
Digital Operational Resilience Act (DORA)

Does DORA apply to me?

If you fall under any of the categories below, DORA is most likely applicable to you, subject to certain exemptions:

ICT Service Providers – any undertaking that provides ICT systems and services to financial entities on an ongoing basis, including hardware as a service, as well as hardware services that incorporate technical support by means of software or firmware updates.

Financial entities – this includes a vast range of entities, including:

  • Credit institutions
  • Account information service providers
  • Investment firms
  • AIFMs
  • Cryptoasset service providers
  • Payment institutions
  • Central securities depositories
  • Credit rating agencies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries

Is your organisation well prepared for DORA?

The ‘Digital Operational Resilience Act’ or DORA (Regulation (EU) 2022/2554) seeks to enhance and improve ICT operational risk requirements across various financial sectors. What was once a piecemeal approach scattered amongst various laws is now being consolidated into one singular EU regulation. It will become applicable as of 17th January 2025.

If you think that DORA is applicable to you, please ask for our assistance.

Mamo TCV Advocates - DORA Services

UNDERSTANDING DORA

DORA at a glance

The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks or incidents.

When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This, in turn, can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.

This is where the Digital Operational Resilience Act, or DORA, comes into play.

WHAT WE BELIEVE IN

How can we help?

Our Reputation

Mamo TCV Advocates is a leading Maltese law firm with years of experience in the field of technology law. With clients ranging from world-famous multinational IT companies to individual service providers, we can provide your organisation with practical advice regardless of the situation you are in.

DORA Compliance

Over the past years we have carried out several legal audits and training sessions for our diverse portfolio of clients and we are now assisting clients with their various new DORA-related legal obligations. From rules relating to direct marketing to data retention obligations, we have you covered.

What we Offer

  • Assistance with identifying applicability of DORA.
  • Negotiation, vetting and amending of contracts between key stakeholders to ensure DORA compliance.
  • Assistance with reporting obligations.
  • Provision of comprehensive expert legal advice to facilitate compliance.

Key Contacts

Claude Micallef Grimaud
Antoine Camilleri

Stay updated with our latest insights

FinTech

ESMA Supports MFSA’s MiCA Approach

On the 10th of July 2025, the European Securities and Markets Authority (ESMA) published the results of its first peer review of a Crypto-Asset Service Provider (CASP) authorisation under the Markets in Crypto-Assets Regulation (MiCA). The review, focused on Malta, marks an important milestone in the EU’s transition to a harmonised regulatory framework for crypto-assets. The review can be accessed on this link. Malta, which had already established a structured national framework through its Virtual Financial Assets (VFA) regime in 2018, was among the first jurisdictions to operationalise MiCA. The peer review confirms that the Malta Financial Services Authority (MFSA)…
Penetration Testing
DORA

Threat-Led Penetration Testing Regulatory Technical Standards under DORA Take Effect

As of today, 8 July 2025, the Regulatory Technical Standards (RTS) on Threat-Led Penetration Testing (TLPT) are now effective, including in Malta, following their publication in the Official Journal on 18 June 2025. These RTS supplement Article 26 of the Digital Operational Resilience Act (‘DORA’) and lay down a framework for the execution of TLPT. The RTS specify the criteria used for identifying the financial entities which are required to perform threat-led penetration tests and lay down organisational arrangements for financial entities. The RTS also include provisions on risk management and specify criteria for engaging TLPT providers. Moreover, the RTS…
Banking & Finance

Payments Insights #5 – When CASPs Overlap PSPs

The EU’s Markets in Crypto-Assets Regulation (MiCA) provides in Article 70(4) that a crypto-asset service provider (CASP) offering payment services related to its crypto activities must either obtain a payment institution authorisation itself or partner with an authorised payment service provider (PSP) under PSD2. This reflects the “dual nature” of certain crypto-assets: notably, MiCA classifies e-money tokens (i.e. stablecoins) as electronic money, meaning they are not only crypto-assets under MiCA but also “funds” under the Second Payment Services Directive (PSD2). In practice, this dual status raised uncertainty about whether CASPs dealing in stablecoins need a separate PSD2 licence in addition…
DORA
DORA ICT Subcontracting RTS Published
Digital Inclusion
Telecoms, Media & Technology
Digital Inclusion: The European Accessibility Act and the Web Accessibility Directive
DORA
ICT Aspects of a MiCA Application

Get in touch if you require any assistance