MFSA Q1 2026 Circulars: Compliance & DORA Rules
Alejandro Martínez ·

MFSA Q1 2026 circulars cover DORA compliance, annual report deficiencies, cyber threats, and TLPT guidance. Key deadlines and rules for financial institutions.
Welcome to our breakdown of the Malta Financial Services Authority (MFSA) circulars from the first quarter of 2026. If you're a financial institution or a professional keeping tabs on EU payment system news, you know DORA is a big deal. These updates cover everything from compliance reporting to cybersecurity. Let's dive into the key takeaways.
### Annual Compliance Reports: The Grace Period Ends
On January 27, 2026, the MFSA dropped a bombshell about the first batch of Annual Compliance Reports (ACRs). They reviewed submissions under Chapters 2 and 3 of the Financial Institutions Rulebook. The findings weren't pretty. Many reports were missing board-approved Compliance Monitoring Plans (CMPs). Some were unsigned. A few had no plans at all.
But it's not just about paperwork. The MFSA spotted deeper issues: missing risk assessments, incomplete testing schedules, and CMPs that focused way too much on anti-money laundering (AML) while ignoring other rules. For 2026, the MFSA is offering a grace period. But here's the catch: future submissions must meet the bar. No more excuses.
### DORA Register of Information: Don't Miss the Deadline
On January 28, 2026, the MFSA reminded everyone about the DORA Register of Information (RoI). You need to submit it via the MFSA's LH Portal. The reference date is December 31, 2025. The reporting window runs from January 1 to March 21, 2026. If you miss it, you could face regulatory action under L.N. 166 of 2024 and the MFSA Act. So mark your calendars.
### Heightened Cyber Threat Advisory: Time to Lock Down
On March 5, 2026, the MFSA issued a warning about an elevated threat environment. They urged all Authorised Persons (APs) to strengthen their cybersecurity. Here's what they want you to do:
- Enforce multi-factor authentication everywhere.
- Patch vulnerabilities as soon as they pop up.
- Centralize your log monitoring.
- Join threat intelligence-sharing networks.
- Test your incident response playbooks regularly.
They also reminded everyone about mandatory reporting timelines for major ICT-related incidents under Commission Delegated Regulation (EU) 2025/301. This isn't optional.
### DORA RoI Data Quality Checks: Accepted Isn't Good Enough
On the same day, March 5, 2026, the MFSA confirmed that the European Supervisory Authorities (ESAs) will run extra data quality checks on RoI submissions in April 2026. Here's the kicker: just because the portal says "Accepted" doesn't mean you're in the clear. If the ESAs flag your submission, you'll need to resubmit by April 30, 2026. So double-check your data.
### TLPT Codes of Conduct: Guidance for Penetration Testing
Finally, on April 23, 2026, the MFSA published guidance on codes of conduct for Threat-Led Penetration Testing (TLPT). They worked with the TIBER-EU Knowledge Centre on this. The guidance helps external testers, threat intelligence providers, and financial entities using internal testers. It's all about structuring compliant and ethically sound codes of conduct. Think of it as a playbook for staying on the right side of DORA.
### Why This Matters for US Professionals
Even if you're based in the United States, these European payments updates matter. DORA sets a global standard for digital operational resilience. If your firm works with EU entities or plans to expand there, you need to know these rules. The MFSA's focus on cybersecurity and compliance is a wake-up call for everyone. Stay ahead by understanding these requirements now.