The Digital Operational Resilience Act ('DORA'), formally known as Regulation ('EU') 2022/2554, became applicable to all financial entities within the European Union on 17th January 2025. This regulation aims to enhance the digital operational resilience of financial entities by establishing uniform requirements for managing Information and Communication Technology ('ICT') risks. A critical component of DORA is the obligation for financial entities to maintain a comprehensive RoI detailing all arrangements with ICT Third-Party Service Providers ('ICT TPPs').
Key Obligations for Financial Entities
Maintenance of the RoI
Under Article 28(3) of DORA, financial entities are required to maintain an up-to-date RoI that includes all contractual arrangements with ICT TPPs. The RoI must be comprehensive, accurately reflecting the scope, nature, and duration of each ICT service used, as well as any associated risks. The register should also include information on critical or important ICT TPPs, their role, and the potential impact of service disruptions.
Submission Deadlines
The Malta Financial Services Authority ('MFSA') has specified that for the year 2025, all authorised persons must submit their RoI between 1st April 2025 and 8th April 2025 (both days inclusive). This requirement applies to entities authorised by the MFSA up to and including 31st March 2025. Entities authorised after this date are exempt from the 2025 submission but must maintain the RoI and provide it upon request.
Consequences of Non-Compliance
Failure to submit the RoI by the specified deadline may result in regulatory actions from the MFSA. Such actions could include administrative penalties, regulatory sanctions, and reputational risks. Non-compliance with the DORA regulation, as set out in Legal Notice 166 of 2024 and the MFSA Act, may have serious implications for financial entities, particularly regarding ongoing relationships with ICT TPPs and overall regulatory standing.
Preparation and Reporting Framework
To facilitate compliance, the European Banking Authority ('EBA') has introduced the Final Technical Package for its Reporting Framework 4.0, which will apply from March 2025. Key features of this framework include:
- The Data Point Model ('DPM') 2.0, offering enhanced metadata features, improved validation rules, and greater automation of compliance processes.
- Standard Specifications, including new semantics and validation rules to support automated submission processes.
- Transition Support, as the EBA will continue to publish both DPM 1.0 and DPM 2.0 until December 2025, ensuring a smooth transition.
Financial entities are encouraged to familiarise themselves with the EBA Reporting Framework 4.0, which incorporates the latest XBRL taxonomies and technical specifications to support accurate and efficient reporting. The MFSA will issue further guidance on completing and submitting the 2025 RoI reporting in due course.
What to Expect Moving Forward
- The MFSA will provide detailed instructions for the 2026 RoI reporting process at a later date.
- Financial entities must remain proactive in monitoring updates to DORA compliance requirements, including any changes to submission deadlines or reporting obligations.
- For further clarification, financial entities can contact the MFSA Register of Information Team via email at roi@mfsa.mt.
Conclusion
The implementation of DORA marks a critical milestone in improving the digital resilience of the EU's financial sector. By adhering to the RoI requirements and meeting submission deadlines, financial entities will not only fulfil their regulatory obligations but also contribute to building a more secure and resilient financial ecosystem.
Financial entities are encouraged to act promptly to ensure compliance with DORA and take the necessary steps to maintain the RoI in line with regulatory requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
