DORA Compliance for Malta iGaming Operators: What You Need to Implement Now

DORA came into force on 17 January 2025. Malta's iGaming operators — who process payments, serve EU players, and rely on extensive third-party ICT infrastructure — are squarely within its scope. Unlike many EU regulations that take years to enforce, DORA's competent authorities were fully operational from day one. Here's what you need to have in place right now.

DORA entered application on 17 January 2025. Enforcement is active.

Your DORA Compliance Checklist for Malta Operators

  • ☐ ICT risk management framework documented and board-approved
  • ☐ ICT risk appetite defined and communicated
  • ☐ Critical ICT third-party providers identified and listed
  • ☐ Contractual DORA requirements included in all critical vendor contracts
  • ☐ Concentration risk assessment completed (e.g., too many critical functions with one provider)
  • ☐ Incident classification and reporting procedures documented
  • ☐ Digital resilience testing programme established (annual minimum)
  • ☐ Threat-led penetration testing (TLPT) plan for significant operators
  • ☐ Information sharing arrangements assessed
  • ☐ Exit strategies documented for critical ICT providers

The Vendor Contract Problem

DORA requires specific contractual provisions in agreements with critical ICT providers. Most existing contracts don't include them. This means you'll need to renegotiate key vendor contracts — your PAM provider, CRM, payment processor — to include: minimum security standards, right to audit, incident notification requirements (within hours, not days), DORA-compliant sub-contracting provisions, and exit/data return rights. This is not a quick process — start now.

How Panorays Automates DORA Third-Party Compliance

The most operationally complex DORA requirement is ongoing third-party ICT risk management. Panorays was built specifically for this: it continuously monitors your vendor ecosystem, provides the evidence of ongoing oversight DORA requires, and alerts you to changes in vendor security posture before they become your problem.

Frequently Asked Questions

Is DORA enforced separately from MGA requirements?

Yes. DORA is EU legislation enforced by competent authorities in each member state. In Malta, the MFSA and potentially the MGA itself act as supervisory authorities. Non-compliance can result in penalties under DORA independently of any MGA action.

Which iGaming vendors count as "critical ICT third-party providers" under DORA?

Vendors whose failure would materially impact your operations: PAM provider, primary CRM, payment processor, primary KYC provider, main game aggregator. These require the full suite of DORA contractual obligations and ongoing monitoring.

Does DORA require us to test our ICT systems?

Yes. All in-scope entities must conduct annual digital operational resilience testing. Significant entities must conduct Threat-Led Penetration Testing (TLPT) every three years at minimum.

Get a DORA readiness assessment for your Malta operation

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
