Please use this identifier to cite or link to this item:
https://www.um.edu.mt/library/oar/handle/123456789/127561
| Title: | The Impact of DORA with special focus on Maltese payment service providers |
| Authors: | Zerafa Le Gros, Maria (2024) |
| Keywords: | Computer security -- Law and legislation -- European Union countries; Finance -- Malta; Computer networks -- Security measures; Risk management |
| Issue Date: | 2024 |
| Citation: | Zerafa Le Gros, M. (2024). The Impact of DORA with special focus on Maltese payment service providers (Master’s dissertation). |
| Abstract: | The European Commission prioritised making Europe suitable for the digital age by building a future-ready economy. The Digital Operational Resilience Act (DORA) bolsters a new digital finance strategy to ensure that the EU epitomises the digital revolution and drives it with ingenious European firms in the lead. The regulation covers a range of financial institutions that are regulated at EU level to guarantee consistency among the Information and Communication Technology (ICT) risk-management requirements that are pertinent to the financial sector. DORA was ratified by the European Parliament in November 2022 and entered into force in January 2023. Its main objective is to consolidate and upgrade ICT risk requirements throughout the financial sector so that all participants of the financial system are subject to a common set of standards to alleviate ICT risks. Moreover, the regulation increases requirements on ICT risk management and ICT-related incident reporting, which are more stringent than those of the Network and Information Security Directive. The regulation is based on five core pillars setting out an extensive range of legislative requirements across ICT risk management and operational resilience. The first pillar is ICT risk management and sets out the objective for financial institutions to create an ICT risk management framework around a set of key principles and requirements. The second pillar is that of incident reporting, with the main objective being to harmonise ICT incident classification and reporting. The third pillar is based on setting out digital operational resilience testing, with the objective of harmonising standards across the EU for digital operational resilience testing. The fourth pillar focuses on ICT third-party risk. The fifth pillar is that of critical third-party oversight, which creates a direct oversight framework for critical third-party providers.
The objective of this dissertation is to delve into the aims, impact, implications and improvements of DORA and cover the key obligations under this new regulation, which is directly applicable to all Member States of the Union. The research will have a mixed approach of both qualitative and quantitative research. Firstly, the researcher will delve into the implications and developments that DORA introduces in the financial services sector. Additionally, the research will take a mixed approach by collecting data by means of a questionnaire from Payment Service Providers licensed by the MFSA, in order to help the researcher determine difficulties and challenges, if any, when implementing the Regulation in the institution’s respective policies and procedures. |
| Description: | M.A. Fin. Serv.(Melit.) |
| URI: | https://www.um.edu.mt/library/oar/handle/123456789/127561 |
| Appears in Collections: | Dissertations - FacLaw - 2024; Dissertations - FacLawCom - 2024 |
Files in This Item:
| File | Description | Size | Format | |
|---|---|---|---|---|
| 2418LAWCML503500010361_1.PDF (Restricted Access) | | 1.34 MB | Adobe PDF | |
Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.
