Strengthening Digital Operational Resilience: Lessons from the 2025 Authorisation Cycle
JULY 08, 2026

The Malta Financial Services Authority’s (the “Authority”) Circular General Observations on Digital Operational Resilience in Authorisation Applications Received in 2025 offers valuable insights into the evolving state of digital operational resilience across the financial services sector. Drawing on observations gathered during the review of authorisation applications, the Circular highlights common themes and recurring challenges encountered by applicants seeking to demonstrate compliance with the Digital Operational Resilience Act (DORA). [1]

The observations reveal that while awareness of digital operational resilience requirements continues to grow, many applicants still face difficulties in translating regulatory obligations into effective operational practices. In particular, the Circular emphasises the importance of developing robust governance arrangements, sound ICT risk management processes, effective incident management procedures, and well-structured oversight of third-party ICT service providers.

A key message emerging from the Circular is that digital operational resilience extends beyond the preparation of policies and documentation. Applicants are expected to demonstrate a clear understanding of how resilience measures operate in practice and how they support the continuity, security, and reliability of their business activities. The Authority also notes the importance of ensuring that all submissions are appropriately tailored to the applicant’s specific business model and risk profile.

The Circular also identifies areas where applicants generally demonstrated stronger levels of preparedness, particularly in relation to digital operational resilience testing. At the same time, it emphasises the need for continued industry-wide efforts to strengthen resilience frameworks and enhance the practical implementation of DORA requirements.

By sharing these observations, the Authority seeks to support both prospective and existing licence holders in their preparation for authorisation processes. The publication also reinforces the Authority’s commitment to promoting a resilient financial sector capable of managing ICT-related risks and adapting to an increasingly complex digital environment.

 


[1] REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.