On 16 July 2024, Legal Notice 166 of 2024 was published in Malta. This implemented the relevant provisions of DORA (full title being Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) 648/2012, (EU) 600/2014, (EU) No 909/2014 and (EU) 2016/1011) into Maltese law. The said provisions can now be found under the Malta Financial Services Authority Act (Digital Operational Resilience Act (DORA)) Regulations, 2024 (S.L. 330.20) – the ‘Maltese Regulations’.
The Maltese Regulations shall come into force on 17 January 2025, the same day on which DORA itself becomes applicable across the EU, including Malta.
From a substantive perspective, the Maltese Regulations do not add or take away anything from DORA. Rather, the scope of the Maltese Regulations is to implement the relevant provisions of DORA from a local standpoint, wherever relevant. In the case of any conflict between the Maltese Regulations and DORA, it is the provisions of the latter which shall prevail.
Applicability
The provisions of the Maltese Regulations shall apply to the same financial entities which are exhaustively listed in Article 2(1) of DORA. It is noteworthy that the wording of the Maltese Regulations appears to deliberately omit ICT third-party service providers from their scope of application.
The provisions of the Maltese Regulations are, however, inapplicable to all entities referred to in Article 2(3) of DORA, and also to the Malta Development Bank established by way of the Malta Development Bank Act, Chapter 574 of the Laws of Malta.
Competent Authority
As expected, the Malta Financial Services Authority (the ‘MFSA’) shall be designated as the competent authority, and consequently shall be responsible for implementing DORA and ensuring compliance with the same. With respect to the Oversight Forum referred to in Article 32 of DORA, the MFSA shall also be the relevant competent authority whose staff member shall be the high-level representative mentioned therein.
With this being said, the designation of the MFSA as the competent authority in this regard does not overstep the competence of:
- The European Central Bank vis-à-vis credit institutions which have been classified as significant [1]; and
- The European Securities and Markets Authority in relation to (i) trade repositories [2], (ii) credit rating agencies [3] and (iii) administrators of critical benchmarks [4].
By way of its designation as the competent authority, the MFSA is vested with all the functions, obligations and powers, and shall be obliged to observe any requirements, imposed on competent authorities by DORA; this shall include the receipt of any major ICT-related incident reports and any voluntary notifications of significant cyber threats [5].
In the circumstance that the MFSA avails itself of its ability to delegate some or all of the tasks referred to in Articles 26 and 27 of DORA to another national authority in the financial sector, such delegation must be communicated on the MFSA’s official website without undue delay. Any such delegation of powers, however, shall have no ramifications on the power of the MFSA to identify financial entities that are required to perform Threat-Led Penetration Testing.
Cooperation and Exchange of Information
Pursuant to its responsibilities outlined in Article 19 of DORA, the MFSA shall immediately transmit any reports related to major ICT-related incidents, and any voluntary notifications of significant cyber threats made by credit institutions classified as significant, to the European Central Bank.
In keeping with the above, the MFSA is also empowered to transmit to the national Computer Security Incident Response Team, or any other relevant body or authority, any reports related to major ICT-related incidents and any voluntary notifications of significant cyber threats or information related thereto.
Supervisory Powers of the Authority
Article 7 of the Maltese Regulations lists numerous powers which the MFSA may avail itself of, without prejudice to any other powers assigned to the MFSA under the Maltese Regulations, DORA or the Malta Financial Services Authority Act (Chapter 330 of the laws of Malta – the ‘Act’), or any other applicable law.
These powers include:
- accessing any document or data held in any form that the MFSA considers relevant for the performance of its duties and receiving or taking a copy of it;
- carrying out on-site inspections, which shall include the right to (i) summon representatives of financial entities for oral or written explanations on facts or documents related to the investigation; and (ii) interview any other natural or legal person consenting to be interviewed in relation to the subject matter;
- requiring corrective and remedial measures for breaches of the requirements of DORA, the Act, the Maltese Regulations or any other regulations or rules issued for the purposes of implementing DORA (together referred to as the ‘Rules’), provided that these decisions are properly reasoned.
Where any measures have been adopted with respect to any legal persons, the MFSA shall have the power to apply such measures to the members of the management body of such legal person, and to other individuals who are responsible for the breach under national law.
Administrative Powers of the MFSA
On the occasion that the MFSA is satisfied that a person’s conduct amounts to a breach of the Rules, or such person has otherwise contravened or failed to comply with any condition, obligation, requirement, order or directive made or given by the MFSA, the MFSA may impose administrative measures on such person and/or subject such person to an administrative penalty that may not exceed €150,000 for each infringement. Such measure or penalty must be communicated to the relevant person by notice in writing and without the right of recourse to a court hearing.
The MFSA shall be further empowered to impose the following measures in relation to any breach as outlined in the immediately preceding paragraph:
- issue an order requiring the natural or legal person to cease the conduct contrary to the Rules, and to desist from a repetition of the same;
- require the temporary or permanent cessation of any practice or conduct in breach and to prevent repetition of such practice or conduct;
- adopt any type of measures, as permitted by DORA, to ensure financial entities within the remit of DORA continue to comply with their legal requirements;
- require existing data traffic records held by a telecommunication operator, where there is a reasonable suspicion of a breach of the Rules, and where such record may be relevant to the investigation of such breach; and
- issue public notices which indicate the identity of the natural or legal person and the nature of the breach.
As in the case of the supervisory powers of the MFSA, where any administrative measures or penalties are taken with respect to any legal person, the MFSA shall have the power to apply such measures or penalties to the members of the management body of such legal person, and to other individuals who are responsible for the breach under national law.
Any penalties or measures imposed by the MFSA shall be effective, proportionate and dissuasive. In this respect, when determining the type and level of penalty or measure to be imposed, the MFSA shall take into account the extent to which such breach is intentional or results from negligence, along with all the relevant factors, where appropriate. These factors include:
- materiality, gravity and duration of the breach;
- degree of responsibility of the natural or legal person responsible for the breach;
- financial strength of the natural or legal person responsible for the breach;
- importance of profits gained or losses avoided by the natural or legal person responsible for the breach;
- losses for third parties caused by the breach;
- level of cooperation with the MFSA of the natural or legal person responsible for the breach; and
- previous breaches by the natural or legal person responsible for the breach.
Any imposition of a penalty or measure as mentioned above, will be without prejudice to any other consequence the relevant act or omission may incur under civil or criminal law, provided that such imposition in respect of anything done or omitted to be done by a subject person, in the case that such act or omission constitutes a criminal offence, shall negate the possibility of instituting or continuing proceedings against that same person in respect of the specific criminal offence.
Publication of Administrative Penalties and other Measures
The MFSA shall publish any decision imposing an administrative penalty or measure on its official website without undue delay, following the notification of such decision to the relevant person. This publication shall include the type and nature of the breach, the identity of the persons responsible and the penalty or measure imposed. Such publication shall remain on the official website only for the period necessary, provided that such period is no longer than 5 years.
A person may avail themselves of the right to appeal a decision taken by the MFSA before the Financial Services Tribunal (the ‘Tribunal’), and where the relevant decision of the MFSA is subject to such an appeal, the MFSA shall include that information on its website, along with any subsequent information on the outcome of the appeal. Any decision of the Tribunal, or any other judicial decision that annuls the decision of the Tribunal, shall also be published.
Following a case-by-case assessment, the MFSA may determine that the publication of the identity of legal persons or of the identity and personal data of natural persons would:
- be disproportionate;
- jeopardise the stability of the financial markets;
- jeopardise the pursuit of an ongoing criminal investigation; or
- cause disproportionate damage to the persons involved.
In these cases, the MFSA may adopt one of the following solutions:
- defer the publication of the decision until all reasons for non-publication cease to exist;
- publish the decision on an anonymous basis; or
- refrain from publishing the decision where the two preceding options are considered insufficient to guarantee a lack of any danger to the stability of the financial markets, or where the publication would be disproportionate to the leniency of the imposed penalty or measure.
Offences
Any person who:
- fails to comply with any order or directive issued by the MFSA under the Rules;
- without reasonable excuse alters, suppresses, conceals, destroys or refuses to produce any document which they are lawfully required to produce under the Rules;
- for the purposes of, or pursuant to, any of the Rules, or any condition, obligation, requirement, directive or order made or given as aforesaid, furnishes information or makes a statement which he knows to be inaccurate, false or misleading in any material respect, or recklessly furnishes information or makes a statement which is inaccurate, false or misleading in any material respect;
- intentionally obstructs a person from exercising rights or powers conferred by the Rules; or
- contravenes or fails to comply with any of the provisions of the Rules
shall be liable to a punishment of imprisonment for a term not exceeding 1 year or to a fine not exceeding €150,000, or to both such fine and imprisonment, without any prejudice to any criminal proceedings that may be instituted under any other applicable law.
[1] in accordance with Article 6(4) of Regulation (EU) No 1024/2013, as referred to in Article 46(a) of DORA
[2] in accordance with Article 22 of Regulation (EU) No 648/2012, as referred to in Article 46(h) of DORA
[3] in accordance with Article 21 of Regulation (EC) No 1060/2009, as referred to in Article 46(n) of DORA
[4] in accordance with Articles 40 and 41 of Regulation (EU) 2016/1011, as referred to in Article 46(o) of DORA
[5] in accordance with Article 19 of DORA
This document does not purport to give legal, financial, technical or tax advice. Should you require further information or legal assistance, please do not hesitate to contact the Mamo TCV DORA team at dora@mamotcv.com.