The Malta Financial Services Authority (the ‘MFSA’) has issued a Circular entitled: Update and Benchmarking Exercise on Regulation (EU) 2022/2554 on Digital Operational Resilience (the ‘Regulation’), which shall apply as from 17 January 2025.
Essentially, as provided in the Circular, the Regulation places several requirements on the financial entities within its scope, in the areas of ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; managing of ICT third-party risk; and voluntary information-sharing arrangements.
Having said this, it is to be noted that the obligations on financial entities in the abovementioned ICT-related areas will change when compared to the obligations emanating from the ICT-related provisions of the currently applicable Acts, Regulations, Rules and/or sector-specific Guidelines.
The Circular also advises Authorised Persons to keep themselves well informed of ongoing updates relating to the Regulation, particularly the following:
- The upcoming Public Consultation on the national implementation of the Regulation and the national transposition of the Amending Directive; and
- The upcoming ESAs Joint Committee Public Consultation on the second set of Technical Standards, following the initial Public Consultation on the first set of Technical Standards published on the 22nd of June 2023.
The MFSA expects the management bodies of financial entities falling within the scope of the Regulation to ensure that the entity is well on track in its preparations for compliance with the Regulation by the 17th of January 2025.
As a minimum, and as at the date of the Circular (the 5th of September 2023), financial entities shall:
- have duly informed the management body of the Regulation;
- have duly informed key function holders of the Regulation, including representatives from the Three Lines of Defence;
- be keeping themselves abreast with any updates in relation to the development of the Technical Standards;
- be duly aware of new reporting requirements and/or changes to existing reporting requirements, as specified by the Regulation;
- have duly discussed and planned for possible new compliance costs arising from the Regulation;
- have carried out a gap analysis between their present relevant strategies, policies, procedures, plans, systems and tools and the requirements of the Regulation;
- have formally adopted a transition plan towards compliance with the Regulation that has been approved by the management body and communicated accordingly;
- if applicable, have engaged in discussions with their external auditors and/or consultants regarding the Regulation; and
- if applicable, have engaged in discussions with their ICT Third Party Service Providers regarding the Regulation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.