posted 16 hours ago
The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) entered into force on 16th January 2023 and its application date is only a month away, with financial entities expected to be compliant as from 17th January 2025.
In Malta, the Malta Financial Services Authority (MFSA) has been designated as the competent authority in relation to DORA.
Who is captured by DORA?
DORA brings harmonised rules relating to operational resilience for the financial sector applying to 20 different types of financial entities, including credit and financial institutions, investment firms, crypto-asset service providers (CASPs), AIFMs, insurance and reinsurance undertakings and intermediaries, data reporting service providers and crowdfunding service providers.
Some financial entities, however, benefit from exemptions or are subject to a very light regulatory framework. These include de minimis AIFMs; insurance undertakings falling outside the scope of the Solvency II Directive; institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total; persons exempted under the MiFID II Directive; insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises; and post office giro institutions.
DORA also captures under its remit ICT third-party service providers that are deemed to be critical in terms of DORA. This topic shall be covered in more detail in our ancillary series, “DORA Readiness: Empowering ICT Service Providers in Financial Services”.
What does DORA seek to regulate?
DORA creates a comprehensive framework addressing various core components of the digital operational resilience of financial entities, with the overall objective to strengthen and align the digital operational resilience across the different Union financial areas.
DORA is built on a number of important principles, primarily:
DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services. Within DORA’s aim to increase digital operational resilience, new requirements oblige certain financial entities to conduct advanced testing based on threat-led penetration testing (TLPT). Specifically, DORA requires authorities to identify financial entities subject to the obligation to perform TLPT.
DORA will require financial entities and their management to treat ICT-related risk as a dynamic part of their business, doing their utmost, as reasonable and prudent operators, to mitigate and reduce that risk throughout their existence. This ‘outcome-based’ regulation not only imposes specific obligations and processes, but also focuses on principles and the results which the legislator aims to achieve, with the ultimate focus being the safety of the financial services industry, its members and users, and the prevention and mitigation of cyber threats.
Throughout this series, we will be exploring these pillars and their ancillary requirements and regulatory obligations in more detail.
What are the implications of non-compliance?
The Regulation has conferred the supervisory, investigatory and sanctioning powers in relation to DORA to the competent authorities in each respective member state; in Malta’s case this would be the MFSA.
The Malta Financial Services Authority Act (Digital Operational Resilience Act (DORA)) Regulations set out that in case of a breach or failure to comply, the MFSA may impose administrative measures that may not exceed €150,000 for each infringement.
The MFSA is further empowered to impose certain measures in relation to any breach, including adopting any type of measure permitted by DORA to ensure that in-scope financial entities continue to comply with their legal requirements, as well as issuing public notices which indicate the identity of the person in breach and the nature of the breach.
Any penalties or measures imposed are intended to be effective, proportionate and dissuasive. Thus, in determining the penalty or measure to be imposed, the MFSA shall take into account the extent to which the breach is intentional or results from negligence, along with all other relevant factors, where appropriate.
Any person failing to comply with directives, unlawfully altering or concealing documents, providing false or misleading information, obstructing authorised actions, or violating any provisions shall be liable to imprisonment of up to 1 year, a fine of up to €150,000, or both. This penalty applies without prejudice to any additional criminal proceedings under other applicable laws.
Beyond DORA
While DORA is a crucial legislative step forward in enhancing cybersecurity through a harmonised approach, this Regulation should not be analysed in isolation.
TIBER-EU, issued in 2018, was the first EU-wide guideline on how authorities, critical entities (including financial entities) and threat intelligence/red-team providers should conduct and operate controlled cyber-attack testing of cybersecurity. The TIBER-EU framework will give authorities and financial entities comprehensive support in fulfilling DORA’s requirements for TLPT.
The NIS2 Directive also aims to set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure. It also aims to remove divergences in cybersecurity requirements and in the implementation of cybersecurity measures in different member states by setting out minimum rules for a regulatory framework and laying down mechanisms for effective cooperation among relevant authorities in each member state.
Complementing NIS2 is the Critical Entities Resilience (CER) Directive which is aimed at strengthening the resilience of critical infrastructure against various threats, including cyberattacks, natural hazards, terrorist attacks, and sabotage. The CER Directive complements these laws by focusing on the physical and operational resilience of critical infrastructure.
The Cyber Resilience Act on the other hand introduces horizontal cybersecurity requirements for all products with digital elements, whether directly or indirectly connected to the internet, to ensure they are secure throughout their lifecycle. It covers all digital products, including IoT devices, embedded software, and hardware components.
This is the first article in our series “Chartering DORA Compliance: A Guide for Financial Entities”. Over the coming weeks we will be delving deeper into DORA’s key principles and implications for financial entities.