NIS2 in Malta
A guide to NIS2 implementation and compliance in Malta.
Malta is strengthening its national cybersecurity framework to align with the enhanced obligations introduced under the NIS2 Directive. The revised regime expands sector coverage, formalizes executive accountability, and reinforces supervisory and enforcement mechanisms. This guide provides a structured overview of the NIS2 compliance requirements in Malta for SMEs operating in covered sectors.
1. Quick SME Applicability Snapshot in Malta
Does NIS2 apply to SMEs in Malta?
Yes — depending on sector and size.
- Automatic applicability to medium-sized and larger entities operating in covered sectors. An entity is medium-sized once it exceeds the small-enterprise ceiling: at least 50 employees, or an annual turnover and an annual balance sheet total each exceeding €10 million (the Directive uses the SME definitions of Commission Recommendation 2003/361/EC).
- Small or micro entities are included only if formally designated by the authorities, or if they fall within one of the Directive's size-independent categories (for example DNS service providers, TLD name registries, trust service providers, and sole providers of a service that is essential for critical societal or economic activities).
- Applies to entities established in Malta and, in certain cases, foreign digital providers serving the Maltese market.
SMEs should assess qualification under Malta's national cybersecurity framework based on sector classification and statutory thresholds.
2. Overview of NIS2 Implementation in Malta
Malta has transposed the NIS2 Directive through Legal Notice 71 of 2025 (S.L. 460.41 — NIS2 Order), published 8 April 2025 and brought fully into force on 23 January 2026 via L.N. 22 of 2026.
The NIS2 Order replaces the previous NIS1 framework (L.N. 216 of 2018) in its entirety and establishes a split supervisory model: the Critical Infrastructure Protection Department (CIPD) acts as primary national supervisor, while the Malta Communications Authority (MCA) is designated competent authority for digital infrastructure and postal/courier services. The Critical Infrastructure Protection Advisory Board (CIPAB) advises the CIPD on administrative penalties.
A national CSIRT (CSIRT Malta) has been established within the CIPD to coordinate incident response. In-scope entities are required to designate an internal or autonomous CSIRT and to register with the CIPD via the national self-registration mechanism.
3. Scope of Application in Malta
Essential Entities
Entities operating in highly critical sectors:
Important Entities
Entities operating in other listed sectors:
Malta's scope follows the Directive's sector annexes; no expansion beyond the Directive's minimum sector list has been confirmed.
4. Size Thresholds and SME Applicability in Malta
The baseline thresholds of the Directive apply. An entity in a covered sector is automatically within scope once it is no longer a small enterprise, that is, if it meets either of the following:
- ≥50 employees, or
- annual turnover and annual balance sheet total each exceeding €10 million.
Headcount alone is sufficient; the financial test only matters for entities with fewer than 50 employees. Note that the size test is applied to the entity as a whole, so partner and linked enterprises are counted according to the SME Recommendation.
Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.
Maltese authorities retain formal designation powers where systemic risk justifies inclusion.
5. Entity Classification Framework in Malta
Entities are categorized as:
- Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
- Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.
Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.
Malta follows the Directive's two-tier supervisory structure.
6. Cybersecurity Risk Management Requirements in Malta
Malta's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:
- Risk analysis and system protection
- Incident detection and response
- Business continuity and crisis management
- Supply chain security, including the security of relationships with direct suppliers and service providers
- Secure acquisition, development and maintenance of ICT systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the measures
- Basic cyber hygiene practices and staff cybersecurity training
- Encryption and cryptographic safeguards
- Human resources security, access control and asset management
- Multi-factor or continuous authentication and secured communications where appropriate
Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Maltese cybersecurity guidance is encouraged.
Supply chain oversight includes vendor due diligence and contractual cybersecurity safeguards.
7. Management Liability and Governance in Malta
Management bodies must formally approve cybersecurity risk management measures and oversee implementation.
Under Malta's framework:
- Boards are accountable for compliance oversight.
- Senior management must ensure sufficient cybersecurity competence.
- Administrative sanctions may address governance failures.
- For essential entities, authorities may request the temporary prohibition of managerial functions at CEO or legal-representative level until the breach is remedied, as provided for under the Directive's enforcement mechanisms.
Under Malta's framework, NIS2 elevates cybersecurity governance to an executive-level responsibility rather than a purely technical function.
8. Incident Reporting Obligations in Malta
Definition of a Significant Incident
Under the Directive, an incident is significant if it has caused, or is capable of causing, either of the following:
- Severe operational disruption of the services, or financial loss, for the entity concerned
- Considerable material or non-material damage to other natural or legal persons
Note the "capable of causing" wording: the reporting clock starts on awareness of an incident that could have these effects, not only once the effects have materialized. Cross-border impact is not part of the significance test itself, but it must be described in the notification and determines whether other Member States are informed.
Reporting Timeline
| Reporting Stage | Deadline (from awareness) | Recipient |
|---|---|---|
| Early Warning | 24 hours | CSIRT Malta |
| Incident Notification | 72 hours | CSIRT Malta |
| Final Report | 1 month after the incident notification | CSIRT Malta |
CSIRT Malta (the national CSIRT within the CIPD) receives significant incident notifications and coordinates national response and EU-level interfacing; the CIPD remains the supervisory authority, and the MCA is the competent authority for digital infrastructure and postal/courier services. The early warning need only indicate whether unlawful or malicious acts are suspected and whether cross-border impact is likely; the 72-hour notification updates it with an initial assessment of severity and impact and any indicators of compromise. Entities must also notify the recipients of their services of significant incidents where applicable, and an intermediate status report may be requested by CSIRT Malta at any time.
9. Supervisory Authorities and Enforcement Model in Malta
Primary supervisor: Critical Infrastructure Protection Department (CIPD), covering most sectors. Competent authority for digital infrastructure and postal/courier services: Malta Communications Authority (MCA). Incident response: CSIRT Malta (within the CIPD). The Critical Infrastructure Protection Advisory Board (CIPAB) advises the CIPD on administrative penalties, and the Prime Minister may designate additional sector authorities by order.
Supervisory powers include:
- Requests for documentation and information
- Security audits
- On-site inspections
- Binding compliance instructions
- Participation in EU cybersecurity coordination mechanisms
The enforcement structure aligns with Directive-level cooperation requirements.
10. NIS2 Fines and Sanctions in Malta
Malta applies Directive-aligned administrative penalties.
Essential Entities
Up to €10 million or 2% of total global annual turnover (whichever is higher)
Important Entities
Up to €7 million or 1.4% of total global annual turnover (whichever is higher)
Enforcement in Malta may also include:
- Binding remediation orders with deadlines
- Public identification of non-compliant entities
- Temporary suspension of certifications or authorizations (essential entities)
- Temporary prohibition of managerial functions at CEO or legal-representative level (essential entities)
Criminal liability applies only where explicitly provided under Maltese legislation.
11. NIS2 Supply Chain and Vendor Security in Malta
Entities must manage third-party cybersecurity exposure through:
- Vendor risk assessments
- Contractual security flow-down provisions
- Continuous ICT supplier monitoring
- Concentration risk analysis
- Incident propagation mitigation
Malta's approach aligns with Directive baseline expectations regarding supplier risk management.
12. Registration and Self-Identification Duties in Malta
Entities within scope must:
- Register with the national self-registration mechanism maintained by the CIPD (active since 23 January 2026) and notify the CIPD of essential or important entity classification
- Provide corporate identification details
- Disclose sector classification
- Maintain updated reporting contacts
Self-identification is mandatory: entities must assess their essential or important status by sector and size and register with the CIPD. All NIS2 obligations have been operative since 23 January 2026. Registered entities must also designate an internal or autonomous CSIRT for ongoing monitoring, maintain documented business continuity arrangements, and implement operator security plans.
13. Interaction With GDPR and Other Laws in Malta
The General Data Protection Regulation continues to apply concurrently.
Overlap considerations include:
- 72-hour personal data breach notification to the data protection supervisory authority under Article 33 GDPR, which runs in parallel with the NIS2 24-hour early warning and 72-hour incident notification
- Supervisory authority coordination
- Parallel cybersecurity and data protection investigations
- Sector-specific Maltese cybersecurity legislation
A cyber incident may trigger reporting obligations under both regimes.
14. Cross-Border Applicability
Entities with their main establishment in Malta are supervised by Maltese authorities for cross-border services.
Foreign digital providers offering services in Malta may be subject to national obligations depending on establishment structure.
Representation requirements follow Directive standards for non-EU providers serving the Maltese market.
15. Implementation Timeline in Malta
- Directive adoption: 2022
- National legislative amendments: Legal Notice 71 of 2025 (S.L. 460.41 — NIS2 Order) published 8 April 2025; L.N. 306 of 2024 establishing the CIPD
- Entry into force: Fully in force 23 January 2026 via L.N. 22 of 2026
- Commission notification: Initial 17 October 2024 deadline missed; resolved upon full commencement
- Compliance milestone: All obligations operative since 23 January 2026; self-registration and CSIRT designation required; first formal audits expected H2 2027
The NIS2 Order is fully in force since 23 January 2026 and all obligations are operative. Entities not yet registered with the CIPD or that have not yet designated a CSIRT should act immediately.
16. Key Takeaways for SMEs in Malta
- Medium-sized entities in covered sectors are automatically within scope.
- Small entities may be designated if critical to national or economic stability.
- Board-level governance oversight is mandatory; management bodies must approve and oversee cybersecurity risk-management measures and undertake cybersecurity training as needed; personal liability may apply for compliance failures.
- Incident reporting follows 24h / 72h / 1 month deadlines, submitted to CSIRT Malta; for digital infrastructure and postal/courier entities the MCA is the competent supervisory authority.
- Financial penalties can reach €10 million or 2% of global turnover.
- Vendor risk management is required.
- All NIS2 obligations are operative since 23 January 2026; entities must self-register with the CIPD and designate an internal/autonomous CSIRT. First formal audits are expected in H2 2027; entities not yet compliant should act immediately.
FAQ: NIS2 Malta SME Guide
Does NIS2 apply to small companies in Malta?
Small and micro companies are generally excluded unless they are formally designated by the authorities or fall within one of the Directive's size-independent categories (such as DNS service providers, TLD name registries and trust service providers). Medium-sized and larger entities in covered sectors are automatically covered.
What are the NIS2 fines in Malta?
Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.
When does NIS2 take effect in Malta?
Malta's NIS2 framework is fully operative. Legal Notice 71 of 2025 (S.L. 460.41) was published on 8 April 2025 and was brought fully into force on 23 January 2026 via L.N. 22 of 2026. Obligations include self-registration with the CIPD, designation of an internal or autonomous CSIRT, implementation of risk management measures, and incident reporting to CSIRT Malta. The first formal audits are expected in H2 2027.
Who enforces NIS2 in Malta?
The Critical Infrastructure Protection Department (CIPD) is the primary national supervisor responsible for compliance, audits, and penalties for most sectors. The Malta Communications Authority (MCA) is the competent authority for digital infrastructure and postal/courier services. CSIRT Malta, established within the CIPD, coordinates incident response and receives significant incident notifications. The Critical Infrastructure Protection Advisory Board (CIPAB) advises the CIPD on administrative penalties.
Can directors be personally liable under NIS2 in Malta?
Management bodies must approve and oversee cybersecurity measures and can be held accountable for infringements. For essential entities, administrative enforcement tools include a request to temporarily prohibit the CEO or legal representative from exercising managerial functions in serious, unremedied cases. Criminal liability applies only where Maltese legislation explicitly provides for it.
How does NIS2 differ from GDPR in Malta?
NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.
What qualifies as a significant incident under NIS2 in Malta?
An incident that has caused, or is capable of causing, severe operational disruption or financial loss for the entity, or considerable material or non-material damage to other persons, meets the reporting threshold. Cross-border impact must be flagged in the notification but is not itself the test for significance.