On the 16th of January 2025, the MFSA published a circular on the Register of Information reporting timelines for MFSA-authorised persons. Subsequently, on the 17th of January 2025, the MFSA published another circular outlining several resources uploaded to its website to assist compliance with Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”).

The circular issued on the 16th of January 2025 focuses on the Register of Information required under Article 28(3) of DORA. Financial entities must document in this register all contractual arrangements with ICT Third-Party Service Providers (“ICT TPPs”), ensuring transparency in their digital operations. Entities must be prepared to present this register to the competent authority upon request. The MFSA highlights the timelines for submission, specifying that entities falling within DORA’s remit must file their registers between April 1 and April 8, 2025. To facilitate compliance, the circular refers to the European Banking Authority’s Reporting Framework, which provides the technical documentation and templates necessary for completing the registers. The MFSA has warned of potential regulatory action in cases of non-compliance, underscoring the importance of adherence to the stipulated deadlines.

The second circular, dated 17th January 2025, introduces the Cyber Reporting Management System (“CRMS”). This system is designed to address the reporting requirements for major ICT-related incidents and other cyber events as outlined in DORA. Financial entities such as credit institutions, payment institutions, and electronic money institutions are now required to report incidents using the CRMS platform accessible through the MFSA’s License Holder Portal. The circular elaborates on the reporting process, which includes a mandatory reporting timeline for major incidents and a voluntary option for notifying the MFSA about significant cyber threats.

To assist entities, the MFSA has provided a suite of resources, including the Major ICT-Related Incident Reporting Process document, reporting templates, and comprehensive user guidelines. This material is accessible through the Supervisory ICT Risk and Cybersecurity section of the MFSA’s website.

This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact the DORA team on: dora@mamotcv.com