Understanding Changes in the NIS 2 Directive and its Transposition into Maltese Law

Author: Nicholas Scerri

The NIS 2 Directive, marks yet another important step ahead in policy on cybersecurity from the European Union. Building from the NIS Directive, the NIS 2 Directive creates a high common level of cybersecurity across the European Union Member States in response to more sophisticated and frequent cyber threats. The NIS 2 Directive extends the scope of its regulations further, expands the security and incident reporting requirement, and brings in more stringent enforcement measures with a view to achieving better cybersecurity practices from essential entities. The NIS 2 Directive is being transposed into Maltese law in its consultation document, titled “Measures for A High Common Level of Cybersecurity Across The European Union Malta Order 2024” the Maltese Government is proposing some particular national adaptations (which are discussed further below in this paper).

Key Changes Introduced by NIS 2 Directive

The scope of NIS 2 Directive has been broadened to include more industries and a wider range of entities. Compared to the original NIS Directive, which focused on critical sectors like energy, transport, banking, and health, NIS 2 extends its scope to cover additional industries such as waste management, the manufacturing of critical products, space, public administration, and digital infrastructure providers of services like content delivery networks and social networking platforms. Most notably, NIS 2 applies to both large and medium-sized entities in these sectors, underlining the fact that cybersecurity is foundational throughout a supply chain. The NIS 2 Directive prescribes more far-reaching measures on cybersecurity risk management towards entities than the original NIS Directive. These measures cover key cybersecurity risk management topics such as incident handling, business continuity, supply chain security, vulnerability management, and crisis management policies. Therefore, affected entities will need to implement best industry practices that are appropriate for their particular risk appetite and must consider the overall cost of their operations and service delivery. The NIS 2 Directive also places emphasis on cybersecurity in supply chains where each company will be required to review the cybersecurity practices of its suppliers and service providers.

Stricter Reporting Requirements

The NIS 2 Directive lays down stricter reporting requirements in order to make sure responses to cybersecurity incidents, once they do occur, are swift and coordinated. Indeed, affected entities are now required to inform relevant national Computer Security Incident Response Teams (CSIRTs) about incidents that are considered significant within 24 hours from detection. This should then be followed by a detailed incident notification that is to be provided within 72 hours. This quick reporting requirement serves to increase the level of situational awareness across the EU and to allow for an effective response to such cybersecurity threats that could take on cross-border consequences.

Stronger Enforcement and Penalties

Under NIS 2, there is stronger enforcement with stiffer penalties. In particular, under an effective enforcement framework, EU Member States should establish a strong oversight regime, enabling themselves to impose severe fines on any entity that fails to take appropriate cybersecurity measures or fails to notify the relevant national authorities within the stipulated timeframes. It also provides for accountability on the part of the management bodies of companies in ensuring that such measures on cybersecurity risk management are implemented and periodically reviewed.

Governance and Accountability

Whilst still less prescriptive than the original directive, cybersecurity governance is one of the new key elements of NIS 2. In this respect, entities have to establish proper cybersecurity governance structures, including but not limited to, a specific security liaison officer, so that cybersecurity policies are implemented accordingly. In addition, the management bodies of essential and important entities are to go through mandatory cybersecurity training aimed at equipping them with the relevant skills to conduct their monitoring functions.

Malta’s Transposition of NIS 2

The NIS 2 Directive is being transposed into Maltese national law through the “Measures for A High Common Level of Cybersecurity Across The European Union (Malta) Order, 2024.” It seeks to enact national law comprising the fundamental provisions of NIS 2 such as incident reporting obligations, supply chain security obligations, crisis management frameworks, governance structure requirements for cybersecurity, amongst other key provisions, in addition to special measures of an exceptional nature regarding the specific national situation in Malta.

NIS 2 Directive vs Malta’s Transposition

The NIS 2 Directive lays down the basic framework of cybersecurity for the Union, in which the Directive aims to raise the level of security related to network and information systems across different sectors. The main divergences between the NIS 2 Directive and the Maltese draft transposition law, relates, inter alia, to specific adaptations to consider better the peculiarities of the economic and geographical situation of Malta. While the general essence of the NIS 2 Directive indeed refers to essential entities in the energy, transport, and health sectors, amongst many others, the draft Maltese Act focuses on critical local industries relevant to the economy, such as iGaming and digital services. The Maltese draft transposition prescribes the deadlines for reporting cases and introduces a national system of self-registration, which would impose obligations on an even broader circle of entities, (also including medium-sized enterprises), to be in a position to declare themselves registered, thus being subject to more strict supervision on its own accord. While both frameworks call for cybersecurity risk management and governance structures, the Maltese draft implementing Act seeks to place particular responsibilities pertaining to crisis management It focuses more on critical infrastructure protection, which are as a result of Government’s concerns about economic stability and public safety. This underscores Malta’s is commitment not only to adherence to standards at an EU level but also to the solution of its particular challenges and priorities in cybersecurity.

Competent Authorities

Malta has designated the Critical Infrastructure Protection Department as the Authority responsible for the implementation and application of the different requirements deriving from NIS 2. This Department will be responsible for supervising the application of measures related to cybersecurity, checking their application, and guiding entities accordingly. The Malta Communications Authority, MCA, has been designated as the competent Authority to supervise digital infrastructure, which consists of public electronic communications networks and services.

Establishment of CSIRT Malta

This is the national Computer Security Incident Response Team (‘CSIRT’) established within the Critical Infrastructure Protection Department in Malta tasked with improving incident response. It shall be responsible for activities related to monitoring, managing, and responding to cybersecurity incidents affecting Essential and Important Entities. CSIRT Malta also acts as an incident reporting coordinator and a liaison in cooperation with other CSIRTs in the EU. CSIRT Malta will further be providing early warnings, alerts, and guidance to the affected entities with a view to contributing to mitigating and recovering from the cybersecurity incident.

Focus on Critical Infrastructure Protection

The Maltese transposition places a strong emphasis on the protection of critical infrastructure, especially those sectors that depend on the vital functions of society, economic stability, and public safety. The Draft Act requires operators of critical infrastructures to elaborate and maintain detailed security and business continuity planning, regularly conduct risk assessments, and involve themselves in the use of simulation for testing their response.

Malta is proposing to establish a national cyber crisis management framework that will guide and support the management of large-scale cybersecurity incidents or crises. The Maltese Framework also determines the roles and responsibilities of the different national authorities and stakeholders concerned, establishes the procedure on how it manages the crisis and ensures integration within broader national crisis management structures. In this respect, the draft framework will, if implemented, contribute to enhancing Malta’s preparedness to respond more effectively in major cyber incidents, especially those with a cross-border element.

Key Obligations for Maltese Entities

The Maltese Implementing Act sets out several key requirements in the Cybersecurity framework that entities in Malta are expected to follow to enhance their cybersecurity preparedness. Essential and important entities must register through the national self-registration mechanism established by the Critical Infrastructure Protection Department, covering essential sectors like energy, transport, health, and digital services, including DNS and cloud computing providers. Entities will also be subject to strict incident notification obligations, whereby they will have to notify the relevant national Computer Security Incident Response Team of critical cybersecurity incidents within 24 hours from when an incident was detected and submit a detailed report within 72 hours. Thorough cybersecurity risk management practices will also be mandatory for all essential and important entities, given that respective incident-handling processes, business continuity planning, and assessments of suppliers and service providers’ cybersecurity practices will be required. Furthermore, organizations should establish appropriate governance arrangements by designating a security liaison officer and ensuring management bodies receive compulsory cybersecurity training. Most of the focus of the draft Act is on the security of critical infrastructures, which it does by laying requirements on operators to create particular security plans that are updated regularly on risks and engage in simulation exercises. The Maltese draft law also establishes a national cyber crisis management framework necessary for orchestrating large-scale incident responses, while sectoral rules set further security measures relevant to, inter alia, public administration, and financial services. Finally, the draft Act encourages coordinated vulnerability disclosure through CSIRT Malta, making submissions of the identification and mitigation of security weaknesses easier.

Sector-specific rules and provisions

The draft Act outlines specific provisions that are relative to sectors such as public administration, financial services, and digital service providers. Examples include how entities in public administration that are in charge of providing critical public services should have additional security measures. Similarly, the implementing Act takes into consideration sector-specific challenges posed to digital service providers and sets out tailored obligations with a view to further ensure their resilience against adverse cyber threats.

Registration of Key Entities and Oversight

Malta’s adoption will require critical entities, including those providing essential digital services to register with a national self-registration mechanism that will be set up by the Critical Infrastructure Protection Department. This includes essential entities across sectors such as energy, transport, health, water supply, banking, waste management, digital infrastructure, public administration, and the manufacturing of critical products. Additionally, digital service providers such as Domain Name System (DNS) service providers, cloud computing services, content delivery networks, online marketplaces, online search engines, and social networking services platforms will also be required to register. In this way, such a register will contribute to oversight in ensuring that entities comply with their cybersecurity obligations. It shall also be a requirement that entities periodically update their registration details as a means of ensuring accurate records reflecting their overall cybersecurity readiness and effectiveness in managing potential risks.

Emphasis on Coordinated Vulnerability Disclosure

Malta promotes open dialogue and specifically communication regarding vulnerability disclosures by leveraging CSIRT Malta as a trusted intermediary between entities and researchers. Malta aims to facilitate effective communication and collaboration when addressing identified liabilities through the CSIRT Malta. This should serve as an important process in the identification and mitigation of security weaknesses before they can be exploited, thus giving an enhanced general security of network and information systems in Malta.

Conclusion

The NIS 2 Directive is a sea change in EU cybersecurity policy, extending more stringent requirements to a wider variety of sectors and placing increased emphasis on coordinated incident response and governance. Malta’s recent work in its proposed transposition of the NIS 2 Directive underlines the country’s commitment not only to reinforcing national cybersecurity resilience but also to address specific local concerns such as Malta’s heavy economic reliance on critical sectors like iGaming and financial services, where cybersecurity breaches could significantly impact economic stability and public trust. Furthermore, local entities may encounter challenges in achieving compliance with the directive’s stringent requirements, particularly smaller organisations that may lack the necessary resources and expertise to effectively implement robust cybersecurity measures.

These new obligations and compliance issues can be quite a task to navigate, given the wide sweep and acropolis-like demands of these obligations. We at GVZH Advocates understand the regulatory implications very well and are here to guide your business toward compliance. For more information or any other advice on NIS 2 compliance in Malta, please get in touch with us. Our expert team is ready to help you through the process and ensure that your operations remain secure and compliant.