The Malta Financial Services Authority (MFSA) issued an important circular to all financial entities under the scope of the Digital Operational Resilience Act (DORA – Regulation (EU) 2022/2554). This circular specifies the annual reporting deadlines and procedures for submitting the Register of Information (RoI) related to ICT Third-Party Service Providers (ICT TPPs) arrangements.
Key Highlights
- Scope: Applies to all financial entities authorized by the MFSA and within the scope of the DORA Regulation.
- What is RoI? A comprehensive record of all contracts and arrangements with ICT TPPs, including critical providers subject to European-level oversight.
- Annual Submission: Full RoI must be submitted each year to the MFSA between January 1 and March 21 (or next working days), starting in 2026.
- Reference Date: Data in the RoI should reflect the status as of December 31 of the previous calendar year.
- Submission Platform: All reporting must be done via the MFSA’s LH Portal with status “Accepted” for compliance.
- Non-Compliance: Failure to submit a validated and compliant RoI on time may result in regulatory enforcement actions under the MFSA Act and Legal Notice 166 of 2024.
- Guidance and Support: The MFSA provides technical guides, FAQs, and direct support contacts to assist entities in meeting these obligations.
Why It Matters
The RoI facilitates the monitoring and oversight of digital operational risks arising from third-party ICT service providers, enhancing sector-wide resilience. The annual reporting allows authorities to identify critical ICT service dependencies and ensure effective risk management frameworks are in place.
Financial entities are advised to prepare their ICT third-party data diligently and use the MFSA resources to ensure accurate and timely reporting under DORA’s evolving requirements.
