Reporting of Major ICT-Related Incidents
On 13 October 2022 the MFSA published a Circular on the Reporting of Major ICT-Related Incidents (the “Circular”).
The Circular explains that after a public consultation process which began on 12 July 2022 the MFSA issued:
- A Major ICT-Related Incident Reporting Process document (the “Process Document”);
- Templates for Initial, Intermediate and Final Major ICT-Related Incident Reporting (the “Templates”); and
- User Guidelines for submitting Major ICT-Related Incident Reporting to the MFSA (the “User Guidelines”).
The MFSA expects all Authorised Persons (apart from credit institutions, payment service providers, electronic money institutions and account information service providers) to report Major ICT-Related Incidents, whether of an operational or security nature, to the Authority, in line with the Process Document, using the provided Templates, and by adhering to User Guidelines.
The MFSA cautions that major ICT-related incident reporting will eventually have to be aligned with the Digital Operational Resilience Act.
The Circular, the Process Document (including the Templates and the User Guide) apply from 13 October 2022 and supersede the Circular on Cybersecurity – Threat Mitigation which was published on 25 September 2019.
 Any person that is licensed, registered or otherwise authorised by the MFSA. The term ‘Licence Holder’ is also used by the MFSA.