Will DORA impact the scope of MFSA’s Guidance on (amongst others) ICT Risk Management and Outsourcing Arrangements?

As the date of application of Regulation (EU) 2022/2554 (the “Regulation” or, as it is more commonly known, “DORA”) looms large on the horizon, the MFSA has issued a critical Circular which lays to rest the conundrum that entities falling within the scope of the MFSA’s regulatory remit have been pondering in the space of ICT risk management and, more broadly, digital operational resilience.

The Circular clarifies to the industry that, with effect from DORA’s date of application (17 January, 2025):

  1. MFSA’s cross-sectoral Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements published in 2020 (the “MFSA Guidance Document”) will no longer apply to MFSA Authorised Persons which fall within scope of DORA (i.e., the Authorised Persons which qualify as ‘financial entities’ under the Regulation); and
  2. the MFSA Guidance Document will continue to apply to MFSA Authorised Persons which do not fall in scope of DORA, such as company service providers and recognised fund administrators. An exhaustive list of such Authorised Persons is included in Annex 1 to the Circular.

The journey towards DORA readiness is a complex task which is further compounded by the regulatory technical standards and guidance documents being released under the Regulation. Ganado Advocates has a DORA-focused team of professionals who are readily available to assist with any queries relating to the application of, and requirements emanating from, the MFSA Guidance Document or DORA as may be applicable to your firm.