The Malta Financial Services Authority published a Dear CEO letter and general observations report summarising its 2024 supervisory engagements on digital operational resilience, finding improving alignment with regulatory expectations while calling for further strengthening of baseline ICT controls across licence holders. The 2024 review combined Outcomes-based and non-Outcomes-based supervisory techniques to assess both advanced and baseline readiness. Under the Outcomes-based framework, nearly 90% of assessed controls were fully or partially achieved, with 61% scored as fully achieved and 28% as partially achieved. In the non-Outcomes-based engagements, 21% of assessed controls were rated “not met”, pointing to inconsistencies and gaps in foundational resilience.

Recurring weaknesses were mapped to Digital Operational Resilience Act chapters and included ICT risk management (risk identification, governance and integration with enterprise risk), incident management (classification and timely internal and external reporting), resilience testing (limited structured threat-led testing and insufficient ICT specialist capability in internal audit), and third-party risk management (quality of the register of information and oversight of continuity, confidentiality and auditability).

The MFSA also announced a Cyber Finance Summit scheduled for 15-16 October in Valletta to convene industry and regulators on topics including digital-era supervision, evolving cyber threats and ICT third-party risk management.
Malta Financial Services Authority 2025-09-30
Malta Financial Services Authority reports stronger DORA preparedness in 2024 resilience reviews but flags recurring ICT control gaps
The Malta Financial Services Authority's report on 2024 supervisory engagements highlights digital operational resilience improvements but urges stronger baseline ICT controls. Nearly 90% of controls were achieved under the Outcomes-based framework, while 21% were unmet in non-Outcomes-based assessments, revealing foundational resilience gaps. Recurring weaknesses relate to the Digital Operational Resilience Act, covering ICT risk management, incident management, resilience testing, and third-party risk management.