Regulatory scrutiny on digital operational resilience keeps increasing as supervisors, including the Malta Financial Services Authority (‘MFSA’), continue to seek to ensure effective compliance in practice. This is taking place in a context shaped by factors such as trade disputes, knowledge gaps and next-generation threats from disruptive technologies such as AI, which continue to push third-party and cyber risk higher up on governance agendas.
To face this new threat landscape, many organisations have decided to invest further into their risk budgets. According to PwC’s 2026 Global Digital Trust Insights, over two-thirds of organisations are increasing their cyber risk investment in response to geopolitical risks.
While many organisations have started laying the foundation for effective cyber and regulatory processes, operating in an increasingly complex regulatory landscape requires business leaders to focus much more on their response strategies and planning ahead before a crisis happens.
Against this backdrop, the MFSA has launched thematic reviews on Digital Operational Resilience under the Digital Operational Resilience Act (‘DORA’) and the relevant Regulatory/Implementing Technical Standards (RTS/ITS) to assess the level of compliance of targeted businesses against DORA requirements.
Selected businesses are expected to complete a detailed, audited assessment, following which they are required to submit the required documentation within prescribed timelines and to prepare a detailed remedial plan which is to be approved at board level.
The breadth and scope of the MFSA’s review will require strategic planning and investment, as it spans the core regulatory domains under DORA and includes dozens of sub-requirements, including those relating to ICT and cybersecurity documentation, ICT risk management, and ICT third-party risk management.
Where an entity is selected for the MFSA’s thematic review, three timing milestones typically apply.
First, the entity must acknowledge receipt of the official MFSA request within the established time limit.
Second, the entity has a time limit (for example, 5 months) within which to provide its full submission covering the thematic review deliverables and the remedial action plan to the MFSA.
Finally, implementation of any required remediation must be completed within the set time limit (for example, within 6 months) from the MFSA’s submission deadline.
In parallel, the MFSA has reminded all financial entities within the scope of DORA of their obligation to submit their Register of Information (‘RoI’) during the reporting period running from 1 January 2026 to 21 March 2026, using 31 December 2025 as the applicable reference date, as outlined in the MFSA Circular and in accordance with the relevant provisions of the applicable ITS.
To ensure that the regulatory risks in this area are appropriately managed, cybersecurity and compliance teams can leverage the support of external help including through managed services. This allows organisations to focus on what matters most to them – to grow, innovate and compete across various verticals – without losing momentum. We can help you address your compliance requirements in a simple effective manner by helping you build an agile framework that can:
This article was written by Maegan Grech