MFSA Circular on Update and Benchmarking Exercise on Regulation (EU) 2022/2554 on Digital Operational Resilience

5th September 2023 – The Malta Financial Services Authority (“MFSA” or the “Authority”) has issued an update on Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 (the “Regulation”) on Digital Operational Resilience for the financial sector, which will apply from 17th January 2025. The Regulation sets out requirements for financial entities in areas such as ICT risk management, ICT-related incident management, digital operational resilience testing, management of ICT third-party risk, and voluntary information-sharing arrangements. Interested stakeholders are invited to share their views with the Authority.


The Regulation will be supplemented by regulatory and implementing technical standards drafted by the European Supervisory Authorities (“ESAs”) through their Joint Committee. The Authority has also issued a circular informing stakeholders of the ESAs’ Joint Committee Public Consultation on the First Set of Technical Standards under Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector.


The obligations on financial entities in ICT-related areas will change compared to those arising from ICT-related provisions in the currently applicable Acts, Regulations, Rules and sector-specific Guidelines. The Authority is reaching out to the industry through various means, including written communications, periodic Digital Operational Resilience Act videocasts, Frequently Asked Questions, public consultations, and events such as webinars. Authorised persons are expected to keep abreast of ongoing updates, particularly regarding the national implementation of the Regulation and the national transposition of the amending directive.


Benchmarking Exercise:

The Authority expects financial entities to ensure compliance with the Regulation by its applicability date of 17th January 2025. This includes: informing management bodies and key function holders; keeping up with the development of the technical standards; being aware of the new reporting requirements; discussing compliance costs; analysing gaps in existing strategies, policies, procedures, plans, systems and tools; adopting a transition plan; engaging with external auditors and consultants; and engaging with ICT third-party service providers.


Financial entities must also have formally adopted a transition plan, communicated it, and engaged in discussions with external auditors and consultants. Authorised persons can request further information or provide feedback by emailing the Supervisory ICT Risk and Cybersecurity function within the MFSA at [email protected].


The full circular can be accessed through this link:
