The Digital Operational Resilience Act (‘DORA’), formally known as
Regulation (EU) 2022/2554, became applicable to all financial
entities within the European Union on 17th January 2025. This
regulation aims to enhance the digital operational resilience of
financial entities by establishing uniform requirements for managing
Information and Communication Technology (‘ICT’) risks. A critical
component of DORA is the obligation for financial entities to
maintain a comprehensive Register of Information (‘RoI’) detailing
all arrangements with ICT Third-Party Service Providers (‘ICT TPPs’).

Key Obligations for Financial Entities

Maintenance of the RoI

Under Article 28(3) of DORA, financial entities are required to
maintain an up-to-date RoI that includes all contractual
arrangements with ICT TPPs. The RoI must be comprehensive,
accurately reflecting the scope, nature, and duration of each ICT
service used, as well as any associated risks. The register should
also include information on critical or important ICT TPPs, their
role, and the potential impact of service disruptions.

Submission Deadlines

The Malta Financial Services Authority (‘MFSA’) has
specified that for the year 2025, all authorised persons must
submit their RoI between 1st April 2025 and 8th April 2025 (both
days inclusive). This requirement applies to entities authorised by
the MFSA up to and including 31st March 2025. Entities authorised
after this date are exempt from the 2025 submission but must
maintain the RoI and provide it upon request.

Consequences of Non-Compliance

Failure to submit the RoI by the specified deadline may result
in regulatory actions from the MFSA. Such actions could include
administrative penalties and regulatory sanctions, and may carry
reputational risks. Non-compliance with the DORA regulation, as set out in Legal Notice
166 of 2024 and the MFSA Act, may have serious implications for
financial entities, particularly regarding ongoing relationships
with ICT TPPs and overall regulatory standing.

Preparation and Reporting Framework

To facilitate compliance, the European Banking Authority
(‘EBA’) has introduced the Final Technical Package for its
Reporting Framework 4.0, which will apply from March 2025. Key
features of this framework include:


The Data Point Model (‘DPM’) 2.0,
offering enhanced metadata features, improved validation rules, and
greater automation of compliance processes.

Standard Specifications, including new
semantics and validation rules to support automated submission
processes.

Transition Support, as the EBA will continue
to publish both DPM 1.0 and DPM 2.0 until December 2025, ensuring a
smooth transition.

Financial entities are encouraged to familiarise themselves with
the EBA Reporting Framework 4.0, which incorporates the latest XBRL
taxonomies and technical specifications to support accurate and
efficient reporting. The MFSA will issue further guidance on
completing and submitting the 2025 RoI reporting in due course.

What to Expect Moving Forward


The MFSA will provide detailed instructions for the 2026 RoI
reporting process at a later date.

Financial entities must remain proactive in monitoring updates
to DORA compliance requirements, including any changes to
submission deadlines or reporting obligations.

For further clarification, financial entities can contact the
MFSA Register of Information Team via email at roi@mfsa.mt.

Conclusion

The implementation of DORA marks a critical milestone in
improving the digital resilience of the EU’s financial sector.
By adhering to the RoI requirements and meeting submission
deadlines, financial entities will not only fulfil their regulatory
obligations but also contribute to building a more secure and
resilient financial ecosystem.

Financial entities are encouraged to act promptly to ensure
compliance with DORA and take the necessary steps to maintain the
RoI in line with regulatory requirements.
