When I first read about the European Union tightening its cybersecurity rules through the Network and Information Security 2 (NIS2) Directive, I couldn’t help but wonder how each member state would tackle this formidable challenge. Malta, with its dynamic financial and ICT sectors, presents a particularly fascinating case. As of April 2025, Malta’s implementation strategy is crystallizing, offering a blueprint that is both rigorous and deeply tailored to its national landscape. Without further ado, let me walk you through the key elements of NIS2 implementation in Malta, unpacking what organisations need to know and prepare for.
Key take-aways: where Malta stands now
Malta has taken a decisive step forward by issuing the “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, 2025,” formally documented as Legal Notice 71 of 8 March 2025. Colloquially known as the “NIS2 Order,” this regulation repeals the earlier 2018 NIS-1 regulations and adapts the full spirit of the European Union’s updated cybersecurity framework.
Before diving deeper, it helps to frame Malta’s current NIS2 progress with the following overview:
Overview of Malta’s NIS2 implementation
| Theme | Details |
| --- | --- |
| Transposition Law | Legal Notice 71 of 8 March 2025 (“NIS2 Order”), revoking 2018 regulations |
| Timeline | Draft order consultation (Sept–Oct 2024), final order published 8 March 2025, enforced 24 March 2025 |
| Scope | All 18 sectors from NIS2 plus research organisations |
| Entity Classes | Essential (≥250 FTE / €50M) and Important (≥50 FTE / €10M) |
| Maximum Fines | Essential: €10M / 2% global turnover; Important: €7M / 1.4% |
| Reporting | 24h early warning, 72h detailed report, 30-day final report to CSIRT-Malta |
| Supervisory Bodies | Critical Infrastructure Protection Department (CIPD), CSIRT-Malta, sector regulators |
| Public Sector | Ministries/municipalities >50k inhabitants subject only to corrective measures |
The official text and timelines can be accessed through Malta’s CIP portal and the GTG Legal analysis.
Relevant deadlines and timelines
Understanding Malta’s NIS2 implementation requires a clear picture of the milestones that entities must adhere to. The law is designed with a progressive compliance journey in mind, providing organisations with time to adapt while setting firm deadlines to ensure momentum.
Key dates for Malta’s NIS2 implementation
| Date | Milestone |
| --- | --- |
| 6 Sep 2024 | Consultation draft published |
| 7 Oct 2024 | Public consultation closed |
| 8 Mar 2025 | Legal Notice 71/2025 officially published |
| 24 Mar 2025 | NIS2 Order enters into force |
| Jun 2025 | CIPD self-registration portal opens |
| Sept 2025 | Self-registration deadline (3 months after portal opens) |
| Mar 2026 | Deadline for compliance with organisational controls |
| Mar 2027 | Deadline for technical controls compliance |
| H2 2027 | First CIPD-led audit cycle begins |
Entities operating in critical sectors must be particularly vigilant about these dates to ensure they remain compliant and avoid punitive actions.
How Malta is implementing the NIS2 directive
Malta’s adaptation of the NIS2 directive is both comprehensive and practical. By formally integrating the directive into national law, Malta ensures a direct, clear framework for compliance. Importantly, the country has also introduced national “twists” to better align with its specific administrative and sectoral needs.
The NIS2 Order spans several key parts:
Structure of Malta’s NIS2 Order
| Part | Key Elements |
| --- | --- |
| I–II | Citation, scope, and detailed sector definitions |
| III | Risk management duties aligning with ISO 27001 standards |
| IV | Incident notification protocols via CSIRT-Malta |
| V | Jurisdiction and self-registration obligations |
| VI–VII | Supervisory and enforcement powers granted to CIPD and regulators |
| VIII | Sanctions and escalation mechanisms |
One notable innovation is the formalisation of Co-ordinated Vulnerability Disclosure (CVD), with CSIRT-Malta acting as a trusted intermediary.
Sanctions and management liability
The stakes for non-compliance under Malta’s NIS2 Order are steep. Financial penalties are significant, and management accountability is now codified in law. Rather than relying solely on fines, Malta’s model emphasizes progressive enforcement, culminating in potentially severe consequences for repeated or systemic negligence.
Sanctions structure in Malta’s NIS2 Order
| Entity Type | Maximum Fine | Other Penalties |
| --- | --- | --- |
| Essential Entities | €10M / 2% global turnover | Suspension of licences, director disqualification (up to 3 years) |
| Important Entities | €7M / 1.4% global turnover | Daily €100 penalty for persistent breaches |
| Public Bodies | Corrective orders only | No monetary fines |
Management boards must formally approve cybersecurity programs and can face bans from holding directorial roles if negligence is proven. This places cyber resilience firmly on the boardroom agenda.
Impact on industries
The Malta NIS2 directive brings significant changes across a wide range of sectors. Industries that previously operated outside NIS-1’s narrow scope are now subject to stringent cybersecurity requirements.
Sectoral impact of NIS2 in Malta
| Sector | New Requirements |
| --- | --- |
| Manufacturing | New regulation for companies ≥50 FTE; OT/IT segmentation, supplier audits, annual red-team tests |
| Energy & Utilities | Expanded to include LNG and hydrogen; quarterly board KPIs and continuous monitoring |
| Healthcare | Governance expanded to >60 providers; ISO 27001 compliance and 24h incident reporting |
| Digital Infrastructure | Obligations apply regardless of size; 24×7 Security Operations Center (SOC) in the EU |
| Finance | Alignment with DORA; dual reporting to CSIRT-Malta and MFSA |
| Public Administration | Ministries and councils over 50k inhabitants must comply, though monetary fines do not apply |
More information on sector-specific impacts can be found in the Malta CIP portal’s detailed sector guidance.
What companies should know and do next
For businesses navigating the complexities of Malta NIS2 implementation, proactivity is key. Companies should begin by verifying their classification as either essential or important based on employee headcount and turnover thresholds.
Preparation steps include:
- Registering via the CIPD portal within three months of the enforcement date
- Conducting a gap analysis against the risk management controls outlined in the directive
- Establishing incident reporting procedures that synchronize with General Data Protection Regulation (GDPR) requirements
- Scheduling executive-level briefings to secure board-level approval for cybersecurity strategies
Helpful resources like GTG Legal’s guide offer in-depth operational insights.
Are you ready to meet Malta’s NIS2 challenge?
Malta’s approach to implementing the NIS2 directive underscores a national commitment to building a resilient digital economy. Organisations that act now to align with the “NIS2 Order” will not only achieve compliance but position themselves as trustworthy partners in an increasingly interconnected marketplace.
For those operating in critical sectors or across multiple jurisdictions, this is more than a regulatory exercise—it is a competitive differentiator. With the enforcement clock ticking, the time for action is very much now.