Impact of DORA Compliance

DORA introduces several compliance requirements for in-scope entities.

DORA compliance requires a structured and proactive approach. BDO Malta encourages in-scope entities to establish a clear compliance programme that supports long-term resilience and regulatory adherence.


Compliance will be ensured by the entity’s competent authority

Compliance is overseen by the entity’s competent authority. The European Supervisory Authorities (ESAs) - including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) - have developed technical standards applicable across financial services, from banking and insurance to asset management. National competent authorities are responsible for compliance oversight and enforcement to ensure adherence to DORA requirements.


EU Member States will have the right to impose penalties for breach of obligations

Significant penalties can also be imposed by the Lead Overseer for non-compliance. These take the form of a periodic penalty payment of 1% of the organisation's average daily global turnover in the preceding business year, applied by the Lead Overseer on a daily basis until compliance is achieved, for a period of no more than six months.


Requirements of DORA

DORA consists of 58 articles and is structured around five key pillars:
  • ICT risk management requirements (Articles 5 to 16)
  • ICT-related incident management, classification and reporting (Articles 17 to 23)
  • Digital operational resilience testing (Articles 24 to 27)
  • Managing ICT third-party risk (Articles 28 to 44)
  • Information-sharing arrangements (Article 45)

Figure: DORA five pillars

Want to know more?

Key Experts

Get in touch with our DORA Compliance experts

Ivan Spiteri, Director of Technology Advisory & Assurance