The Enforcement Shift: Why Cyber-Negligence in Malta Now Carries Direct Liability
Author: Erika Criscione
For many organisations, cybersecurity has traditionally been viewed as a technical or operational concern delegated to IT teams and external service providers. However, the legal and regulatory environment has evolved significantly. Cybersecurity is no longer merely an issue of system resilience; it is now a matter of corporate governance, regulatory compliance and risk management.
Recent legislative developments at both European and national level have fundamentally altered the liability landscape surrounding cyber-negligence in Malta. Maltese organisations operating within essential and important sectors now face increased regulatory scrutiny, more direct enforcement mechanisms, and heightened expectations regarding cyber-risk management. As a result, failures in cybersecurity governance can expose both organisations and their directors to significant legal and financial consequences.
The Domestic Shift: Legal Notice 89 of 2026
When the NIS2 Directive was first transposed into Maltese law through Legal Notice 71 of 2025 (Subsidiary Legislation 460.41), the enforcement framework retained a degree of procedural restraint. Regulatory intervention was primarily exercised through advisory mechanisms, with more intrusive enforcement measures remaining subject to judicial oversight.
This position has changed significantly following the enactment of Legal Notice 89 of 2026.
The amendments introduce two structural changes to the enforcement framework, both of which have important practical implications that organisations should consider carefully:
The Enforcement Committee
The former Advisory Board has been replaced by a dedicated Enforcement Committee vested with the authority to issue binding decisions and impose administrative penalties directly. This represents a substantial shift toward a more immediate and proactive enforcement model, reducing reliance on court proceedings as a prerequisite to regulatory action.
MITA as the National CSIRT
The Malta Information Technology Agency (MITA) has been formally designated as Malta’s national Computer Security Incident Response Team (CSIRT). Under the revised framework, the Critical Infrastructure Protection (CIP) Department serves as the supervisory authority, while MITA is responsible for incident handling and reporting coordination.
Cybersecurity in an Era of AI-Enabled Threats
These regulatory developments come at a time when the cyber threat landscape is becoming increasingly sophisticated and difficult to predict.
Cybercriminals are now making extensive use of generative artificial intelligence to enhance the scale, speed and credibility of their attacks. AI-powered tools enable threat actors to produce highly convincing phishing emails, business email compromise (BEC) schemes and other forms of social engineering that closely replicate legitimate communications. Unlike traditional phishing campaigns, these attacks can be tailored to the recipient, drawing on publicly available information to produce messages that are contextually relevant, professionally drafted and considerably more difficult to detect.
Against this backdrop, organisations can no longer regard employee awareness training as a sufficient standalone safeguard. While staff training remains an essential component of any cybersecurity programme, regulators increasingly expect organisations to demonstrate that they have implemented a broader set of proportionate technical and organisational measures designed to prevent, detect and respond to contemporary cyber threats.
This expectation is consistent with Malta’s wider cybersecurity policy framework, which recognises cybersecurity as a shared responsibility between public authorities and the private sector. In practice, organisations are expected to adopt a risk-based approach and to maintain security measures that are commensurate with the nature of their operations and the risks they face. As cyber threats continue to evolve, the absence of widely recognised safeguards – such as multi-factor authentication, zero-trust access controls, continuous security monitoring and resilient backup and recovery capabilities – may increasingly be regarded by regulators as indicative of weaknesses in an organisation’s cybersecurity governance and overall risk management framework.
Reframing Cybersecurity as a Board-Level Responsibility
For directors, in-house counsel and compliance professionals, effective cybersecurity governance requires a shift away from passive or checklist-based compliance.
Organisations operating within sectors covered by the NIS2 framework, including transport, logistics, manufacturing, digital infrastructure and other critical services, should establish a defensible governance framework before an incident occurs.
The following measures can help strengthen both operational resilience and legal defensibility:
Strengthen Vendor and Supply-Chain Contracts
Third-party risk management should be treated as a core element of an organisation’s cybersecurity governance framework.
It is critical that supplier agreements include clearly defined cybersecurity obligations, ongoing commitments to maintain compliance with applicable legal and regulatory requirements, robust incident notification provisions requiring the prompt reporting of security events, and appropriate indemnity clauses to allocate responsibility for regulatory and financial consequences arising from a supplier’s failure to meet those obligations.
Document Board Oversight and Risk Governance
Cybersecurity should be treated as a standing board-level risk. Board minutes and governance records should demonstrate that directors have actively considered cyber risks, reviewed security controls, assessed supply-chain vulnerabilities and taken informed decisions regarding risk mitigation. Such documentation may prove critical in demonstrating compliance with directors’ duties and governance obligations.
Conduct Independent Cybersecurity Audits
Legal Notice 89 of 2026 also reinforces the role of the qualified auditor by strengthening the criteria governing appointment, including an express requirement for independence supported by a Declaration of Independence, together with enhanced qualification and experience requirements. These amendments underscore the importance of objective and competent assurance as part of an organisation’s cybersecurity governance framework.
Organisations should therefore consider engaging suitably qualified and independent professionals to undertake periodic cybersecurity assessments, technical audits and penetration testing. Independent assurance can assist in identifying vulnerabilities at an early stage, validating the effectiveness of existing security measures and demonstrating a proactive approach to regulatory compliance. In an increasingly robust supervisory environment, this can materially reduce both operational risk and regulatory exposure.
The Takeaway
The treatment of cybersecurity as a purely technical matter is no longer consistent with Malta’s current regulatory environment. The enhanced enforcement powers introduced by Legal Notice 89 of 2026, combined with the increasing sophistication of AI-enabled cyber threats, have elevated cybersecurity to a core legal, governance and business continuity concern.
For organisations operating within regulated sectors, proactive cybersecurity governance is no longer simply a matter of best practice. It is an essential component of regulatory compliance, corporate resilience and effective risk management.