7 February 2023 | Analysis

MFSA spotlights EU’s push for digital resilience

The Malta Financial Services Authority (MFSA) has published an updated circular in relation to the Digital Operational Resilience Act (DORA), which was enacted to ensure that the financial sector in Europe is able to stay digitally resilient.

According to the MFSA, the update comes as the European Union (EU) has been strengthening the information and communication technology (ICT) security of financial entities, such as banks, insurance companies and investment firms, due to increasing numbers of cyber attacks.

Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations was recently published in the Official Journal of the EU and came into effect on 16 January 2023.

It will become fully applicable on 17 January 2025, after a two-year implementation period.

This Regulation “aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle, at the time of their adoption, all components of operational resilience.”

According to the MFSA: "DORA introduces provisions, subject to different layers of proportionality, on financial entities in the areas of ICT risk management, ICT-related incident management, classification and reporting, digital operational resilience testing, managing of ICT third-party risk (including an oversight framework of critical ICT third-party providers) and voluntary information-sharing arrangements, with the aim of assisting firms in ensuring that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. The requirements imposed by DORA are homogeneous across all EU member states, with the ultimate aim of preventing and mitigating cyber threats, and are essentially applicable to critical third parties which provide ICT-related services to financial entities."