15 April 2025

Malta Issues Its Transposition Of The NIS2 Directive: A New Cybersecurity Framework Coming Into Force!


On 8 March 2025, Legal Notice 71 of 2025 was issued to transpose the NIS2 Directive (Directive (EU) 2022/2555) into Malta's national law through the Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, 2025 (the "NIS2 Order"). This long-anticipated legal framework replaces the previous NIS1 regime that was still applicable in Malta and introduces stricter cybersecurity obligations, reporting requirements, and enforcement mechanisms for entities deemed to be "essential" or "important".

The NIS2 Order aims to align Malta's cybersecurity strategy with EU-wide resilience objectives and national strategies, while also introducing several important local adaptations.

As discussed in a previous article, the NIS2 Order requires captured entities to establish comprehensive cybersecurity frameworks which, as depicted below, rest mainly on three pillars:

[Image: 1609980a.jpg, the three pillars of the cybersecurity framework required by the NIS2 Order]

The 'CIPD' & 'CSIRT'

As established by virtue of L.N. 306 of 2024, the newly designated Critical Infrastructure Protection Department (the "CIPD") will act as the primary regulatory authority for cybersecurity, overseeing compliance, conducting security audits, and enforcing penalties for non-compliance.

In parallel, Malta's Computer Security Incident Response Team (the "CSIRT") will play a central role in coordinating cybersecurity responses, facilitating coordinated vulnerability disclosure ("CVD") processes and actively supporting captured entities in mitigating cybersecurity risks.

Coordinated Vulnerability Disclosure

A key national adaptation in Malta's implementation of the NIS2 Directive is the formalisation of coordinated vulnerability disclosure.

Article 13 of the NIS2 Order establishes a dedicated framework that encourages natural or legal persons to report potential vulnerabilities in ICT products, processes or services to the relevant entities, the raison d'être being to remediate such vulnerabilities before they are exploited maliciously.

Collaboration is the linchpin of the mechanism, with CSIRT, as the designated national coordinator for such disclosures, fostering collaboration between the reporting party and the affected organisation. In this role, CSIRT acts as a trusted intermediary, facilitating communication and follow-up between researchers, ethical hackers and impacted entities. Among its responsibilities, CSIRT is tasked with identifying and contacting affected entities, assisting reporters, managing multi-party disclosures (where one vulnerability affects several vendors or entities), and maintaining a register of CVD policies.


Importantly, as long as the disclosure complies with the affected entity's CVD policy, the reporter is considered to have acted with lawful authorisation, thereby shielding them from criminal liability under Article 337C of the Criminal Code. The safe harbour is therefore conditional: a researcher who steps outside the scope or terms of the entity's published policy cannot rely on it.

Reporting Obligations

In addition, under the new regime established by the NIS2 Order, captured entities must report significant incidents to CSIRT according to the following timeline:


  1. An early warning must be submitted without undue delay and in any event within 24 hours of becoming aware of the significant incident, indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
  2. Within 72 hours of becoming aware of the incident, an incident notification must be filed, updating the early warning and providing an initial assessment of the incident's severity and impact, including indicators of compromise where available;
  3. A final report must be submitted not later than one month after the incident notification, including: a detailed description of the incident, its severity and impact; the type of threat or root cause that is likely to have triggered it; the mitigation measures applied and ongoing; and, where applicable, the cross-border impact of the incident.

Failure to adhere to these reporting obligations could result in administrative fines and enforcement measures.

Significant Penalties for Non-Compliance

Failure to comply with the NIS2 Order's obligations can result in hefty administrative fines, including:

  • Up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities
  • Up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities

The competent authority will also have the power to suspend operations, mandate corrective actions, or impose periodic penalty payments on entities that repeatedly fail to meet their obligations.

Management Body Responsibility & Liability

In terms of the NIS2 Order, the management body of an essential or important entity is required to approve the cybersecurity risk-management measures taken by the entity and to oversee their implementation.

The natural persons composing the management bodies may be held personally liable in certain instances.

A legal obligation upon the management bodies to undertake training as needed to carry out their tasks is also included.

With cybersecurity risks escalating globally, Malta's approach to implementing the NIS2 Directive sets a new benchmark for regulatory oversight and industry responsibility in safeguarding digital infrastructure. This transposition undoubtedly marks a transformative step in Malta's cybersecurity landscape.

As the regulatory framework unfolds, captured entities must proactively, amongst other things, adopt robust security measures and update incident response protocols...

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
