MFSA clarifies the scope of application of the DORA Framework to VFA Service Providers transitioning towards authorisation under the MiCA Regulation

On the 27th January, 2025, the MFSA released a Circular (the “2025 MFSA Circular”) with an important clarification under Regulation (EU) 2022/2554 (the “DORA Regulation”) pertinent to firms operating within the crypto space.

By way of background, on the 26th March, 2024, the MFSA issued a Circular (the “2024 MFSA Circular”) through which the MFSA laid to rest the conundrum which industry had faced in terms of identifying which regime shall be applicable to financial services operators as of the 17th January, 2025 (the DORA Regulation’s application date); you may wish to refer to this publication as a refresher.

Annex 1 to the 2024 MFSA Circular included an exhaustive list of the MFSA Authorised Persons which were, and remain, subject to the MFSA’s Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements (the “MFSA Guidance Document”), including, by way of example, company service providers and recognised fund administrators. The entities listed in Annex 1 to the 2024 MFSA Circular do not fall in scope of the DORA Regulation. However, the said Annex 1 made no mention of the fate of operators licensed by the MFSA as VFA service providers under the VFA Act (Chapter 590, Laws of Malta (the “VFA Act”)).

Against this backdrop, Ganado Advocates sought a clarification on behalf of industry from the MFSA to confirm whether existing operators licensed by the MFSA as VFA service providers under the VFA Act shall or shall not fall in scope of the DORA Regulation between the 17th January, 2025 (the DORA Regulation’s application date), and:

  1. the date on which the operator is granted or refused an authorisation as a crypto-asset service provider under Article 63 of Regulation (EU) 2023/1114 (the “MiCA Regulation”); or
  2. the 1st July, 2026, being the end of the transitional period referred to in Article 58(3) of the MiCA Act (Chapter 647, Laws of Malta);

whichever occurs first.

The 2025 MFSA Circular has now clarified the following:

  • the DORA Regulation applies to, inter alia, crypto-asset service providers as authorised under the MiCA Regulation and issuers of asset-referenced tokens;
  • a VFA service provider authorised under the VFA Act is required to continue following the guidelines set out in the MFSA Guidance Document until the 1st July, 2026, or until the operator is granted or refused an authorisation as a crypto-asset service provider under Article 63 of the MiCA Regulation; and
  • a VFA service provider which receives authorisation from the MFSA as a crypto-asset service provider pursuant to Article 63 of the MiCA Regulation shall, with effect from the date of the receipt of such authorisation: (a) no longer be subject to the MFSA Guidance Document, and (b) qualify as a financial entity under, and become subject to, the DORA Regulation.

Complying with the DORA Regulation is a rather complex task which is further compounded by the regulatory and implementing technical standards and guidance documents being released under the DORA Regulation. Ganado Advocates has a DORA-focused team of professionals who are readily available to assist with any queries relating to the application of, and requirements emanating from, the MFSA Guidance Document or the DORA Regulation as may be applicable to your firm.