Implementation of NIS2 into Maltese Law
Author: Erika Criscione
On 8 April 2025, the Maltese Government published Legal Notice 71 of 2025, entitled “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, 2025” (Order), which effectively transposes the operational provisions of Directive (EU) 2022/2555 (Directive or NIS2) into national law by means of a subsidiary legislative instrument (S.L. 460.41).
This Legal Notice has not yet been given the force of law. Its provisions will only become enforceable on such date or dates as the Minister responsible for critical infrastructure protection may specify. The Order may be brought into force either in full or in phases; the Government has not yet indicated which approach it intends to adopt.
Scope
The Maltese Order applies to all public or private entities that:
- are of a type listed in the First or Second Schedule of the Order, and
- either qualify as medium-sized enterprises under regulation 2 of the Annex to Commission Recommendation 2003/361/EC, or exceed the thresholds for medium-sized enterprises set out in that regulation.
Regardless of their size, the Order also applies to entities of a type listed in the First or Second Schedule when certain conditions are met, for example where they provide critical digital or communications services, are the sole provider in Malta of a service essential to critical societal or economic functions, are designated as critical entities under Directive (EU) 2022/2557, or provide domain name registration services.
The Order carves out significant exclusions, such as public administration entities involved in national security, defence, law enforcement, or the prevention, detection and prosecution of crimes.
The following list provides a general overview of the categories of entities that are treated as “essential” and “important” for the purposes of the Order:
Essential Entities
- Entities in sectors listed in the First Schedule that exceed medium-sized thresholds;
- Qualified trust service providers, top-level domain registries, Domain Name System (DNS) service providers, regardless of size;
- Providers of public electronic communications networks/services that are medium-sized enterprises;
- Public administration entities of the central government;
- Any other entity from the First or Second Schedule designated as essential due to national criticality (e.g., sole providers, systemic risk, cross-border impact);
- Entities designated as critical entities under the Critical Entities Resilience Order (transposing Directive 2022/2557);
- Entities previously identified as Operators of Essential Services (OES) under the original NIS Directive (EU) 2016/1148;
Important Entities
- Entities listed in the First or Second Schedule that do not qualify as Essential Entities;
- Entities designated by the Critical Infrastructure Protection Department (CIP Department) as important based on national significance but not meeting the Essential criteria.
Competent Authorities and Single Points of Contact
The Order provides for the appointment of a Critical Infrastructure Protection Advisory Board (Advisory Board), whose members shall be appointed by the Minister. The Advisory Board shall issue recommendations and advise the CIP Department on the imposition of administrative penalties on essential and important entities.
The Order designates the CIP Department as the single point of contact and the national supervisory authority responsible for overseeing its implementation at national level. The CIP Department is tasked with ensuring compliance, enforcing the relevant provisions of the Order and supervising the sectors, sub-sectors, and types of entities that fall within the scope of the Order. Additionally, the Prime Minister may designate additional competent authorities for specific sectors.
It is important to emphasise that the Malta Communications Authority is designated as the competent authority in relation to digital infrastructure and postal and courier services.
Computer Security Incident Response Team (CSIRT)
The Order establishes a national CSIRT within the CIP Department. Its tasks include monitoring and analysing cyber threats, vulnerabilities and incidents at national level; providing early warnings, alerts and announcements and disseminating information on cyber threats, vulnerabilities and incidents to relevant entities; collecting and analysing forensic data; and providing dynamic risk and incident analysis.
The Order also defines two specific types of CSIRTs:
- “Internal” CSIRTs, which operate within the structure of an entity and provide CSIRT monitoring services to it; and
- “Autonomous” CSIRTs, defined as outsourced CSIRTs which provide monitoring services to essential or important entities.
National Cybersecurity Strategy
The Order delegates responsibility for the national cybersecurity strategy to the National Cyber Security Steering Committee.
The strategy outlines several key policies aimed at enhancing cybersecurity resilience. These include securing the ICT supply chain, integrating cybersecurity requirements into public procurement, and managing vulnerabilities through coordinated vulnerability disclosure. It also promotes advanced technologies, education, research, information sharing, and support for SMEs to strengthen overall cyber resilience.
The Order also provides for the establishment of a national cyber crisis management framework covering the management and coordination of large-scale cybersecurity incidents and crises in Malta.
Self Registration Mechanism
The CIP Department is required to establish a national self-registration mechanism for:
- essential and important entities providing services in Malta;
- the CSIRTs providing monitoring services within such entities; and
- entities providing domain name registration services in Malta.
The Order provides that the register shall be established by the CIP Department not later than 30 October 2025. However, the Government has yet to announce a date on which the Order itself will come into force.
Essential and important entities providing services in Malta as well as entities providing domain name registration services in Malta shall register on the national self-registration mechanism established by the CIP Department and shall provide specific information as indicated under the Order.
Registry of Entities
The Order provides that certain entities, such as DNS service providers, cloud computing service providers, data centre service providers, and providers of online marketplaces, online search engines and social networking services platforms, must submit specified information, including a detailed list of the computer, network and operational technology resources used by the entity, to the CIP Department by a prescribed date.
The deadline for submission of this information has not yet been specified; we expect it to be issued shortly.
It is also provided that by 17 April 2025, and every two (2) years thereafter, the CIP Department shall notify:
- the European Commission and the Cooperation Group of the number of essential and important entities listed pursuant to regulation 7(2)(i) for each sector and sub-sector in the First or Second Schedule; and
- the European Commission of the number of essential and important entities identified pursuant to sub-regulations (1)(b) to (e), the sector and sub-sector in the First or Second Schedule to which they belong, the type of service they provide, and the provision, from among sub-regulations (1)(b) to (e), under which they were identified.
Supervision
The CIP Department shall effectively supervise and take the measures necessary to ensure compliance with the Order.
In respect of essential entities, the Order specifies that the CIP Department shall ensure that the supervisory or enforcement measures imposed on them are effective, proportionate and dissuasive, taking into account the circumstances of each individual case. The CIP Department's supervisory powers include on-site inspections, audits, security scans, information requests and access to data. Additional powers include requesting evidence of CSIRT monitoring services and of compliance with CSIRT policies.
Malta’s CIP Department has similar ex-post supervisory powers over important entities, triggered by evidence of non-compliance.
Enforcement Mechanisms
Malta’s CIP Department is also vested with enforcement powers, which include issuing warnings and binding instructions; ordering entities to cease infringements, to comply with risk-management and reporting obligations, to inform affected parties, to designate a monitoring officer and to receive CSIRT monitoring services; publicising infringements; and requesting the imposition of administrative penalties by the Civil Court.
Penalties
Malta sets the same maximum administrative penalties as the Directive: for essential entities, fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; for important entities, fines of up to EUR 7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.