
Adoption of NIS2 in Malta

The NIS2 Directive has been transposed into Malta’s national law through Legal Notice 71 of 2025

Introduction

The NIS 2 Directive (Directive (EU) 2022/2555), published in the Official Journal of the European Union, has been transposed into Malta’s national law on 8 April 2025 through Legal Notice 71 of 2025 and supersedes the NIS 1 Directive (Directive (EU) 2016/1148). NIS 2 establishes more stringent cybersecurity requirements for organisations in the EU Member States that are considered as “essential” or “important”, depending on whether they fall within the specific sectors covered by NIS 2.


Sectors covered by NIS 2

NIS 2 applies only to organisations within specific sectors that have at least 50 employees and/or an annual turnover of at least EUR 10 million. The in-scope entities are categorised into two groups:

Essential entities: Organisations within the essential sectors outlined in the figure below that have at least 250 employees, an annual turnover exceeding EUR 50 million, and a balance sheet total over EUR 43 million are considered essential entities. Additionally, supervisory authorities have the discretion to designate any other organisation within either the essential or the important sectors as an essential entity, based on its importance at national or regional level.


Important entities: Any organisation within either the essential or the important sectors that does not qualify as an essential entity is considered an important entity.

Supervisory Authorities

The Critical Infrastructure Protection Department (CIPD) has been appointed as the national supervisory authority responsible for overseeing compliance with NIS 2 at national level and enforcing penalties for non-compliance for all sectors. The Malta Communications Authority (MCA) has been designated as the competent authority for the following sectors:

  • Digital infrastructure
  • Postal and courier services

The MCA is thus empowered to exercise the functions, obligations and powers assigned to it under NIS 2. The CIPD serves as the competent authority for the remaining sectors.

Additionally, Malta's Computer Security Incident Response Team (CSIRT) is tasked with coordinating cybersecurity responses, facilitating coordinated vulnerability disclosure, and assisting entities in managing cyber threats, vulnerabilities, and incidents at the national level.

Reporting obligations

Entities are required to adhere to stringent incident reporting obligations: they must provide the CSIRT with an early warning within 24 hours of becoming aware of a significant incident and an incident notification within 72 hours. A final report must be submitted not later than 1 month after the submission of the incident notification.

A significant incident is one which:

  • Has caused or can cause severe operational disruption of the service or financial loss for the entity concerned; or
  • Has affected or can affect other natural or juridical persons by causing considerable material or non-material damage.

Penalties for non-compliance

Failure to comply with the obligations set forth by NIS 2 can result in severe penalties, including the following:

  • Fines up to 10 million EUR or 2% of the total global annual turnover for essential entities;
  • Fines up to 7 million EUR or 1.4% of the total global annual turnover for important entities; and
  • Temporary suspension of services or activities carried out by essential entities.

Governing bodies of essential entities might also face personal liability and temporary bans on managerial duties.

Achieving compliance with NIS 2

Depending on the cyber maturity of your organisation, we recommend the following activities to ensure that your organisation achieves compliance and strengthens its cyber posture:

  • Assess whether your organisation is in scope for NIS 2;
  • Assess current level of compliance with NIS 2 requirements by performing a gap assessment;
  • Secure funding for cybersecurity;
  • Manage the risks related to network and information systems, including development of policies and procedures on risk analysis, incident handling, business continuity, security in network and information systems acquisition, development and maintenance, asset management, cryptography, human resources security, and access control;
  • Provide training and awareness sessions for management and staff;
  • Streamline incident reporting and enhance incident management procedures;
  • Assess the security of your supply chain and establish appropriate third-party risk management procedures; and
  • Develop or enhance your business continuity and disaster recovery plans.

How can Deloitte help?

Deloitte can assist your organisation along your journey towards achieving compliance with NIS 2. Our services include conducting a gap assessment to identify key development areas for NIS 2 and implementing essential cybersecurity measures such as risk management, business continuity planning, third-party risk management and training.
