The MFSA publishes its minimum expectations for DORA preparedness

DORA introduces several requirements for financial entities within its scope

In the latest of a series of Circulars published by the Malta Financial Services Authority (MFSA) on the Digital Operational Resilience Act (’DORA’), the Authority outlined its expectations for management bodies of financial entities within DORA's scope to ensure that such organisations are on track in preparing for compliance with DORA by its effective date of 17th January 2025.  

The latest Circular, published on 5th September, is important and noteworthy for management bodies of financial entities in view of the Benchmarking Exercise that the Authority expects financial entities to have already undertaken at this stage of preparedness towards achieving DORA compliance. 

DORA introduces significant new requirements for financial entities and their Third-Party ICT Service Providers 

DORA introduces several requirements for financial entities within its scope. The obligations placed on financial entities with regards to ICT-related areas will differ from those established in the current applicable Acts, Regulations, Rules, and sector-specific Guidelines. Therefore, Authorised Persons are urged to stay informed about these ongoing updates. 

The new requirements encompass areas such as ICT risk management, ICT-related incident management, classification, and reporting. Additionally, DORA mandates digital operational resilience testing, which includes advanced testing based on Threat-Led Penetration Testing. The regulation also outlines guidelines for managing ICT third-party risk, including the establishment of an Oversight Framework for critical ICT third-party service providers. Moreover, DORA encourages voluntary information-sharing arrangements among financial entities.  It is important to note that DORA will be complemented by Regulatory/Implementing Technical Standards, which are currently being drafted by the European Supervisory Authorities (ESAs) through the Joint Committee.  


DORA: Preparing for Compliance 

In the Circular dated 5th September, the MFSA has clearly stated its expectations for management bodies of financial entities falling within DORA’s scope at this stage of preparations towards achieving compliance with the Regulation. . The MFSA stated that financial entities should, as a minimum, have achieved the following objectives by now: 


  1. Carried out a Gap Analysis between their present relevant strategies, policies, procedures, plans, systems, tools, and the requirements of DORA 

  1. Formally adopted a transition plan towards compliance with DORA, which should be approved by the management body and duly communicated throughout the organisation. 

  1. If applicable, engaged in discussions with external auditors and/or consultants regarding DORA. 

  1. If applicable, engaged in discussions with ICT Third-Party Service Providers concerning compliance with the Regulation. 

  1. Duly informed the management body about the significant impact and requirements introduced by DORA.  

  1. Duly informed key function holders about the Regulation, including representatives from the Three Lines of Defence. 

  1. Stayed abreast of any updates related to the development of the Technical Standards. 

  1. Gained a comprehensive understanding of new reporting requirements and any changes to existing reporting obligations as specified by the Regulation. 

  1. Discussed and planned for possible new compliance costs arising from DORA. 


How BDO Can Assist You 

As you navigate the complex landscape of Digital Operational Resilience and strive for compliance with the Regulation, BDO is here to provide expert guidance and support. Our team of professionals is well-prepared in helping you achieve DORA compliance and can assist you in every step of your compliance journey. We recommend the following action points:  

  • Perform a maturity assessment against the DORA requirements, with associated gap analysis and mitigation plan to reach compliance by the end of 2024  

  • Ensure that senior management is kept fully informed of all digital operational resilience activities. 

  • Commence scenario planning for a large-scale penetration test  

  • Consolidate the Register of Information for all ICT third-party providers  

  • Develop and implement incident management and business continuity plans to ensure that the organisation can respond effectively to a major incident.  

  • Develop a training and awareness program for management and key function holders to educate them on DORA requirements, responsibilities and to help them identify potential threats to operational resilience.  

  • Establish robust governance and oversight to ensure that DORA requirements are met and that the organisation's digital infrastructure is secure and resilient.  

  • Regularly testing the incident management and business continuity plans.  


BDO advises all in-scope entities not to delay any further in conducting and achieving the Benchmark level published by the MFSA. Contact us now to embark on your journey towards Digital Operational Resilience compliance. 

Get in touch

Key Contacts

Our Technology Team can assist you with DORA Compliance