MFSA Circular on DORA Authorisations (2025)

MFSA DORA Authorisation Findings (2025): What They Reveal About Operational Resilience Maturity

The Malta Financial Services Authority (MFSA) 2025 DORA authorisation review highlights a clear evolution in supervisory expectations under the Digital Operational Resilience Act (DORA). Digital operational resilience is increasingly being assessed not as a documentation exercise, but as evidence of embedded operational capability across ICT risk, incident management, and third-party ecosystems.

While progress is evident in certain areas—particularly ICT testing—significant gaps continue to emerge in ICT risk governance, third-party risk management, and the practical implementation of Regulatory Technical Standards (RTS). Collectively, these findings signal a critical transition phase in DORA implementation: from framework design to demonstrable resilience in practice.


Key Takeaways from the MFSA Circular

1. ICT Risk Management Remains the Weakest Area

The MFSA highlights DORA Chapter II (ICT Risk Management) as the most challenging area for applicants.

Common deficiencies include:
•    Incomplete or missing business continuity and disaster recovery plans
•    Lack of business impact analysis (BIA)
•    Absence of a defined digital operational resilience strategy
•    Weak or insufficiently documented backup and restoration procedures
•    Gaps in asset management, vulnerability management, and patching

These findings indicate that many applicants have not yet embedded operational resilience into day-to-day processes, particularly when moving from policy design to implementation. 


2. Incident Management is Partially Implemented—but Not Operationalised

While some applicants show progress under DORA Chapter III, the MFSA notes recurring issues in:
•    Establishing end-to-end incident management processes
•    Ensuring proper classification of incidents
•    Meeting regulatory reporting and notification requirements

In practice, many frameworks are defined on paper but lack integration between detection, response, recording, and reporting mechanisms. 


3. Testing is a Positive Outlier

DORA Chapter IV (Testing) is identified as the area with the highest level of compliance, with:
•    Very few observations
•    No material concerns raised

This suggests that firms are generally more comfortable implementing structured testing regimes than developing foundational governance and risk management capabilities. 


4. ICT Third-Party Risk is a Persistent Challenge

DORA Chapter V remains the second most problematic area, with significant issues in:
•    Applying third-party risk management principles
•    Negotiating and embedding Key Contractual Provisions
•    Conducting proportionate due diligence
•    Developing tailored exit strategies

A recurring issue is the use of generic outsourcing frameworks, including “one-size-fits-all” exit plans that fail to reflect provider-specific risks. 


5. Regulatory Technical Standards (RTS) Are Not Yet Fully Understood

The MFSA highlights ongoing difficulties with the detailed requirements under Level 2 measures, particularly:
•    ICT Risk Management RTS:
     •    Business continuity
     •    ICT operations security
     •    Asset management

•    ICT Third-Party Policy RTS:
     •    Due diligence processes
     •    Exit and termination planning

These findings point to gaps in understanding the practical application of RTS requirements, rather than just their interpretation. 


6. Over-Reliance on Generic or AI-Generated Documentation

The circular includes a notable warning regarding excessive use of generative AI:
•    Submissions were often generic, misaligned, or inaccurate
•    Lack of tailoring to actual operations and risk profile
•    Insufficient evidence of ownership and understanding

The MFSA emphasises that responsibility for submissions remains with the applicant, and poorly validated documentation leads to delays and resubmissions.


7. Updated Annexes Introduced to Streamline Applications

The Authority has introduced updated Annexes (AX05 and AX50) in late 2025:
•    Designed as self-assessment tools
•    Supported by addenda outlining expectations
•    Aim to reduce inefficiencies while maintaining regulatory quality

Applicants preparing for 2026 are expected to align early with these updated formats. 


Our Perspective: What This Means in Practice

Based on our experience supporting DORA implementation programmes, DORA thematic reviews, DORA audits, and MFSA licensing applications, the MFSA’s observations are fully consistent with what we see across the market.


1. The Core Issue is Not Documentation. It is Integration
Many applicants approach DORA as a documentation exercise, resulting in:
•    Policies not linked to actual controls
•    Risk frameworks not embedded in operations
•    Disconnect between IT, risk, and business functions

Regulators are increasingly testing whether controls work in practice, not just whether they exist.


2. Third-Party Risk is Underestimated at Strategic Level
ICT outsourcing remains one of the most misunderstood DORA domains, particularly where:
•    Providers support critical or important functions
•    Contracts are inherited or non-negotiable
•    Legal and IT teams operate in silos

Successful applicants treat third-party risk as a strategic governance issue, not a procurement or legal formality.


3. Incident Management Requires End-to-End Thinking

We frequently see organisations with:
•    Tools for detection
•    Policies for response

But lacking:
•    Integrated workflows
•    Clear ownership
•    Tested escalation and reporting mechanisms

DORA compliance requires a closed-loop model, from detection through to regulatory reporting.


4. RTS Compliance is the Real Maturity Test

Level 1 (DORA regulation) requirements are broadly understood. However:
•    RTS requirements introduce operational depth
•    Require evidence-based implementation
•    Expose weaknesses in governance, controls, and documentation

RTS readiness is increasingly the differentiator between acceptable and high-risk applications.


5. AI is Useful, but a Regulatory Risk if Misused

The MFSA’s comments on AI reflect a growing supervisory concern.

Our experience confirms:
•    AI-assisted drafts can accelerate delivery
•    But often introduce generic or non-compliant language

AI should support drafting but never replace expert validation and tailoring.


Practical Recommendations for Applicants and How BDO Can Help:

Based on both MFSA expectations and our advisory experience:

Before Submission
•    Perform a mock regulatory review of AX05 and AX50
•    Validate that policies align with actual operations
•    Ensure ICT risk, incident management, and outsourcing are fully integrated

For ICT Risk Management
•    Develop a complete BIA-driven resilience framework
•    Align response and recovery plans with realistic scenarios
•    Evidence control effectiveness, not just policy existence

For Third-Party Risk
•    Perform documented, proportionate due diligence
•    Develop provider-specific exit strategies
•    Ensure contracts include all mandatory DORA provisions

For Documentation
•    Avoid templates that are not risk-profile specific
•    Ensure clear ownership and accountability
•    Treat annexes as evidence-backed submissions, not forms

The MFSA’s circular reinforces a critical message: 
While progress is evident particularly in testing and some areas of incident management, significant gaps remain in:
•    ICT risk governance
•    Third-party risk management
•    Practical implementation of RTS requirements

For applicants, the priority moving forward is clear:
Shift from compliance-by-design to resilience-by-operation.
Those that invest early in integrated, tailored, and operationally validated frameworks will not only improve their chances of authorisation, but also build sustainable resilience in an increasingly regulated environment.