Navigating the DORA Malta regulation – A Simple Guide

DORA Malta

In today’s world where everything is interconnected and the world is rapidly evolving around a digital landscape, resilience and security of digital service providers is a critical aspect to handle. The goal to enhance cybersecurity has been on the agenda of multiple global agencies and governments in recent years. As a matter of fact, DORA was introduced by the European Union. DORA stands for Digital Operational Resilience Act and is a legislation that deals with the strengthening of digital worlds.

So let us look into the DORA Malta regulation.

As introduced by the EU, the Digital Operational Resilience Act launched on the 17th of January 2023 and will come into affect on the 17th of January 2025.. This will be applicable to:

  • Banks
  • Payment institutions
  • Investment firms
  • Crypto assets service providers
  • Credit institutions
  • Fund management companies
  • Data reporting service providers
  • Insurance and insurance intermediaries
  • Credit rating agencies
  • Crowdfunding service providers

It is also good to note that the DORA regulation also caters for third-party ICT service providers that provide digital and data services to clients on an ongoing basis. This can include:

  • Hardware and/or software as a service
  • Technical support via software/firmware updates 

Note that the Digital Operational Resilience Act is a regulation, not a directive and therefore all companies within the aforementioned industries have to abide by this regulation.

The ultimate aim of DORA is to promote Europe’s competitiveness and innovation in the financial sector. Financial entities hold and process various types of critical information and therefore they are particularly susceptible to IS attached.

This EU regulation will harmonize the rules and regulations of different member states – into a single, regulation to cover operational resilience and cybersecurity.

Chapter 2: Requirements of the Digital Operational Resilience Act and how these can be easily reached through ISO 27001 certification

Chapter 2 states that organizations have to have a risk-based approach in their digital operational activities. This is also the main pillar for ISO 27001:2022. As per the Digital Operational Resilience Act, the following elements have to be considered:

  • Identification
  • Protection and prevention
  • Detection
  • Response and recovery
  • Learning and evolving
  • Communication

The National Institute of Standards and Technology (NIST) has a standard that considered some of the above. The framework core of NIST covers 5 critical functions – which in turn talks about 23 categories, as follows:

  • Identify
    • Asset management
    • Business environment
    • Governance
    • Risk assessment
    • Risk management strategy
    • Supply chain risk management
  • Protect
    • Identity management and access control
    • Awareness and training
    • Data security
    • Information protection processes and procedures
    • Maintenance
    • Protective technology
  • Detect
    • Anomalies and events
    • Security continuous monitoring
    • Detection processes
  • Respond
    • Response planning
    • Analysis
    • Mitigation
    • Improvements 
  • Recover
    • Recovery planning
    • Improvements
    • Communications

The aforementioned categories were designed to cover as many of the cybersecurity threats as possible. However, there is not enough focus to cover all the requirements of DORA by following the NIST standards for IS.

Chapter 3: ICT risk management requirements

ICT risk management requirements revolve around:

  • Identifying business functions and determining what type of information assets are needed to support these functions.
  • Doing the best possible to ensure that such assets are protected.
  • Given that this is a system for the prevention of incidents, there is also a focus on detecting anomalous activities – ideally before the incident occurs.
  • Having systems and procedures in place, that include adequate communication with the relevant stakeholders, and including clients, should there be the need for recovery strategies.

Moreover, another important element of the Digital Operational Resilience Act relates to ICT-relates incidents management, classification and reporting. This element is strongly mentioned in ISO 27001:2022 in Clause 10, and referenced in other clauses. This is defined in Chapter 3 of the regulation.

Specific criteria for how incidents have to be classified will be made available. Possibly, the ENISA systems will be used – this is mentioned within the DORA Malta regulation– however other standards might be used. The classification of the incidents can be used in junction with the overarching requirements of ISO 27001.

Depending on the severity of the incident, organizations will need to communicate this with the regulator. Granted, for major incidents will only need to contact the national regulator – within a strict deadline. Going forward, a central platform might be created whereby all financial institutions will report all their ICT-related incidents on the same portal.


Whether you’re after ISO Certification, internal audits, or results-oriented consultancy, Luke has the plan for you. Reach out to him and start your journey today.
ISO Consultant in Malta


Luke has a plan for you whether you want ISO certification, internal audits, or results-oriented consulting. Contact him immediately to begin your adventure.

Chapter 4: Digital operational resilience testing

An element that all Information Security managers can’t get enough of. no matter how many actions one takes to improve their ISMS, issues might still happen. Hiring a 3rd party company to perform a vulnerability test or a penetration test, sheds critical light on any downfalls within the systems of the organisation. This is also mentioned in Chapter 4 of the Digital Operational Resilience Act.

To do this effectively DORA strongly recommends that tools for ICT are used to assist with penetration testing and should be based on the risks and threats available. A penetration test is to be carried out at least once every 3 years.

Chapter 5: ICT 3rd party risk management

An extremely important part of ISO 27001:2022 as defined within Annex A of the controls is the management of suppliers. This aspect is also mentioned in the Digital Operational Resilience Act through:

  • Having provisions included within the regulation of text that has to be added in contracts between your organization and your ICT suppliers.
  • Having the need to determine risks relating to suppliers.
  • Having a register of ICT suppliers.
  • Having the requirement to perform assessments to ICT suppliers before engaging them to perform services for your organization.

Chapter 6: information and intelligence sharing

And the best has been reserved for the last. In a true mindset of protecting information DORA promotes the idea of having firms exchange data and information between them relating to cyber treats. The main aim here is to have a system to continual improvement, whereby the industry is working together to combat information security related crimes.

Summary of the Digital Operational Resilience Act requirements when compared to ISO 27001:2022

In summary, there is a big overlap between DORA and ISO 27001:2022 requirements. The Digital Operational Resilience Act requirements are spread over the following 5 chapters:

  • ICT risk management
    • Accountable management team focused on continual improvement – Clause 5 of ISO 27001:2002.
    • Risk management practices employed by the organization – Clause 6 of ISO 27001:2002.
  • ICT incident reporting
    • Standards for incident classification that will be defined within DORA following an incident management process – Clause 10 of ISO 27001:2002.
    • Moreover, firms will be required to contact the national competent authority in the case of a major incident.
  • Digital operational resilience testing
    • Technical testing, including penetration testing & vulnerability analysis must be performed at a given frequency – Annex A of ISO 27001:2002.
    • A requirement of doing an advanced threat led penetration test (TLPT) every 3 years has been introduced by the Digital Operational Resilience Act.
  • ICT 3rd party risk management
    • Increased importance on having risks relating to suppliers identified, and the requirements of all interested parties defined – Clauses 4 & 6 of ISO 27001:2002.
    • Considering the technical capabilities of ICT suppliers is a good practice that is enforced by the Digital Operational Resilience Act.
  • Information and intelligence sharing
    • Having a system of information and intelligence sharing between all firms that must comply with DORA – for them to help each other create robust guidelines that will help the industry combat cybercrime – Annex A of ISO 27001:2002.

EAGER TO LEARN MORE the Digital Operational Resilience Act and how DORA Malta is developing?

As an ISO management system consultant Luke Desira will make it his personal mission to put your company on a class above all others! I invite you to read more about the Digital Operational Resilience Act here.

If you are on the hunt on information on how to get certified, have a look at this guide on how to get ISO certified with Luke Desira, and find out about the 10 pitfalls that you may encounter when implementing ISO in your organisation, specifically for when you’re implementing ISO 27001 in your business.

Don’t forget to follow us on our Facebook and LinkedIn profiles, and subscribe to our Youtube Channel for more great content.

Book a Free 15 minute discovery call

Select a date and time to schedule a free 15 minute discovery call with Luke Desira.

Message Luke through an email


Give Luke a call

+356 7920 6686

Related Articles

fundamental audit concepts
ISO 27001

Fundamental audit concepts and principles for ISO 27001

In this blog, we will be going over the fundamental audit concepts and principles for ISO 27001. Dive in and learn these concepts! The 4 standards that relate to auditing are: Naturally, ISO 27001 is different from the above in the sense that companies from all industries can comply with its requirements and get their

Read More »
Information Security Management System
ISO 27001

What is an Information Security Management System (ISMS)?

A management system is a set of processes to achieve certain objectives. The scope of the management system can relate to one site or more multiple sites of the organization – and it can cover all or some of the processes of the company. Now an information security management system, or in short an ISMS,

Read More »
how to implement ISO 27001
ISO 27001

How to Implement ISO 27001 in your organisation

Are you a listener or are you a reader? In any case, we have got you covered. Dive into the details of how to implement ISO 27001 in your organisation, you can read all about it or listen to what Luke Desira has to say. Hi, I am Luke Desira and in this video, I

Read More »
Scroll to Top