ARTICLE
8 May 2026

Financial Institutions And Supervisory ICT Risk And Cybersecurity Circulars Q1 2026

MK Fintech Partners

Contributor

MK Fintech Partners Ltd. is affiliated with the prestigious Michael Kyprianou Group, a leading international legal and advisory entity. Renowned for its diverse legal services, the group has become one of Cyprus' largest law firms, with offices in Nicosia, Limassol, Malta, Ukraine, the United Arab Emirates, and the UK.
The Malta Financial Services Authority has issued critical guidance on compliance reporting and digital operational resilience for financial institutions operating in Malta.

Executive Summary for MFSA Circulars Quarter 1

During the first quarter of 2026, the Malta Financial Services Authority (MFSA) issued a series of circulars addressing compliance reporting obligations for Financial Institutions and digital operational resilience requirements under the EU’s DORA framework. The circulars set out supervisory findings, regulatory expectations, and guidance relevant to all Authorised Persons (APs) operating within the Maltese financial sector.

Annual Compliance Report - Financial Institutions (January 27, 2026)

Fintech Supervision reviewed the first wave of Annual Compliance Reports (ACRs) submitted under Chapters 2 and 3 of the Financial Institutions Rulebook. The review revealed widespread deficiencies, including ACRs submitted without Board-approved Compliance Monitoring Plans (CMPs), unsigned reports, and plans that were entirely absent in some cases. Beyond formal breaches, the MFSA noted qualitative shortcomings such as missing risk assessments, incomplete testing schedules, and CMPs that focused disproportionately on AML to the exclusion of other regulatory obligations. The MFSA has designated 2026 as a grace period, but has made clear that future submissions must fully meet established compliance standards.

DORA Register of Information - Reporting Reminder (January 28, 2026)

Financial Entities were reminded of their obligation to submit a DORA-compliant Register of Information (RoI) via the MFSA’s LH Portal, using 31 December 2025 as the reference date, within the reporting window of 1 January to 21 March 2026. Non-compliance may result in regulatory action under L.N. 166 of 2024 and the MFSA Act.

Heightened Cyber Threat Advisory (March 5, 2026)

In response to an elevated threat environment, the MFSA urged APs to strengthen their cybersecurity. Key directives include enforcing multi-factor authentication, patching vulnerabilities promptly, centralising log monitoring, participating in threat intelligence-sharing networks, and validating incident response playbooks. APs were also reminded of mandatory major ICT-related incident reporting timelines under Commission Delegated Regulation (EU) 2025/301.

DORA Register of Information - Additional Data Quality Checks (March 5, 2026)

The MFSA confirmed that the European Supervisory Authorities will conduct supplementary data quality checks on 2026 RoI submissions during April 2026. An “Accepted” portal status does not guarantee compliance with these checks. Financial Entities required to resubmit must do so by 30 April 2026.

TLPT Codes of Conduct Guidance (April 23, 2026)

The MFSA, acting as the TLPT Authority under DORA, published guidance on codes of conduct for Threat-Led Penetration Testing, developed in collaboration with the TIBER-EU Knowledge Centre. The guidance supports external testers, threat intelligence providers, and financial entities using internal testers in structuring compliant and ethically sound codes of conduct.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
