of Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector

On 16 January 2024, the Malta Financial Services Authority (“MFSA”) launched the first consultation process in relation to the implementation of the Regulation on digital operational resilience for the financial sector (“DORA”), which will apply from 17 January 2025.

The Consultation Document issued by the MFSA proposes the following implementation measures:

  1. Digital Operational Resilience Act (DORA) Regulations, 2023 which:

     a. Designates MFSA as the designated competent authority for DORA and the Digital Operational Resilience Act (DORA) Regulations, 2023;

     b. Assigns to MFSA all functions, obligations and powers imposed on competent authorities under DORA, including:

      1. Reporting of Major ICT-Related Incidents and Voluntary Notification of Significant Cyber Threats
      2. Responsibility for threat-led penetration testing matters at a national level

     c. Introduces provisions on cooperation and exchange of information, including:

      1. Transmission of reports and notifications to the European Central Bank in the case of credit institutions classified as significant
      2. Transmission of reports and notifications to the national Computer Security Incident Response Team
      3. Exchange of information

     d. Lays down Administrative and Criminal Penalties and Remedial Measures for breaches of the DORA Regulation

  2. Financial Markets Act and Investment Services Act Data Reporting Services (Amendment) Regulations, 2023 which proposes to amend both S.L. 345.21 and S.L. 370.37.

  3. Amendments to a number of pieces of cross-sectoral legislation, including amendments to:

     a. Financial Institutions:

      1. Financial Institutions Act, Cap. 376
      2. Financial Institutions Rule FIR/01

     b. Credit Institutions:

      1. Banking Act, Cap. 371
      2. S.L. 371.16
      3. S.L. 371.05
      4. Banking Rule BR/24

     c. Regulated Markets and Market Operators:

      1. S.L. 345.04
      2. Financial Markets Act, Cap. 345

     d. Investment Service Providers:

      1. Investment Services Rules for Investment Services Providers Part B, Part BI, Part BII and BIII
      2. S.L. 370.25
      3. S.L. 370.15

     e. Insurance:

      1. Chapter 6 of the Insurance Rules: Systems of Governance

     f. Pensions:

      1. Pension Rules for Occupational Retirement Schemes issued in terms of the Retirement Pensions Act, 2011

     g. Resolution:

      1. S.L. 330.09

Feedback on the proposed legislative amendments is to be submitted via the Government Portal and feedback on amendments to the MFSA rules is to be addressed to the Supervisory ICT Risk and Cybersecurity Function within the MFSA by sending an email to sirc@mfsa.mt. Feedback is to be submitted by no later than 16 February 2024.