How Maltese financial entities can close the last mile gaps before year end

MFSA’s 2024 digital operational resilience takeaways

The Malta Financial Services Authority's Supervisory ICT Risk & Cybersecurity (SIRC) function has released its general observations on Digital Operational Resilience for 2024. Progress is real: most assessed controls were either fully or partially achieved. But execution gaps keep recurring in four places: ICT risk governance, incident classification and reporting, risk-based resilience testing, and ICT third-party risk (Register of Information and contracts).
BDO Malta's own DORA implementations and assessments across banks, insurers, EMIs, PSPs, funds and CASPs mirror these themes. Many entities have policies drafted, but:
  • the ICT Risk Management Framework (ICT RMF) and Digital Operational Resilience Strategy (DORS) are often incomplete or not fully operationalised,
  • risk-based testing lacks a structured programme and is not consistently documented,
  • incident classification and reporting mechanics are not properly rehearsed, and
  • the Register of Information (ROI) and contractual clauses for ICT providers are still maturing.


What the MFSA letter says
  • The Supervisory ICT Risk & Cybersecurity (SIRC) function delivered the 2024 plan using a risk-based and outcomes-based approach (a three-year cycle that reassesses the same controls two years after the initial engagement). Only 13% of 2024 engagements used the outcomes-based model, which SIRC plans to expand.
  • Across the four outcome areas (DORA preparedness; risk & compliance; incident management; third-party status), 61% of assessed controls were fully achieved, 28% partially achieved, and 9% not met, indicating broad progress but uneven execution. A similar pattern appeared in non-outcomes-based work (55% / 24% / 21%).
  • Where issues recur:
    • Chapter II – ICT Risk Management. Weaknesses in risk identification, mitigation and governance; ICT risk not consistently integrated into the enterprise risk framework.
    • Chapter III – Incident Management. Gaps in incident classification, reporting protocols and communications during ICT disruptions.
    • Chapter IV – Resilience Testing. Limited evidence of structured, risk-based testing programmes; internal audit often lacks ICT depth; advanced testing (e.g., Threat-Led Penetration Testing [TLPT]) is still emergent.
    • Chapter V – ICT Third-Party Risk. ROI completeness issues; outsourcing policies not fully reflecting governance duties; contracts not yet fully aligned (exit, audit, continuity, sub-outsourcing).


BDO Malta’s field observations: the four most persistent last mile gaps
Drawing on the DORA implementations, assessments, thematic reviews and internal audits we have conducted, four execution gaps repeat across the market. They align with MFSA's observations:
  • ICT Risk Management Framework (ICT RMF) & Digital Operational Resilience Strategy (DORS) exists on paper, but not as a living steering mechanism
    • Many entities create an ICT RMF & DORS but stop short of making it the single source of truth that evidences the current ICT Risk management and resilience picture, defines risk tolerance, embeds a communications strategy and links to risk based testing. We frequently find that the DORS is drafted after audit periods, or lacks measurable indicators tied to incidents and preventive control effectiveness.
  • Resilience testing is ad hoc rather than programmatic
    • Vulnerability scans and occasional DR exercises occur, yet annual, risk-based programmes covering all critical or important functions are not consistently documented, scheduled and evidenced, with lessons learned tracked into remediation plans and risk registers. Internal audit teams are often not yet equipped to independently test resilience end to end.
  • Incident classification and reporting: timing is known, muscle memory isn't
    • Teams can quote the high-level timelines for initial, intermediate and final reports under DORA, but classification criteria, roles, playbooks and report-within-hours drills are under-practised. Continual rehearsal and governance touchpoints (especially board visibility) are required.
  • ICT third-party governance: the ROI is improving, contracts lag
    • Entities have built the Register of Information, but data completeness and contractual alignment (audit and access rights, exit and stressed exit, sub-outsourcing, continuity) remain the hard part. Procurement, Legal and Risk need a shared playbook to close the loop from due diligence to onboarding to monitoring to assurance.


What this means for boards and control functions
  • Boards should expect regular, evidence-backed reporting on ICT risk tolerance, critical or important functions, testing outcomes and third-party exposure. Board education and recurring briefings remain essential.
  • Internal Audit may need targeted co-sourcing to obtain the right ICT skill mix for resilience testing, incident management and third-party assurance reviews.

The good news? With practical steps and focused work, financial entities can close most of these last-mile gaps before they become supervisory findings.


How BDO Malta can help
  • DORA readiness accelerators: ICT Risk Management Framework and Digital Operational Resilience Strategy refresh, plus board training modules aligned to MFSA's supervisory focus areas.
  • Testing programmes: design and operate your annual, risk-based testing calendar; prepare your organisation for TIBER MT/TLPT MT.
  • Incident drill-downs: classification matrices, reporting and tabletop exercises aligned to DORA timelines.
  • Third-party risk: contract reviews, contract clause packs, onboarding checklists and vendor assurance.
  • Internal Audit outsourcing or co-sourcing.

Key contact: Ivan Spiteri, Director of Technology Advisory & Assurance, BDO Malta