On 26 September 2025, the Malta Financial Services Authority (MFSA) published a Dear CEO Letter setting out its supervisory observations on digital operational resilience following the 2024 supervisory cycle. The letter describes how Maltese financial institutions are preparing to meet the requirements of the Digital Operational Resilience Act (DORA) and highlights both positive developments and areas of persistent shortcomings.
The letter reaffirms that resilience is a growing supervisory priority for the MFSA, which recognises that the financial sector's dependence on technology and third-party ICT providers exposes it to new vulnerabilities. Although close to 90% of the controls evaluated were either fully or partially implemented, the regulator identified a number of recurring gaps that firms must close if they are to sustain the standards DORA requires.
Supervisory approach and methodology
The MFSA is progressively moving to an Outcomes-based Supervisory Approach built around a three-year cycle. Under this cycle, a firm undergoes a comprehensive supervisory engagement, is given a twelve-month remediation period, and is then reassessed after two years against the same tools and controls. The approach is intended to promote lasting change rather than quick fixes.
Only 13% of supervisory engagements in 2024 were carried out under this outcomes-based model, but the MFSA has indicated that it intends to increase this share. Initial results are encouraging: firms assessed under the outcomes-based framework performed better than those assessed through conventional engagements, with 61% of controls met in full compared to 55% in non-outcomes-based engagements. The regulator reads this as evidence that regular monitoring and structured follow-up produce more durable results.
Areas of supervisory focus
In 2024, supervisory work focused on four priorities: DORA preparedness, the effectiveness of risk management and compliance functions, the adequacy of incident management processes, and the effectiveness of oversight over ICT third-party providers.
These areas were chosen because they are seen as the building blocks of digital resilience. The existence of sophisticated systems within a firm is not a guarantee that the firm will be able to withstand disruption unless it has effective governance, incident response, testing, and management of third parties.
According to the MFSA's results, although the sector is heading in the right direction, companies need to do more to embed resilience in everyday governance and operations, rather than considering it a compliance procedure.
Weaknesses in ICT risk management
ICT risk management is one of the areas with the most visible gaps. Many firms have created ICT risk frameworks; however, the MFSA found that these are not always adequately integrated into the organisation's overall risk management structure. In practice, ICT risk is sometimes handled as a stand-alone issue rather than as part of the firm's overall risk profile.
The MFSA pointed to common flaws in risk identification, mitigation and governance structures. Specifically, not all firms maintained a sufficiently detailed ICT risk register or reviewed it regularly as the threat landscape changed. Inconsistent use of risk management tools was also observed, with some firms relying heavily on informal procedures rather than formal ones.
Third-party risk management was another area of weakness. Although most firms recognised their dependence on external ICT vendors, oversight of those vendors was often not conducted in sufficient depth. The regulator noted that risk assessments were at times superficial, and in some instances firms failed to adequately assess whether their third-party arrangements were resilient enough to withstand disruption.
Gaps in resilience testing
A significant finding of the MFSA's review was that resilience testing is not yet established in the majority of firms. Although basic techniques such as vulnerability scanning are commonplace, few organisations have adopted formal resilience testing programmes that meet DORA's requirements.
Advanced testing, such as the threat-led penetration testing (TLPT) that DORA requires of certain designated entities, appears to remain uncommon, even though such exercises offer essential insight into how a firm would fare in a real incident. The MFSA was also concerned that internal audit functions frequently lack ICT expertise and are therefore unable to provide an independent review of resilience measures.
Some firms conducted resilience exercises without recording the results or systematically following up on lessons learned. This undermines the effectiveness of the testing process and leaves gaps in accountability.
To address these weaknesses, the MFSA has introduced the TIBER-MT framework, the national implementation of TIBER-EU (Threat Intelligence-based Ethical Red Teaming). The Authority strongly encourages the use of TIBER-MT as a means of building operational resilience and regards it as an important mechanism for raising testing standards across the sector.
Shortcomings in third-party risk oversight
Many firms have started to prepare the Register of Information on their contractual arrangements with ICT third-party service providers required under Article 28 of DORA; however, these registers tend to be incomplete or do not capture all the data points DORA defines.
Outsourcing policies themselves are often underdeveloped. The MFSA noted that numerous policies lack clear governance responsibilities, detailed risk assessment procedures and proper monitoring mechanisms, making it difficult for firms to demonstrate adequate oversight of critical service providers.
The MFSA has therefore urged firms to take a more proactive approach to third-party risk management, strengthening governance structures, monitoring processes and contractual arrangements so that they satisfy DORA's requirements.
Looking ahead
Despite the weaknesses outlined above, the MFSA's tone is cautiously optimistic. The Authority acknowledged the considerable progress made across the sector in 2024 and welcomed firms' growing investment in resilience measures. At the same time, it made clear that operational resilience must be treated as a strategic concern rather than merely a regulatory requirement.
The MFSA expects firms to move faster to integrate ICT risk into their governance models, build a detailed incident response capability, implement structured resilience testing and improve third-party controls. As outcomes-based supervision expands, firms will face increasing scrutiny and will be required to demonstrate real improvement over time.
Conclusion
The Dear CEO Letter both acknowledges progress and serves as a call to action. The MFSA's results indicate that approximately 90% of controls are met at least in part; nevertheless, recurring weaknesses in ICT risk management, incident response, resilience testing and third-party management must be addressed.
For firms, the message is straightforward: digital operational resilience is not merely about ticking a regulatory box. It is about building trust, stability and competitiveness in an increasingly digital financial sector. Institutions that act proactively will not only meet DORA's requirements but will also be better prepared to withstand the growing risk of cyber disruption.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.