MFSA Circular: Updates to the Rulebooks in relation to Outsourcing and MiCA-Related Rules

The Malta Financial Services Authority (MFSA) issued a circular  dated 9 March 2026 informing industry about amendments to various Investment Services Rulebooks in order to:

1. implement guidelines issued by the European Securities and Markets Authority (ESMA) as updated after the publication of the Digital Operational Resilience Act (Regulation (EU) 2022/2554, hereinafter DORA);
2. streamline the MFSA’s approach to the guidelines related to the Markets in Crypto Assets Regulation (MiCA) by replacing references to individual guidelines with a single overarching compliance requirement.

The Circular lists the following rulebooks necessitated amendments:

• Investment Services Rules for Investment Services Providers Part A: The Application Process
• Investment Services Rules for Investment Services Providers; Part BI: Investment Services License Holders which Qualify as MiFID Firms.
• Investment Services Rules for Investment Services Providers; Part BII: Standard Licence Conditions applicable to Investment Services Licence Holders which qualify as UCITS Management Companies.
• Investment Services Rules for Investment Services Providers; Part BIII: Standard License Conditions applicable to investment services license holders which qualify as Alternative Investment Fund Managers.
• Investment Services Rules for Investment Services Providers; Part BIV: Standard License Conditions applicable to investment services license holders which qualify as Depositaries.
• Investment Services Rules for Alternative Investment Funds; Part B Standard Licence Conditions applicable to Alternative Investment Funds.
• Investment Services Rules for Collective Investment Schemes; Part B Standard Licence Conditions: Part BII: Malta Based UCITS Collective Investment Schemes. Investment Services Rules for Retail Collective Investment Schemes Part B: Standard Licence Conditions Appendix VIII Supplementary Licence Conditions Applicable to Self-Managed Schemes

Investment Services Rules for Professional Investor Funds Part B: Standard Licence Conditions Appendix I Supplementary Licence Conditions

The applicability of DORA vs the ESMA Guidelines

DORA became applicable on 17 January 2025. DORA applies to the majority of the entities subject to the ESMA Guidelines, except for some of the depositaries referred to in Articles 21 of Alternative Investment Fund Managers Directive (AIFMD) and Article 23 of Undertakings for Collective Investment in Transferable Securities Directive (UCITSD). In light of the application of DORA, the ESMA Guidelines on Outsourcing to Cloud Service Providers cease to apply to those financial entities subject to DORA. However, the ESMA Guidelines shall apply to entities falling outside the scope of DORA.

Updates to MFSA rulebooks about MiCA related provisions

The existing MiCA-related provisions in the respective MFSA Rulebooks currently refer to specific ESA guidelines. In light of the continuously developing and expanding MiCA framework - including the ongoing publication of Guidelines and Delegated Acts/Regulatory Technical Standards by the European Supervisory Authorities - the proposed amendments aim to replace these specific references with a broader compliance requirement. This requirement would oblige licence holders to adhere to all applicable ESA Guidelines and technical standards, as incorporated into the MFSA’s MiCA Rulebook, taking into account their relevance to the authorised services and activities.

This approach is being applied to Investment Firms, AIFMs, and UCITS Management Companies to ensure regulatory consistency and to avoid the need for continual amendments as the MiCA framework evolves.

If required, do reach out to our team to help you understand these revisions.

How RMC Wise Can Support

RMC Wise supports clients across the investment services, funds, and financial advisory sectors in navigating complex EU regulatory developments. RMC Wise also provides specialized advisory and implementation support for both the Digital Operational Resilience Act and the Markets in Crypto-Assets Regulation, helping financial entities and crypto-asset service providers meet strict EU compliance deadlines.

Our services include:

• Regulatory impact assessments and gap analyses
• Governance and risk framework reviews
• Assistance with MFSA rulebook alignment
• Operational resilience and ICT risk advisory
• Regulatory compliance programme design

As the EU regulatory landscape continues to evolve, proactive regulatory readiness remains essential for maintaining supervisory compliance and operational resilience.