ICT Incident Reporting Process - Introduction
On 24 March 2025, the Malta Financial Services Authority ("MFSA") issued version 3.00 of its Major ICT-Related Incident Reporting Process, refining the framework introduced in 2022 and further updated in January 2025. This latest iteration reflects recent regulatory developments under the Digital Operational Resilience Act ("DORA") including the adoption of new Regulatory Technical Standards ("RTSs") in early 2024.
This version replaces the January 2025 version 2.00 process and aligns national reporting obligations with:
- Commission Delegated Regulation (EU) 2024/1772 – on classification and thresholds; and
- Commission Delegated Regulation (EU) 2025/301 – on content and timeframes for initial, intermediate, and final reporting.
To date, the MFSA's process to ICT-related incident reporting has matured over three releases:
October 2022 (Version 1.00): Introduced the first structured framework on the basis of the MFSA's 2022 consultation on the subject, which outlined the supervisory expectations regarding ICT incident reporting. That consultation, covered by our team at the time (see our summary).
January 2025 (Version 2.00): Aligned the framework with core DORA provisions and introduced the Cyber Reporting Management System ("CRMS").
March 2025 (Version 3.00): Fully integrates EU-level RTSs and clarifies reporting triggers and deadlines.
Compliance
The reporting process applies to all Authorised Persons, that is, entities licensed, registered, or otherwise authorised by the MFSA. Notably:
- For entities within scope of DORA, the process is mandatory.
- For other entities, it applies on a supervisory expectation basis as discussed in a previous article.
Qualification of Major ICT-Related Incident
The MFSA adopts the DORA definition of a Major ICT-Related Incident, namely, an incident that causes a high adverse impact on the network and information systems supporting critical or important functions of the financial entity. Specifically, the classification criteria are set out under Commission Delegated Regulation (EU) 2024/1772.
Annex A of the MFSA's reporting process provides a decision-making flow for determining whether an ICT-related incident meets the threshold to be reported as a Major ICT-Related Incident under DORA. The assessment follows a structured, three-step approach:
| 1 | The first step is to determine whether the incident has impacted critical or important functions of the financial entity. This is a threshold requirement drawn from Article 6 of Commission Delegated Regulation (EU) 2024/1772. To this extent: If the answer is in the negative, the incident is deemed non-major, and reporting is not required under this framework. If in the positive, the next step is to be followed. |
| 2 | The next step ponders whether the incident involved any successful, malicious, and unauthorised access to the entity's network and information systems. If yes, the incident is automatically classified as major, triggering the reporting obligation. If no, further assessment is required. |
| 3 | If there was no malicious access, the incident may still be considered major if it meets two or more of the following criteria, drawn from Article 9 of the same Delegated Regulation: Impact on clients, financial counterparts, or transactions; Reputational damage; Extended duration or significant service downtime; Wide geographical spread; Data losses; and Notable economic impact. If two or more of these apply, the incident must be reported as major. Otherwise, it remains non-major for the purposes of MFSA/DORA reporting. |
A Structured, Three-Tier Reporting Model
Under the new process, aligning with Commission Delegated Regulation (EU) 2025/301, Authorised Persons must follow a three-stage reporting timeline via the CRMS on the License Holder Portal:
- Initial Report: Submit within 4 hours from classification as "major", and no later than 24 hours from becoming aware of the incident.
- Intermediate Report: Due within 72 hours from the initial report, even if there are no new developments. Updated reports must be submitted once normal operations are restored.
- Final Report: Required within one month of the last intermediate report.
Complementing this third rendition of the Reporting Process, to facilitate compliance, the MFSA has released Report Templates as well as User Guides.
Remarks
The MFSA's new process underscores the increasing regulatory emphasis on digital resilience. Financial entities, especially those relying heavily on outsourced ICT services, should ensure their incident response and escalation workflows are DORA-compliant and tested in practice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.