New Malta Dear CEO Letter Notes Progress On DORA Compliance But Flags Gaps

September 30, 2025
The Malta Financial Services Authority (MFSA) has identified meaningful progress in operational resilience compliance, but warns that shortcomings in testing, incident management and outsourcing oversight could undermine sector stability.

The MFSA has become one of the first national regulators in the EU to share its findings on progress in compliance with the Digital Operational Resilience Act (DORA) framework. 

Its most recent communication reveals some of the key strengths and weaknesses of firms, including e-money and payment institutions, as they implement the DORA rulebook. 

According to the MFSA, nearly 90 percent of the DORA-derived assessments have been fully or at least partially achieved.

It said this represents “meaningful progress” towards meeting regulatory expectations, especially in the four priority areas it examined last year: DORA preparedness, risk management and compliance functions, incident management and third-party provider oversight.

Ongoing issues

The regulator also highlighted several recurring shortcomings, noting that many licence holders still lack robust ICT risk frameworks, have failed to integrate ICT risks into overall governance and continue to show deficiencies in third-party risk management.

On incident management, the MFSA reported gaps in firms’ ability to classify and report ICT incidents and to maintain effective communication channels during disruptions. It warned that these weaknesses could threaten operational continuity.

In the area of digital operational resilience testing, the authority noted that although some firms have started resilience testing, structured programmes aligned with DORA requirements remain limited. It also found that internal audit teams often lack ICT expertise and urged firms to adopt its recently issued TIBER-MT framework to bolster threat-led penetration testing.

The regulator also observed that many licence holders have begun developing outsourcing registers and contractual provisions with ICT providers but still lack comprehensive governance, exit strategies and oversight mechanisms.

Remaining priorities

Despite these weaknesses, the MFSA praised firms’ growing investment in operational resilience and said it remains committed to supporting licence holders “on this journey”. 

It emphasised that digital resilience is “not merely a regulatory requirement” but a “fundamental pillar of trust, stability and competitiveness” in the financial sector.

“As cyber threats grow in frequency and sophistication, the ability to anticipate, withstand, and recover from ICT-related disruptions becomes ever more critical.”

For payment institutions and e-money providers in particular, the MFSA’s findings underline both the opportunities and the pressures created by DORA.

Stronger resilience standards may help boost customer trust and competitiveness, but they will also require sustained investment in governance, systems, and skilled resources. 

Payments firms that move quickly to address gaps will be better positioned to avoid regulatory scrutiny and to differentiate themselves in an increasingly demanding European market.
