NIS2 Country Guide

NIS2 Malta: Compliance, Authorities & Key Requirements

Understand how Malta implements the NIS2 Directive (EU) 2022/2555, which entities are in scope, how registration works, who supervises compliance, and the key steps to get ready.

Malta. In force: 8 Apr 2025. Register target: 30 Oct 2025.

Introduction: NIS2 Directive & the Maltese context

The NIS2 Directive strengthens cybersecurity across the EU. Malta has transposed NIS2 via Legal Notice 71 of 2025 — Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order (S.L. 460.41), effective 8 April 2025. If you operate in Malta (or offer services there), assess whether you are an essential or important entity and prepare accordingly.

Quick link: Read our overview “What is NIS2?” and “NIS vs NIS2” for background before diving into Malta’s specifics.

NIS2 Directive implementation in Malta

Malta transposed NIS2 through Legal Notice 71 of 2025 (S.L. 460.41), in force since 8 April 2025.

Status

Transposed; in force since 8 April 2025.

Legal instrument

Measures for a High Common Level of Cybersecurity Across the EU (Malta) Order — Legal Notice 71 of 2025.

Registration

Register operated by the Critical Infrastructure Protection Department (CIP Department). Target operational by 30 October 2025.

Category          | Notes
------------------|----------------------------------------------------------------
Essential sectors | Energy, transport, banking & FMIs, health, drinking & wastewater, digital infrastructure, public administration.
Important sectors | Postal & courier, waste management, food, manufacturing, chemicals, digital providers, research.
Size criteria     | Typical NIS2 baselines: Essential ≥250 employees or >€50m turnover (or >€43m balance sheet). Important ≥50 employees or >€10m turnover.
Exclusions        | Certain bodies relating to national security, defence, and law enforcement are excluded.

NIS2 Malta: what you need to know about compliance & certification

Malta follows NIS2’s two-tier model (Essential / Important) and applies EU size criteria in line with the directive.

Obligations

  • Risk management & security policy across IT/OT
  • Incident handling & reporting (24h early warning, 72h initial, 1-month final)
  • Business continuity & crisis management
  • Supply-chain security & vendor risk
  • Vulnerability disclosure (VDP) & secure development
  • Executive/board accountability & training

Standards & alignment

No single certification mandated. Alignment with ISO/IEC 27001:2023, NIST CSF 2.0, and relevant sector standards (e.g., IEC 62443) is recommended.

Evidence & audits

Maintain policies, risk registers, supplier due diligence, incident logs, and training records to demonstrate compliance during supervisory checks.

Tip: Map NIS2 Article 21 requirements to your current controls and log evidence quarterly to stay audit-ready.

Competent authorities & CSIRT

Supervision and incident response are coordinated nationally, with sector oversight where applicable.

Role                                | Authority                                                      | Notes
------------------------------------|----------------------------------------------------------------|------------------------------------------------------------------------
National competent authority / SPOC | Critical Infrastructure Protection Department (CIP Department) | Operates the register and supervises compliance.
National CSIRT                      | CSIRT-Malta                                                    | Receives incident reports; supports coordination 24/7.
Registration                        | CIP Department                                                 | Register target operational by 30 Oct 2025; entities self-register when open.

National NIS2 timeline & key dates

27 Dec 2022 — NIS2 published in the EU Official Journal.
17 Oct 2024 — EU transposition deadline for Member States.
8 Apr 2025 — Malta’s Legal Notice 71/2025 enters into force.
30 Oct 2025 — CIP Department register target operational.
2027 onward — Regular supervisory audits scale up.

Sector-specific notes (Malta)

  • Public administration: most administrative bodies are covered; exclusions apply for defence, law enforcement, and national security bodies.
  • Digital infrastructure & providers: DNS, TLD, cloud, data centres, CDNs — typically in scope, often irrespective of size.
  • Finance/health/energy: expect alignment with parallel EU regimes (e.g., DORA in finance) and sectoral guidance.

Penalties for non-compliance

In line with NIS2, Malta provides for turnover-based fines:

  • Essential entities: up to €10m or 2% of global turnover (whichever is higher).
  • Important entities: up to €7m or 1.4% of global turnover (whichever is higher).

Supervisory powers include audits, binding orders, and, in serious cases, service restrictions.

How to prepare for NIS2 in Malta

  1. Determine scope: confirm whether you provide Annex I/II services and meet the size thresholds; classify as an essential entity (EE) or important entity (IE).
  2. Prepare for registration: compile entity details to register with the CIP Department once the portal opens.
  3. Governance: secure board-level accountability and budget for cybersecurity.
  4. Risk management: map and implement controls aligned to Article 21, covering IT/OT systems, vulnerability disclosure (VDP) and business continuity / disaster recovery (BC/DR).
  5. Supply chain: assess MSPs/MSSPs and critical suppliers; add contractual security requirements.
  6. Incident readiness: implement detection, escalation and a 24/7 reporting workflow to CSIRT-Malta that meets the 24h/72h/1-month deadlines.
  7. Train & evidence: leadership training, staff awareness, and auditable records.

Official links & resources

  • Critical Infrastructure Protection Department — national competent authority (registration & supervision)
  • CSIRT-Malta — national CSIRT (incident reporting and coordination)

FAQ: NIS2 in Malta

When did NIS2 enter into force in Malta?
On 8 April 2025 via Legal Notice 71/2025 (S.L. 460.41).

Who do I register with and when?
With the CIP Department. The register’s target operational date is 30 October 2025.

Does NIS2 apply regardless of size?
General size thresholds apply (≥50 employees or ≥€10m), but some providers (e.g., DNS/TLD, trust services) may be covered regardless of size.

Is a specific certification required?
No. Alignment with ISO/IEC 27001:2023, NIST CSF 2.0, and sector standards is recommended.

What are the fines?
Essential: up to €10m or 2% global turnover; Important: up to €7m or 1.4% global turnover.

Information provided for general guidance; consult official Maltese sources for updates. Last updated: 9 Nov 2025 (Europe/Bucharest)