The applicable cybersecurity regime is based on the European cybersecurity legislation and includes the Network and Information Security Directive 2 (NIS2), as well as EU Regulation 2019/881, which is directly applicable to Malta and is known as the Cybersecurity Act. The Cybersecurity Act establishes common cybersecurity certification at the EU level, while NIS2 aims to ensure a high common level of security of networks and information systems across the European Union.
Other transposed EU regulations include:
- the GDPR, which protects personal data;
- the Payment Services Directive (2015/2366) (PSD2); and
- EU Regulation 1093/2010 on the European Banking Authority.
Digital Operational Resilience Act: The Digital Operational Resilience Act (EU Regulation 2022/2554) (DORA) was ratified by the European Parliament in November 2022. DORA mandates certain entities, including crypto-asset service providers (CASPs), to address information and communications technology (ICT)-related incidents comprehensively, covering:
- protection;
- detection;
- containment;
- recovery; and
- restoration of capabilities.
DORA emphasises ICT risk, establishing rules for:
- management;
- incident reporting;
- resilience testing; and
- third-party risk monitoring.
DORA recognises that ICT incidents and operational resilience gaps can jeopardise the financial system, regardless of capital allocation. DORA will become applicable in Q4 2024, meaning that entities which are subject to it are expected to be in full compliance with DORA’s requirements by that time.
DORA is based on five key pillars, which set out obligations for subject entities, outlined below.
ICT risk management: DORA’s ICT risk management framework requires firm leadership to take full responsibility for:
- ICT risk management;
- resilience strategy; and
- third-party provider policies.
Competent authorities can impose penalties for regulatory breaches.
These rules are aligned with European Banking Authority and European Insurance and Occupational Pensions Authority guidelines but now have legal weight, increasing supervisory scrutiny.
Firms must:
- define ICT disruption tolerances;
- identify critical functions;
- understand dependencies; and
- conduct business impact analyses for severe disruptions, driving more sophisticated scenario testing and system redundancy for critical functions.
ICT-related incident reporting: DORA’s incident reporting framework simplifies EU obligations in the financial sector, but introduces new requirements for classifying and reporting ICT-related incidents. Firms need to enhance their capabilities to collect and analyse such incidents, which they often lack today.
While DORA adds ‘significant cyber threats’ to the reportable events list, reporting remains optional, with a requirement to notify affected clients or counterparties. Firms must record all significant cyber threats, necessitating improved incident management.
For ICT-related incident reporting, specific deadlines are delegated to European supervisory authorities (ESAs) in technical standards, causing uncertainty for firms.
ESAs are set to assess the feasibility of centralising incident reporting through a single EU hub. Streamlining reporting aims to reduce the compliance burden and enhance cross-border threat understanding.
Digital operational resilience testing: DORA mandates regular digital operational resilience tests for all relevant firms, excluding microenterprises. They must assess their ‘critical ICT systems and applications’ comprehensively at least annually, addressing any identified vulnerabilities. Additionally, firms with specific significance and maturity levels must perform ‘advanced’ threat-led penetration testing (TLPT) every three years, guided by the European Central Bank’s TIBER-EU framework.
DORA also requires financial sector firms to include all third-party providers (TPPs) supporting critical functions in their advanced testing. If a TPP cannot participate, it can conduct its own TLPT. This collaborative approach is an evolving practice that demands industry-wide cooperation.
ICT third-party risk management: DORA’s third-party risk management (TPRM) requirements are in alignment with the existing guidelines of the ESAs. However, DORA expands the scope to encompass non-cloud service provider (CSP) ICT outsourcing, going beyond the ESAs’ focus on CSPs.
Under DORA, these TPRM requirements introduce specific contractual terms that financial firms must incorporate into their ICT outsourcing agreements by the end of Q4 2024. The fact that these terms become legally binding under DORA increases the pressure on financial sector firms to successfully negotiate these terms with their service providers. Notably, some of these terms – such as providing ‘unrestricted access to premises’ in contracts supporting critical functions – may present practical challenges.
DORA also encourages the development of a ‘holistic multi-vendor strategy’ within the ICT risk management framework. While this aspect is optional, supervisors still have tools at their disposal to encourage its adoption. Additionally, firms are now obliged to conduct concentration risk assessments for all outsourcing contracts supporting the delivery of critical functions. This task is not only challenging in itself but may also compel firms to consider multi-vendor strategies or establish resilient frameworks to demonstrate why an alternative approach is not required.
Oversight framework: The revised DORA largely retains the enhanced oversight authority of the ESAs as proposed in the original text. This means that TPPs designated as ‘critical’ (CTPPs) will be subject to extensive regulatory powers, allowing ESAs to:
- assess;
- request security practice changes; and
- impose penalties when necessary.
As a result, CTPPs are compelled to demonstrate their capacity to enhance the resilience of their operations, particularly when critical or important functions of financial sector firms are involved.
The final version of DORA introduces several new safeguards regarding the ESAs’ ability to instruct financial sector firms to suspend or terminate their contracts with CTPPs. This inclusion offers assurance that these powers will be invoked:
- only in exceptional circumstances; and
- with careful consideration of their sector-wide implications.
Furthermore, the revised DORA significantly augments the role of the Joint Oversight Forum (JOF), a collaborative body comprising:
- ESAs;
- relevant authorities;
- supervisors; and
- independent experts.
The JOF will play an expanded role in shaping consistent best practices for overseeing CTPPs, potentially establishing a more defined standard for their expected level of resilience over time.
DORA and NIS2: The European Commission Guidelines, published in the Official Journal of the European Union on 18 September 2023, address key concerns for entities determining their compliance obligations under NIS2 and DORA, along with other sector-specific EU legal acts.
Article 4(1) of NIS2 states that when sector-specific EU legal acts (eg, DORA, applicable in the financial sector) require essential or important entities to implement cybersecurity risk-management measures or report significant incidents equivalent in effect to NIS2, the provisions of NIS2 will not apply to such entities; instead, sector-specific rules will take precedence. However, where sector-specific EU legal acts do not cover all entities in a specific sector, the relevant provisions of NIS2 will apply to the entities that are not covered.
Additionally, Article 4(2)(a) of NIS2 deems cybersecurity risk management measures mandated for essential or important entities under sector-specific EU legal acts equivalent in effect to the obligations in NIS2 when they are at least as effective as those outlined in Articles 21(1) and (2) of NIS2.
Until DORA takes effect, virtual currencies are still subject to a number of obligations with regard to cybersecurity. The European Banking Authority (EBA) has published several cybersecurity guidelines that must be observed, including guidelines on:
- internet payment security;
- the assessment of ICT risk; and
- security measures for operational and security risks under the Second Payment Services Directive.
At the national level, the Malta Financial Services Authority (MFSA) has issued guidance on cybersecurity specifically in relation to virtual currencies. The Supervisory ICT Risk and Cybersecurity function of the MFSA is responsible for supervising licence holders in the areas of ICT risk and cybersecurity, in order to ensure digital operational resilience. Generally, applicants for licences are required by the MFSA to implement IT infrastructure which ensures that the master data is retained in Malta.
The virtual financial asset (VFA) rulebooks also require licensed entities to:
- establish and maintain an operational framework that includes cybersecurity considerations at all levels (eg, technical and organisational); and
- appoint a chief information security officer (CISO) tasked exclusively with promoting a corporate culture that encompasses an active approach to cybersecurity, cybersecurity education and training.
Each licensed entity is advised to establish a cybersecurity framework considering its specific set-up and the nature of its business. It should provide for the following, among other things:
- information and data security roles and responsibilities, including the designation of the CISO;
- a privileged access management policy;
- a sensitive data management policy;
- a threat management policy;
- security education and training;
- an ongoing monitoring policy;
- risk assessments, the frequency and extent of which should be determined by the entity;
- maintenance of audit trails to detect and respond to cybersecurity events;
- an incident response and recovery plan;
- a business continuity plan; and
- a security policy for third-party service providers.
Further, licensed entities should:
- carry out a self-assessment of the deployed cybersecurity architecture; and
- ensure that internal and external audits are carried out at regular intervals to ensure compliance.
The guidance also requires them to ensure that payment transactions are conducted in a secure manner by continuously monitoring and enforcing the use of controls specified in the relevant technical standards and guidelines (eg, the Payment Card Industry Data Security Standard, the Cryptocurrency Security Standard and the EBA guidelines on internet payment security).
Issuers of VFAs are advised to:
- conduct advanced ex ante analysis of possible threat agents and risk factors affecting their cybersecurity, specifically focusing on the identification of possible risks associated with the initial VFA offerings;
- perform checks vis-à-vis the cybersecurity requirements included in the white paper; and
- implement threat and attack mitigation tools (eg, kill-switch, safe mode, encryption).
Finally, regarding VFA service providers, the guidance sets out the specific cybersecurity requirements for each respective licence class:
- Class 1 licence holders should implement suitable cybersecurity architecture to safeguard the respective data held and defend against data breaches;
- Class 2 and Class 3 licence holders should establish adequate mitigation controls to safeguard clients’ funds and consider several security risks regarding wallet creation (eg, geographical distribution of keys or multiple keys for signing); and
- Class 4 licence holders should, among other things, ensure that:
  - the back-up key is access controlled and encrypted;
  - keys are accessed securely (eg, with two-factor authentication set as a minimum, key management procedures and mitigation actions and a key compromise protocol); and
  - communication channels are authenticated.
However, once the Markets in Crypto-Assets Regulation and DORA are in full effect, the obligations of CASPs will be those set out in DORA, so firms are advised to perform gap analyses to ensure their compliance beforehand.