Skip to main content
Category

DORA

The EU AI Act
European Commission Proposes Updated EU Cybersecurity Act (The Cybersecurity Act 2) DORAGDPRTelecoms, Media & Technology

European Commission Proposes Updated EU Cybersecurity Act (The Cybersecurity Act 2)

On 20 January 2026, the Proposal for a Regulation for the EU Cybersecurity Act (‘The Cybersecurity Act 2’) was published by the European Commission to update and replace Regulation (EU) 2019/881 (the “2019 Cybersecurity Act”). The Proposal was introduced in response to major changes in cybersecurity threats as well as the weaknesses identified in the 2019 Cybersecurity Act. Since the adoption of the 2019 Cybersecurity Act, cyberattacks have become more frequent and sophisticated, increasingly targeting critical infrastructures, essential services and digital supply chains. At the same time, growing geopolitical tensions and the EU’s reliance on technologies from third countries have…
Mamo TCV Advocates
30th January 2026
NIS 2 and Critical Entities Resilience Framework Enter into Force in Malta DORAGDPRTelecoms, Media & Technology

NIS 2 and Critical Entities Resilience Framework Enter into Force in Malta

Two long-awaited Legal Notices published on Friday, 23rd January 2026 have brought into force key elements of Malta’s cybersecurity and resilience framework, implementing two recent EU legislative developments. Entry Into Force of the NIS 2 Directive Legal Notice 22 of 2026 brought Subsidiary Legislation 460.41, the Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, into force on Friday, 23rd January 2026. This Subsidiary Legislation transposes the EU Network and Information Systems Directive II (more commonly known as ‘NIS 2’) into Maltese law and is brought into force as already previously published without substantial substantive…
Mamo TCV Advocates
26th January 2026
DORA reporting timelines
DORA: Register of Information Reporting Timelines for 2026 and Beyond DORATelecoms, Media & Technology

DORA: Register of Information Reporting Timelines for 2026 and Beyond

On 3rd November 2025, the MFSA published a circular on the reporting timelines for submissions of the Register of Information (‘ROI’) pursuant to Article 28(3) of  Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector (‘DORA’). The circular outlines the reporting period for submitting the ROI from 2026 onwards, which falls between 1 January and 21 March of every reporting year. Financial entities falling within the scope of DORA must submit to the MFSA the updated ROI, containing all information regarding the contractual arrangements in place with ICT third-party service providers, annually and within the specified reporting period.…
Mamo TCV Advocates
3rd November 2025
Penetration Testing
Threat-Led Penetration Testing Regulatory Technical Standards under DORA Take Effect DORATelecoms, Media & Technology

Threat-Led Penetration Testing Regulatory Technical Standards under DORA Take Effect

As of today, 8 July 2025, the Regulatory Technical Standards (RTS) on Threat-Led Penetration Testing (TLPT) are now effective, including in Malta, following their publication in the Official Journal on 18 June 2025. These RTS supplement Article 26 of the Digital Operational Resilience Act (‘DORA’) and lay down a framework for the execution of TLPT. The RTS specify the criteria used for identifying the financial entities which are required to perform threat-led penetration tests and lay down organisational arrangements for financial entities. The RTS also include provisions on risk management and specify criteria for engaging TLPT providers. Moreover, the RTS…
Mamo TCV Advocates
8th July 2025
Traffic warning
DORA ICT Subcontracting RTS Published DORAIntellectual PropertyTelecoms, Media & Technology

DORA ICT Subcontracting RTS Published

Following the European Commission’s earlier rejection, the Regulatory Technical Standards (RTS) on ICT Subcontracting have been published in the EU Official Journal on 2 July 2025. The RTS will enter into force 20 days after publication, which means that they will come into effect on 22 July 2025. Financial entities and ICT providers must ensure to update their contractual arrangements to fulfil the conditions set out in the RTS to ensure compliance by 22 July 2025. To receive updates on this important development and related news please visit our website and consider subscribing to our newsletter. This document does not purport…
Mamo TCV Advocates
3rd July 2025
monochrome-photo-of-shapes-square-and-triangle
ICT Aspects of a MiCA Application DORAFinTech

ICT Aspects of a MiCA Application

On the 17th of June 2025, the Malta Financial Services Authority (“MFSA”) published a circular titled ‘Follow-Up Circular to the Industry on the Authorisation Process for MiCA Applicants’. The circular concerns the authorisation process for crypto-asset service providers (CASPs) under Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA), as integrated in Maltese law through Chapter 647.  This circular supplements the Authority’s communication of the 10th December 2024 which was explained in a previous legal update. The June 2025 circular introduces two additional annexes that are now required as part of a complete MiCA application file. These are Annex AX05 (Digital…
Mamo TCV Advocates
20th June 2025