Update on the Digital Operational Resilience Act (“DORA” or “Regulation (EU) 2022/2554”)
Reference is made to our article on DORA published on 3 August 2022. This article noted that on 28 July 2022 the Malta Financial Services Authority (“MFSA”) published a circular announcing that in May 2022, the European Parliament and the Council reached a provisional political agreement on DORA. That article set out the rationale of DORA, its applicability, and its main objectives. And on 4 January 2023, the MFSA published another circular which noted that Regulation (EU) 2022/2554 was officially adopted in November 2022, that it entered into force on 16 January 2023 and that it will apply from 17 January 2025 along with Amending Directive (EU) 2022/2556. More recently, and on 5 September 2023, the MFSA published a circular entitled Update and Benchmarking Exercise on Regulation (EU) 2022/2554 on Digital Operational Resilience. This brief article will brief set out the MFSA’s update and benchmarking exercise.
Update on DORA
The MFSA noted that DORA will be supplemented by Regulatory/Implementing Technical Standards, (the “Technical Standards”) which are currently being drafted by the European Supervisory Authorities (the “ESAs”) through the Joint Committee. The delivery deadlines for the Technical Standards are set out in Annex 1 of the circular published in January 2023.
The MFSA explained that it is providing information to the industry on DORA through a range of methods including written communications (for instance, circulars); periodic DORA Podcasts (see legislation section); Frequently Asked Questions (see legislation section); public consultations (for instance, the Consultation Document on the Adoption of the TIBER-EU Framework in Malta); and events (for example, webinars). The MFSA expects Authorised Persons (see article 2 of Regulation (EU) 2022/2554) to follow ongoing updates and drew attention to these two forthcoming consultations in which interested stakeholders will be invited to share their views:
- A public consultation on the national implementation of the Regulation and the national transposition of the Amending Directive, planned to be issued by the Authority in Q4 of 2023.
- The ESAs Joint Committee public consultation on the second set of Technical Standards.
The MFSA expects Authorised Persons to already, and at the very least, to:
- have duly informed the management body about DORA;
- have duly informed key function holders about DORA, including representatives from the Three Lines of Defence.
- keep themselves abreast with any updates in relation to the development of the Technical Standards;
- be duly aware of new reporting requirements and/or changes to existing reporting requirements, as specified by DORA;
- have duly discussed and planned for possible new compliance costs arising from DORA;
- have carried out a gap analysis between its present relevant strategies, policies, procedures, plans, systems, tools and the requirements of DORA;
- have formally adopted a transition plan towards compliance with DORA that has been approved by the management body and duly communicated accordingly;
- have engaged in discussions with their external auditors and/or consultants regarding the Regulation (if applicable);
- have engaged in discussions with their ICT Third Party Service Providers regarding the Regulation (if applicable).
The MFSA also expects directors of Authorised Entities to ensure that the Authorised Entity is working toward complying with DORA by 17 January 2025.