Supervisory ICT Risk and Cybersecurity

Information and Communications Technology (ICT) has become a critical dependency for organisations and people alike. Inevitably, we are seeing an increased interest in ICT risk and Cybersecurity by standards organisations, policymakers, and regulators worldwide including within the financial services industry.
ICT risk and Cybersecurity continue to present significant challenges to, and potentially severe consequences for, the resilience, performance, and stability of financial systems and economies, as highlighted by European and international Boards and Committees. Third-party dependencies and the risks associated with ICT outsourcing are also becoming increasingly relevant as part of ICT risk management.
The Authority places substantial importance on ICT risk and Cybersecurity, which remains a cross-sectoral priority. The establishment of the Supervisory ICT Risk and Cybersecurity function as a cross-sector supervisory function was a critical milestone. The function works closely with the other supervisory functions and is responsible for the supervision of licence holders in the areas of ICT risk and Cybersecurity and the management of risks associated with ICT outsourcing, collectively the area of Digital Operational Resilience.
The Supervisory ICT Risk and Cybersecurity function has issued principle-based cross-sectoral guidelines (“Guidance Document”) in the areas of Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, setting out the Authority’s expectations. The guidelines are in line with the MFSA’s Strategic Plan 2019-2021 and the Authority’s efforts to ensure operational resilience within the financial services industry. All supervised entities are recommended to make effective use of the Guidance Document and to approach it with a view to aligning with the Authority’s expectations set out therein.
On 3 September 2024, the Supervisory ICT Risk and Cybersecurity (SIRC) Function issued the publication ‘The Nature and Art of Financial Supervision – Volume XI: ICT Risk and Cybersecurity’. This publication offers a detailed and updated account of the work carried out by the Authority’s SIRC Function. This edition provides an in-depth look at how the Authority is adapting to key regulatory developments, such as the Digital Operational Resilience Act (DORA) and highlights its ongoing commitment to enhancing digital operational resilience and cyber-maturity within Malta’s financial sector.
The publication elaborates on several supervisory efforts made by the SIRC Function, including support for authorisations, ongoing supervision, incident reporting, management of ICT third-party risk, and threat-led penetration testing. It also offers insights into the SIRC Function’s common findings related to ICT and Cybersecurity.
Legislation

Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (‘DORA’), is a Regulation applicable to entities within the financial services sector and aims at enhancing entities’ digital operational resilience. It entered into force on 16 January 2023 and will be applicable from 17 January 2025. The Regulation is accompanied by Directive (EU) 2022/2556. Member States are required to adopt the necessary provisions and measures to implement the DORA Regulation and to transpose Directive (EU) 2022/2556.
DORA is a complex, yet comprehensive Regulation which sets requirements on the following areas: (1) ICT Risk Management; (2) Incident Management, Classification and Reporting; (3) Digital Operational Resilience Testing; (4) ICT Third-Party Risk; and (5) Voluntary Information Sharing Arrangements. The Regulation will be technically supplemented by ten (10) Regulatory and Implementing Technical Standards which have different legal deadlines, ranging from January to July 2024.
The European Supervisory Authorities (ESAs) Guidelines and the Supervisory ICT Risk and Cybersecurity Function’s Guidance Document on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance Document’) have been cross-referenced in several of the Authority’s Prudential Supervision Rulebooks. Therefore, as applicable, entities within scope of these Rulebooks are expected to comply with the ESAs Guidelines and the Guidance Document to the extent set out in the Rules.
The current ICT and Cyber-related regulatory framework applicable to the financial services sector comprises, inter alia, the European Supervisory Authorities (ESAs) Guidelines. These Guidelines are sector-specific and, where applicable, are used as supervisory benchmarks throughout the various stages of an entity’s supervisory lifecycle, from Authorisation to Supervisory Engagements. For Credit Institutions undergoing the Supervisory Review and Evaluation Process (‘SREP’), the Guidelines on ICT Risk Assessment under SREP are also taken into account.
Building upon the ESAs Guidelines, the Supervisory ICT Risk and Cybersecurity function published in 2020 its Guidance Document on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance Document’). The Guidance Document sets the Authority’s expectations towards financial entities that do not fall within the scope of Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (‘DORA’), within the area of ICT.
- Guidelines Amending Guidelines EBA/GL/2019/04 on ICT and Security Risk Management
- EBA Guidelines on Outsourcing Arrangements
What is the Digital Operational Resilience Act (‘DORA’)?
DORA, Regulation (EU) 2022/2554, aims at increasing the digital operational resilience of the financial entities within its scope. It sets proportionate requirements in five key areas: (1) ICT Risk Management; (2) Incident Management, Classification and Reporting; (3) Digital Operational Resilience Testing; (4) ICT Third-Party Risk; and (5) Voluntary Information Sharing Arrangements. The Regulation is accompanied by Directive (EU) 2022/2556.
When will it become applicable?
DORA entered into force on 16 January 2023 and will be fully applicable from 17 January 2025. These dates also apply to the DORA Directive.
Does it apply to me?
The scope of the Regulation is outlined in Article 2. However, the Authority understands that some entities may need further clarity on the applicability of the Regulation due to home-grown regimes and other factors. If you are unsure if the DORA Regulation is applicable to you, please do not hesitate to contact us on [email protected].
However, as a way of clarification, it should be noted that pursuant to Article 2 of the DORA Regulation, Trustees & Fiduciaries, Company Service Providers and Virtual Financial Assets (VFA) Agents are not within scope of the DORA Regulation.
In turn, note that the DORA Regulation will apply to self-managed Alternative Investment Funds (AIF) and Undertakings for Collective Investment in Transferable Securities (UCITS).
How does proportionality under DORA work?
The DORA Regulation has a very robust proportionality principle made up of four layers that are built upon each other, respectively: (1) exceptions to scope as specified in Article 2(3) of the DORA Regulation; (2) the proportionality principle, under which entities are required to apply the requirements of the Regulation taking into account their size, risk profile, and the nature, scale and complexity of their services, activities and operations; (3) microenterprises are excluded from certain requirements and/or benefit from lighter requirements, as applicable; and (4) Article 16 entities are also excluded from certain requirements and/or benefit from lighter requirements, as applicable.
Authorised Persons are expected to establish a proportionality self-assessment document, approved by the respective management body, that is kept up-to-date. From a supervisory perspective, this self-assessment document could help the Authority in better understanding the Authorised Persons’ approach vis-à-vis the application of proportionality. Therefore, it is important that Authorised Persons are able to duly justify a proportionate application and implementation of the requirements of the DORA Regulation to the Authority. When assessing what is proportionate, Authorised Persons should focus on all the criteria established by Article 4 of the DORA Regulation.
For the avoidance of doubt, the recommendation of establishing a proportionality self-assessment document does not emanate from the DORA Regulation and/or any other relevant applicable laws, regulations and guidelines. This is therefore a recommendation of good practice.
How should I go about classifying my financial entity’s size in terms of the DORA Regulation?
In order to classify themselves as micro, small or medium-sized enterprises, financial entities should be guided by Article 3 of the DORA Regulation. Considering that the DORA Regulation does not provide guidance on how such a size calculation should be carried out, financial entities can, to the extent possible, refer to the guidance provided by the European Commission in Commission Recommendation 2003/361/EU and additional material released by the Commission, namely the User Guide to the SME Definition and the SME Self-Assessment Questionnaire.
For clarity, for the purposes of applicability of the DORA Regulation, what shall ultimately apply are the definitions provided under Article 3 of the DORA Regulation. In the event of any inconsistency, conflict or overlap between the DORA Regulation and the Commission Recommendation, for the purposes of the DORA Regulation, the DORA Regulation shall prevail.
I noticed that the Regulation is non-technical in some instances, why?
The DORA Regulation will be technically supplemented by ten (10) Regulatory and Implementing Technical Standards. For further details please refer to our Circular’s Annex 1 on Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector published on the EU Official Journal.
What will happen to the current applicable Guidelines (European Supervisory Authorities’ Guidelines and the MFSA’s Guidance Document)?
The applicability of the ESAs’ Guidelines is expected to be reviewed by the ESAs in due course, taking into account the legal deadlines for the Regulatory and Implementing Technical Standards.
In terms of the Authority’s Guidance Document, financial entities should refer to the Circular titled Update on the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, published by the Authority in March 2024.
Is there any interaction between DORA and other cyber-related EU Directives? What about existing industry standards best practices?
There is a strong interaction between the DORA Regulation and Directives (EU) 2022/2555 and (EU) 2022/2557. For further details on such interaction, please refer to our Circular on Directives (EU) 2022/2555 on Measures for a High Common Level of Cybersecurity and (EU) 2022/2557 on the Resilience of Critical Entities.
Note that the DORA Regulation has been drafted drawing inspiration from, inter alia, relevant Union law, sectoral guidelines, guidance from international financial institutions, and relevant industry standards and best practices. The upcoming Regulatory and Implementing Technical Standards currently being drafted by the European Supervisory Authorities (‘ESAs’) will also build upon industry standards and best practices. It should be noted, however, that whilst the DORA Regulation takes into account industry standards and best practices, compliance with any specific industry standard and/or best practice should not be taken as compliance with the DORA Regulation in its entirety.
Why are ICT Third Party Providers (‘ICT TPPs’) included within scope of the DORA Regulation?
ICT TPPs are included within scope of the DORA Regulation due to the Oversight Framework of Critical ICT Third Party Providers (‘CTPPs’) pursuant to Chapter V, Section II of the Regulation. Under the DORA Regulation, CTPPs will be designated based on their systemic character, the reliance of financial entities on them, and the difficulty of migrating relevant data away from that particular provider. Upon designation, CTPPs will be subject to a European Union-level Oversight Framework made up of the Oversight Forum and, more importantly, the Lead Overseer. Competent authorities shall follow up on the decisions made by the Lead Overseer.
It is also worth noting that, although the DORA Regulation does not set direct requirements on ICT TPPs, it does set key contractual provisions through Article 30. In this sense, financial entities should ensure that these key contractual provisions are included within their contractual arrangements with ICT TPPs.
Is there a difference between Outsourcing and the ICT Third Party Providers (‘ICT TPPs’) under DORA?
DORA does not intend to regulate the definition of outsourcing and it should not be seen as changing current outsourcing practices.
Arrangements concluded with ICT TPPs under the DORA Regulation intentionally go beyond Outsourcing Arrangements as established by (inter alia) the currently applicable Acts, Regulations, Rules and/or Sector-Specific Guidelines.
The definition employed by the DORA Regulation for an ICT TPP is provided by Article 3 point (19): “‘ICT third-party service provider’ means an undertaking providing ICT services.” In turn, Article 3 point (21) of the DORA Regulation states: “‘ICT services’ means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
The DORA Regulation therefore covers a broader array of arrangements concluded with ICT Third Party Providers, whether these qualify as outsourcing arrangements or not.
Article 5 of the DORA Regulation on Governance and Organisation places direct requirements onto the management body of a financial entity. What is to be considered as the management body?
By way of broad guidance, the management body of an entity is the one that sets the company’s strategy, objectives and overall direction, and which oversees and monitors management decision-making, and includes the persons who effectively direct the business of the company. In the same context, Article 3 point (30) of the DORA Regulation provides:
“‘management body’ means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law;”
Therefore, the legal definition of what is to be considered as the management body of a financial entity is largely sectoral. Financial entities are accordingly invited to refer to their relevant and applicable sectoral legislation as outlined above and, where applicable, also to its national transposition.
What is the relationship between Threat-Led Penetration Testing (‘TLPT’) and the TIBER-EU Framework? Will I be required to undergo TLPT under DORA?
The DORA Regulation distinguishes between digital operational resilience testing and advanced testing based on TLPT. Financial entities within scope – excluding microenterprises and Article 16 entities – may be required to undergo TLPT. The selection of entities that will be required to undergo TLPT must be done by the competent authorities. More specifically, Article 26(8) third subparagraph of the Regulation states that competent authorities shall identify the financial entities (taking into account proportionality) required to undergo TLPT based on impact-factors, financial stability concerns and ICT risk profile.
The most prominent framework for TLPT for the financial sector in the Union is the TIBER-EU Framework, developed by the European Central Bank (‘ECB’). The Regulatory Technical Standard on TLPT pursuant to Article 26(11) of the DORA Regulation will be developed jointly with the ECB and in accordance with the TIBER-EU Framework.
What are the different reporting mechanisms under DORA? What will happen to the incident reporting mechanism under Directive (EU) 2015/2366, the Payment Services Directive 2 (‘PSD2’)?
DORA has three different reporting mechanisms: (1) Major ICT-Related Incidents; (2) Significant Cyber Threats; and (3) Major Operational or Security Payment-Related Incidents.
The main difference that financial entities should be aware of concerns Major ICT-Related Incidents and Significant Cyber Threats. Financial entities will be required to classify incidents based on qualitative and quantitative thresholds yet to be defined by an upcoming Regulatory Technical Standard. Based on such classification, if the thresholds for a Major ICT-Related Incident are met, financial entities are required to report the incident to the competent authority. If the thresholds for a Significant Cyber Threat are met, financial entities may, this time on a voluntary basis, notify the Significant Cyber Threat to the competent authority. The reporting and notification templates for both Major ICT-Related Incidents and Significant Cyber Threats will be developed by the European Supervisory Authorities (‘ESAs’) as an Implementing Technical Standard pursuant to Article 20 of the DORA Regulation.
The third reporting mechanism is established by Article 23 of the DORA Regulation. Pursuant to that Article, credit institutions, payment institutions, account information service providers and electronic money institutions must report Major Operational or Security Payment-Related Incidents to the competent authority, irrespective of whether these incidents are ICT-related or not. This reporting mechanism was introduced by the DORA Regulation due to its relationship with PSD2.
In the same vein, the DORA Amending Directive (EU) 2022/2556 amends PSD2. According to DORA recital (23):
“To reduce the administrative burden and potentially duplicative reporting obligations for certain financial entities, the requirement for the incident reporting pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council should cease to apply to payment service providers that fall within the scope of this Regulation. Consequently, credit institutions, e-money institutions, payment institutions and account information service providers, as referred to in Article 33(1) of that Directive, should, from the date of application of this Regulation, report pursuant to this Regulation, all operational or security payment-related incidents which have been previously reported pursuant to that Directive, irrespective of whether such incidents are ICT-related.”
In preparation for the Digital Operational Resilience Act (DORA) Regulation, the Supervisory ICT Risk and Cybersecurity Function (SIRC) periodically releases DORA Podcasts, which primarily aim at preparing our Authorised Persons. In this sense, Authorised Persons are encouraged to reach out to SIRC on [email protected] with any DORA-related queries or suggestions to be addressed in future DORA Podcasts.
Major ICT-Related Incident Reporting

Significant Cyber Threat Notification

- Significant Cyber Threat Notification Process
- Significant Cyber Threat Notification Template
- Significant Cyber Threat Notification User Guide
The Significant Cyber Threat Notification Process sets out the scope and applicability, and the classification criteria for notifying a Significant Cyber Threat.
The Significant Cyber Threat Notification Template is the standard template to be used by Authorised Persons to notify a Significant Cyber Threat to the Malta Financial Services Authority (‘MFSA’).
The Significant Cyber Threat Notification User Guide is the user guide for notifying a Significant Cyber Threat to the MFSA through the Licence Holder Portal.
Information-Sharing Arrangement Notification

- Information-Sharing Arrangement Notification Process
- Information-Sharing Arrangement Notification Form Template
- Information-Sharing Arrangement Notification User Guide
The Information-Sharing Arrangement Notification Process sets out the scope and applicability, and establishes the process for notifying participation in, or cessation of membership of, an Information-Sharing Arrangement.
The Information-Sharing Arrangement Notification Form Template is the standard template to be used by Authorised Persons to notify their participation in an Information-Sharing Arrangement upon validation of their membership, or, as applicable, the cessation of their membership once it takes effect.
Threat-Led Penetration Testing

Threat-Led Penetration Testing (‘TLPT’) has emerged as a critical measure for bolstering the digital resilience of Financial Entities (‘FEs’), driven by the need to simulate realistic and high-impact cyber threats. Unlike traditional penetration testing, TLPT mirrors real-world tactics, techniques, and procedures of sophisticated threat actors. This enables FEs to identify vulnerabilities and test their response capabilities under conditions similar to those of actual attacks. For certain FEs within the European Union, TLPT is not only best practice but also a regulatory requirement under the Digital Operational Resilience Act (‘DORA’) (Regulation (EU) 2022/2554), which mandates enhanced security and resilience standards to ensure the stability of the financial ecosystem.
In response to escalating cybersecurity threats, the European Union enacted DORA, which sets out stringent requirements for digital operational resilience in the financial sector. The Regulatory Technical Standards (‘RTS’) ((EU) 2025/1190) further specify the elements of TLPT for the FEs identified under Article 26 of DORA. As of 18 June 2025, the RTS has been officially published in the EU Official Journal and shall enter into force on 08 July 2025.
In May 2018, the European Central Bank (‘ECB’) published the first European-wide framework for Threat Intelligence-Based Ethical Red Teaming (‘TIBER-EU Framework’). This framework ensures mutual recognition of cyber resilience tests across the EU and was jointly developed by the ECB and the EU national central banks to help core European FEs enhance their protection, detection, and response capabilities. In February 2025, the ECB updated the TIBER-EU Framework to fully align it with the DORA RTS on TLPT.
DORA highlights the importance of TLPT as an integral component of digital resilience testing, ensuring that FEs are prepared to face sophisticated cyber threats and maintain operational continuity across the EU financial sector. The TIBER-EU Framework enables European and national authorities to collaborate with financial and other entities to achieve this goal.
In May 2018, the European Central Bank (‘ECB’) published the first European-wide framework for threat intelligence-based ethical red-teaming (‘TIBER-EU Framework’) that provides an efficient solution for ensuring mutual recognition of cyber resilience tests across the EU. This framework was jointly developed by the ECB and the EU national central banks aiming to help the entities that form the core European financial infrastructure to test and enhance their protection, detection, and response capabilities. In February 2025, the ECB updated the TIBER-EU Framework to fully align it with the DORA Regulatory Technical Standards (‘RTS’) ((EU) 2025/1190) on Threat-Led Penetration Testing (‘TLPT’). The framework ensures a qualitative, controlled, and safe TLPT approach across the EU. It provides comprehensive guidance for cyber resilience testing and facilitates a uniform and harmonised approach for TLPT for financial entities across Europe.
The MFSA published a feedback statement on 06 February 2024 with regard to the public consultation titled ‘Consultation on the Adoption of the TIBER-EU Framework in Malta’, which was published on 08 March 2023. The consultation was issued, firstly, to introduce the TIBER-EU Framework to interested industry stakeholders, together with the relationship between its requirements and the requirements of DORA on advanced testing based on TLPT. Secondly, the consultation sought to gather the views of industry stakeholders on the adoption of the TIBER-EU Framework in Malta.
Following discussions with the ECB and TIBER-Knowledge Centre, the MFSA has adopted the TIBER-EU Framework and published the “TIBER-MT and DORA TLPT-MT National Implementation Document” (‘Document’), which outlines the implementation of the TIBER-EU Framework within Malta. This Document can be found on the MFSA website, as well as on the ECB website.
The Malta Financial Services Authority (‘MFSA’, the ‘Authority’) has officially adopted the TIBER-EU Framework for the Maltese jurisdiction. This adoption was implemented through the “TIBER-MT and DORA TLPT-MT National Implementation Document” (‘Document’), which has been officially published by the Authority on both the MFSA’s website and the European Central Bank (‘ECB’) website.
This publication signifies that the Document has been acknowledged and assessed by the TIBER-EU Knowledge Centre (‘TKC’), a forum hosted by the ECB in which national and European TIBER-EU cyber teams coordinate, discuss initiatives, and share details of their experiences. This recognition enables the Maltese jurisdiction to adopt the European framework for Threat Intelligence-Based Ethical Red Teaming (‘TIBER-EU Framework’), thereby allowing Financial Entities (‘FEs’) to utilise TIBER-EU through a TIBER-MT test.
The published Document does not contain a detailed prescriptive process, nor any specificities that differentiate it from the mandatory obligations set out in the Digital Operational Resilience Act (‘DORA’) (Regulation (EU) 2022/2554) with regard to Threat-Led Penetration Testing (‘TLPT’), further expanded upon in the corresponding Regulatory Technical Standards (‘RTS’) ((EU) 2025/1190), or from the core foundational concepts and approaches set out in the TIBER-EU Framework. Therefore, a TIBER-MT test is aligned with the DORA Regulation, the TLPT RTS, and the TIBER-EU Framework.
Additionally, the Document identifies that the Supervisory ICT Risk and Cybersecurity (‘SIRC’) Function will be responsible for the facilitation and monitoring of a TIBER-MT test. Thus, SIRC members will make up the roles of the TLPT & TIBER Cyber Team Malta (‘TCT-MT’) and the Test Managers (‘TMs’).
Furthermore, it is specified within the Document that the target sectors in scope of performing a TIBER-MT test are:
- Target 1 – FEs licenced by the MFSA that are in scope of Article 2(1) of the RTS, emanating from the DORA Regulation ((EU) 2022/2554);
- Target 2 – FEs licenced by the MFSA that are referred to in Article 2(2) of the RTS, emanating from the DORA Regulation ((EU) 2022/2554).
How can Financial Entities determine whether a Threat-Led Penetration Test is mandatory?
As stated in Article 26(1) of DORA ((EU) 2022/2554), Financial Entities, other than entities referred to in Article 16(1), first subparagraph, of DORA and excluding microenterprises, which are identified in accordance with paragraph 8, third subparagraph, of that Article, shall carry out advanced testing by means of TLPT at least once every 3 years.
Moreover, the RTS ((EU) 2025/1190) further provides that the MFSA, as the TLPT Authority, shall assess a Financial Entity’s impact, systemic characteristics, and ICT risk profile when determining whether it is required to perform a TLPT, as per Article 2(1) of the RTS. Additionally, the MFSA shall require Financial Entities that meet the criteria of Article 2(2) of the RTS to perform TLPT.
Does a Financial Entity require prior Notification from the MFSA before Initiating a Threat-Led Penetration Test?
Yes, the MFSA shall notify a Financial Entity that it is to perform a TLPT. A Financial Entity cannot perform a Threat-Led Penetration Test as defined under DORA ((EU) 2022/2554) unless the MFSA has provided such notification.
Are there Specific Guidelines on the frequency with which Financial Entities should perform Threat-Led Penetration Tests?
Article 26(1) of DORA ((EU) 2022/2554) requires Financial Entities in scope of TLPT to carry out advanced testing by means of TLPT at least once every 3 years, which mirrors the frequency stated in Chapter 2.1.1 of the TIBER-EU Framework. However, based on the risk profile of the Financial Entity and considering operational circumstances, the MFSA may, where necessary, request the Financial Entity to reduce or increase this frequency.
What Functions should be in Scope of Threat-Led Penetration Tests under DORA?
As highlighted in Article 26(2) of DORA ((EU) 2022/2554), each TLPT shall cover several or all critical or important functions of a Financial Entity and shall be performed on live production systems supporting such functions.
When should a Financial Entity start contracting a Threat Intelligence Provider and the Red Team Testers?
Financial Entities are recommended to initiate the process of contracting external testers upon receiving notification from the MFSA that the entity is in scope of TLPT, as outlined in Articles 26 and 27 of DORA ((EU) 2022/2554). This proactive approach is advised to save time and facilitate better planning during the Preparation Phase. However, the actual contracting must be discussed with the MFSA and must include proper risk management measures as specified in Article 7 of the RTS ((EU) 2025/1190) and outlined in the TIBER-EU Guidance for Service Provider Procurement.
How can a Financial Entity determine if it can make use of Internal Testers or External Testers when performing Threat-Led Penetration Tests?
Financial Entities shall contract testers for the purposes of undertaking TLPT in accordance with Article 27 of DORA ((EU) 2022/2554). All Financial Entities in scope of TLPT as defined under DORA, except for credit institutions classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, are able to use internal testers when performing TLPT. In addition, when Financial Entities use internal testers for the purposes of undertaking TLPT, they shall contract external testers every three tests.
Use of internal testers must be aligned with the requirements set out in Article 15 of the RTS ((EU) 2025/1190) reflected in Chapter 3.6.3 of the TIBER-EU Framework and the TIBER-EU Guidance for Service Provider Procurement.
Will there be any Specific Guidelines or Standards that Financial Entities must follow regarding the Methodology for Conducting Threat-Led Penetration Tests?
The MFSA has published the TIBER-MT and DORA TLPT-MT National Implementation Document which states that the Maltese jurisdiction is following the TIBER-EU Framework for TLPT. This framework provides a comprehensive guide on the key phases, activities, deliverables, and interactions involved in a TIBER-MT test, which adheres to the RTS ((EU) 2025/1190) on TLPT as defined in DORA ((EU (2022/2544). TIBER-EU also provides additional guidance for the various deliverables, as well as procurement and implementation activities required throughout the TLPT phases.
If a Financial Entity conducts a TIBER-MT Test, is it complaint with the requirement set out in Article 26 and 27 of DORA and the RTS?
If the FE performs a TIBER-MT test, is issued with a TIBER-MT attestation, AND has followed all the mandatory requirements under the DORA ((EU (2022/2544) and RTS ((EU) 2025/1190), then yes the entity will be seen as compliant with DORA and the RTS.
How important is secrecy prior to and during the TIBER-MT test?
Secrecy is crucial to maintain the realism of a TIBER-MT test. Without it, the TIBER-MT Attestation, which confirms the test’s compliance with DORA ((EU) 2022/2554), its RTS ((EU) 2025/1190), as well as the TIBER-EU Framework, may not be issued to the Financial Entity at the end of the TIBER-MT test.
To ensure confidentiality, it is important that Financial Entities review Article 4 (2) of the RTS and Chapter 4 of the TIBER-EU Framework to understand how to establish organisational and procedural measures that safeguard secrecy.
Who are my main stakeholders within a TIBER-MT test?
This table outlines the potential, though not exhaustive, stakeholders involved in a TIBER-MT test:
Responsibility Table

| Roles in a TIBER-MT test | MFSA | Financial Entity | External |
|---|---|---|---|
| Management Body | | ✓ | |
| Control Team Lead | | ✓ | |
| Control Team | | ✓ | |
| TIBER and TLPT Cyber Team Malta | ✓ | | |
| Test Managers | ✓ | | |
| Threat Intelligence Provider | | | ✓ |
| Red Team Testers (Internal/External) | | ✓ | ✓ |
| Blue Team | | ✓ | |
All parties involved in a TIBER-MT test should take a collaborative, transparent, and flexible approach, where appropriate.
What, as a Financial Entity, will I have to undergo in Phase 1 of a TIBER-MT test?
The Financial Entity must adhere to Article 9 of the RTS ((EU) 2025/1190), reflected in Chapter 6 of the TIBER-EU Framework, to successfully meet the requirements of the Preparation Phase. This is a crucial step towards obtaining a TIBER-MT Attestation Letter, which confirms that the TIBER-MT test conducted complies with the core requirements set out in DORA ((EU) 2022/2554), TLPT RTS, as well as the TIBER-EU Framework.
What, as a Financial Entity, are the deliverables I will have to provide in Phase 1 of a TIBER-MT test?
The Financial Entity is expected to adhere to the following during the Preparation Phase:
- Hosting a Meeting, Drafting, and Submitting the Initiation document [See: Annex 1 of the RTS ((EU) 2025/1190), and the TIBER-EU Initiation Document Guidance];
- Hosting a Meeting, Drafting, and Submitting the Scope Specification document [See: Annex 2 of the RTS ((EU) 2025/1190), and the TIBER-EU Scope Specification Document Guidance];
- Procuring and Hosting a Meeting for the Red Team Testers & Threat Intelligence Provider [See: Article 11 of the RTS ((EU) 2025/1190), and the TIBER-EU Guidance for Service Provider Procurement];
- Drafting, Submitting, and Updating the Risk Assessment.
What should the TIBER-MT Risk Assessment contain for risk management?
Article 5 of the RTS ((EU) 2025/1190), reflected in Chapter 4 of the TIBER-EU Framework, discusses the risk management controls, processes, and procedures a Financial Entity must facilitate to have a controlled test. The Authority will assess whether these measures adequately address the risk associated with a TIBER-MT test.
The points at which the Financial Entity should consider updating the Risk Assessment are:
- before starting the Testing Phase;
- after receiving the Targeted Threat Intelligence Report;
- upon finalising the Red Team Test Plan.
What, as a Financial Entity, will I have to undergo in Phase 2 of a TIBER-MT test?
The Financial Entity must adhere to Articles 10 and 11 of the RTS ((EU) 2025/1190), reflected in Chapters 7 and 8 of the TIBER-EU Framework respectively, to successfully meet the requirements of the Testing Phase. This is a crucial step towards obtaining a TIBER-MT Attestation Letter, which confirms that the TIBER-MT test conducted complies with the core requirements set out in DORA ((EU) 2022/2554), the TLPT RTS, as well as the TIBER-EU Framework.
What, as a Financial Entity, are the deliverables I will have to provide in Phase 2 of a TIBER-MT test?
The Financial Entity is expected to adhere to the following during the Testing Phase:
- Selecting the Test Scenarios [See: Article 10 (3) of the RTS ((EU) 2025/1190), and Chapter 7.3 of the TIBER-EU Framework];
- Submitting the Targeted Threat Intelligence Report [See: Annex III of the RTS ((EU) 2025/1190), and the TIBER-EU Targeted Threat Intelligence Report Guidance];
- Approving and Submitting the Red Team Test Plan [See: Annex IV of the RTS ((EU) 2025/1190), and the TIBER-EU Red Team Test Plan Guidance];
- Updating the Risk Assessment;
- Submitting Leg-Ups during the Active Red Team Testing Phase.
What should a Financial Entity do if the testers are detected during a Threat-Led Penetration Test?
Awareness of the TLPT should be limited to a need-to-know basis. If an individual outside the designated group becomes aware of the test, proper crisis and incident escalation measures must be in place. In the event that testing activities are detected, the Financial Entity should propose measures to continue the test while maintaining secrecy; these measures must be validated by the MFSA.
Where continuing the test while maintaining secrecy is not feasible, it may be necessary to suspend the test or, as a last resort, to continue it as a Limited Purple Teaming Exercise for the duration of the Active Red Team Testing Phase.
What, as a Financial Entity, will I have to undergo in Phase 3 of a TIBER-MT test?
The Financial Entity must adhere to Article 12 of the RTS ((EU) 2025/1190), reflected in Chapter 9 of the TIBER-EU Framework, to successfully meet the requirements of the Closure Phase. This is a crucial step towards obtaining a TIBER-MT Attestation Letter, which confirms that the TIBER-MT test conducted complies with the core requirements set out in DORA ((EU) 2022/2554), the TLPT RTS, as well as the TIBER-EU Framework.
What, as a Financial Entity, are the deliverables I will have to provide in Phase 3 of a TIBER-MT test?
The Financial Entity is expected to adhere to the following during the Closure Phase:
- Submitting the Red Team Test Report [See: Annex V of the RTS ((EU) 2025/1190), and the TIBER-EU Red Team Test Report Guidance];
- Drafting and Submitting the Blue Team Test Report [See: Annex VI of the RTS ((EU) 2025/1190), and the TIBER-EU Blue Team Test Report Guidance];
- Performing and Hosting a Meeting for the Replay Exercise [See: Article 12 (5) of the RTS ((EU) 2025/1190), and Chapter 9.3 of the TIBER-EU Framework];
- Performing and Hosting a Meeting for the Purple Team Exercise [See: Article 12 (5) of the RTS ((EU) 2025/1190), and the TIBER-EU Purple Teaming Guidance];
- Drafting and Submitting the Test Summary Report [See: Annex VII of the RTS ((EU) 2025/1190), and the TIBER-EU Test Summary Report Guidance];
- Drafting and Submitting the Remediation Plan [See: Article 13 (2) of the RTS ((EU) 2025/1190), and the TIBER-EU Remediation Plan Guidance];
- Participating in the 360° Feedback Meeting [See: Recital (2) of the RTS ((EU) 2025/1190), and Chapter 9.7 of the TIBER-EU Framework].
ICT Third-Party Risk

Introduction
This page details the Register of Information as specified in Chapter 5, Article 28 of the EU Digital Operational Resilience Act (DORA). This regulation is designed to enhance the digital operational resilience of financial entities within the European Union.
What is the Register of Information?
The Register of Information is a critical component of DORA, requiring financial entities to maintain a comprehensive and up-to-date record of all contractual arrangements with third-party ICT service providers. This register ensures that financial entities can effectively manage and mitigate ICT-related risks, thereby safeguarding their operations and the broader financial system.
Maintaining a detailed Register of Information helps financial entities to:
- Enhance their digital resilience.
- Ensure compliance with regulatory requirements.
- Mitigate risks associated with third-party ICT services.
Additionally, Financial Entities in scope of DORA that are authorised by the MFSA must submit their RoI on a yearly basis to the Authority as stipulated in Article 28 (3) of the DORA Regulation.
Moreover, the EBA has equipped its DORA preparedness webpage with helpful resources on RoI reporting from 2025 onwards. That page includes all the files needed to create an RoI, the validation rules that the ESAs will apply to each RoI submission, and an extensive FAQ list for queries pertaining to the RoI.
Lastly, regarding Significant Institutions (SIs), under Article 46(a) of DORA the European Central Bank (ECB) ensures compliance for credit institutions classified as significant under Article 6(4) of Regulation (EU) No 1024/2013. The ECB outlines its interpretation of the obligations under Article 28(3) DORA and Commission Implementing Regulation (EU) 2024/2956 (DORA ITS), including the requirement to establish and share an RoI with the ECB. The ECB will provide further guidance on the submission of the RoI for credit institutions classified as significant under Article 6(4) of Regulation (EU) No 1024/2013.
Register of Information Submission User Guide
This user guide provides comprehensive instructions for financial entities on how to submit their Register of Information (RoI) to the MFSA. While the Authority’s returns system will check for validation errors and provide automatic feedback if the Data Point Model and validation rules provided by the ESAs are not followed, it is ultimately the responsibility of the financial entity to ensure their RoI complies with DORA.
What is included in the RoI Submission User Guide:
- Introduction – Accessing and registering on the LH Portal
- Uploading the RoI onto the LH Portal – File Upload/Structure/Naming Convention and Validation
- Resubmissions – In case an entity must resubmit its RoI
- Contact Us – Our contact details
Moreover, an LH Portal account is required to access the RoI submissions page. Compliance Officers will have automatic access; however, if the person responsible for submitting the RoI does not have access to the RoI submissions page, it is important to contact us by emailing [email protected]. If someone other than a Compliance Officer intends to submit the RoI, they must create an LH Portal account and request access by emailing [email protected].
Download the User Guide:
User Guidelines for the Submission of the Register of Information
FAQs
This page provides a link to the official ESA FAQs, which offer detailed answers to frequently asked questions about the preparation and reporting of the RoI in compliance with DORA.
The Supervisory ICT Risk and Cybersecurity Function has also collected a number of the questions most frequently asked locally, for your perusal:
Question 1: Will the ESAs or MFSA be providing Financial Entities with an updated RoI template and plain.csv conversion tool?
No. The ESAs have stated that the responsibility for obtaining a solution to create an RoI template and conversion tool falls on Financial Entities. The MFSA will also not be providing an RoI template or accompanying conversion tool. Additionally, the ESAs have stated that the Dry-Run template and conversion tool are no longer supported and will not be accepted.
Question 2: Will I be notified if my submission has passed or failed the ESA validation checks?
Yes, the MFSA will be applying the ESA validation rules to the RoI submissions page on the LH Portal. Upon submission, Authorised Persons will receive a report via email detailing the quality of their RoI submission and the errors it may contain.
Question 3: Who from the Financial Entities will have access to submit the RoI on LH Portal?
The Authority will be granting access to approved Compliance Officers. It is important to note that a user must have an LH Portal account to receive access rights to the RoI submissions system. Kindly refer to the RoI submission user guide on how to create an LH Portal account.
Question 4: Are we able to submit a consolidated RoI through a parent company who is based outside of Malta?
Yes, DORA states that you can submit at either sub-consolidated or consolidated level. In the case that your entity would prefer to submit at consolidated level through your parent company outside of Malta, the MFSA is requesting the following in writing via email:
- Confirmation that you will be submitting at consolidated level
- Name of the parent company submitting RoI
- Name of the NCA you will be submitting to
- Date of submission of your RoI to the NCA outside of Malta
Question 5: What are the reporting deadlines for 2025?
For 2025, Financial Entities are expected to submit their RoI to the MFSA between 01 April 2025 and 08 April 2025 (both days included).
General
