Financial Services & Fintech

DORA: Register of Information submission deadline approaching

20 Mar 2025 | 2 min read
Financial Services & Fintech

DORA: Register of Information submission deadline approaching

20 Mar 2025

2 min read

Under the Digital Operational Resilience Act (“DORA”) certain financial entities (“FEs”) must establish and maintain an updated Register of Information (“RoI”) documenting all contractual relationships which FEs have with ICT Third-Party Service Providers (“ICT TPPs”). This standardized register captures the scope, nature, duration, and risks of each ICT service, enabling FEs to monitor dependencies on ICT TPPs and assess potential impacts to the FE’s operations in the case of issues attributable to the ICT TPP, such as service outages, data breaches, delayed processing, or compliance failures. In so doing, the FE will be required to work towards rendering its operational resilience more robust and ensuring business continuity even in the light of such issues

The RoI must be maintained as follows:

  • At entity level: If the FE is a standalone entity, it must update and maintain its own RoI.
  • At consolidated level: For FEs which are part of a group of FEs of which the parent undertaking is an EU parent undertaking, the RoI must be kept by the parent undertaking of the group of FEs and must contain information on all the FEs within the group.
  • At sub-consolidated level: if the FE is part of a group of FEs the parent of which is an undertaking outside the EU, then the RoI must also be maintained and updated by the FE.

The Malta Financial Services Authority (“MFSA”) has specified that all FEs licensed on or before 31 March 2025 must submit their RoI between 1 April and 8 April 2025 (both dates inclusive). Entities authorised after 31 March 2025 are exempt from the 2025 filing but are still required to maintain their RoI and produce it upon request. Failure to comply may translate into regulatory actions, including administrative fines, enforcement measures, or reputational consequences. Specifically, the MFSA may publish any decision to impose an administrative penalty or measure on its website, including the nature of the breach, the identity of the responsible parties, and the administrative penalty or measure imposed. Exceptions to this disclosure requirement depend on the circumstances.

All FEs were to develop their own RoI. To do so, FEs must abide by Commission Implementing Regulation (EU) 2024/2956, which sets out the instructions for completing the RoI.  Furthermore, the MFSA has published a User Guide explaining how to submit the RoI through its License Holder Portal within the deadline stipulated above.

Share
Recent Insights
Newsletters
GVZH Newsletter Q1 March 2025
Read More
Articles
Corporate and Mergers & Acquisitions (M&A)
Should Directors or Shareholders be Responsible for Representations & Warranties in a Share Purchase Agreement?
Read More
Articles
Financial Services & Fintech
Stablecoins Unstable in Europe
Read More
Articles
Whistleblowing
Domestic Whistleblower Protection laws: Ensuring Compliance and Building Ethical Cultures
Read More
Articles
Intellectual Property
Cross-Border Litigation in the EU: Simplifying Dispute Resolution for Businesses
Read More
News
Employment and Industrial Relations Law
Extension of Urgent Family Leave under Maltese Law
Read More
Articles
iGaming Law
Maltese Courts Dismiss Austrian Gambling Loss Reimbursement Claims
Read More
Publications
Technology, Media & Telecommunications (TMT)
Chambers Global Practice Guides – TMT 2025
Read More