As an EU Member State, Malta was obliged to transpose EU Directive 2022/2555 (‘NIS 2’) by 17 October 2024. Following Malta’s Draft Order transposing the Directive, which closed for public consultation on 7 October 2024, the transposition was finally implemented on 8 April 2025 through Legal Notice 71 of 2025, which creates the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 as Subsidiary Legislation 460.41 (S.L. 460.41). It should however be noted that, at the time of writing, S.L. 460.41 is not yet in force, though it is expected to come into force imminently.
The overarching aim of NIS 2 is for national authorities to have better oversight over critical sectors, especially where an interruption of services could cause nation-wide disruption. NIS 2 also repeals Directive (EU) 2016/1148 (‘NIS 1’), which was narrower in scope and applied to fewer sectors and entities.
Applicability
S.L. 460.41 is applicable to all the entities listed in its First and Second Schedule, which fall under the following sectors:
Sectors of High Criticality (First Schedule):
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (business-to-business)
- Public administration
- Space
Other Critical Sectors (Second Schedule):
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
S.L. 460.41 does not introduce any new sectors beyond those already introduced in NIS 2. It is however worth noting that the scope has widened significantly from NIS 1 to NIS 2. For instance, under the First Schedule, ‘digital infrastructure providers’, which previously only included IXPs, DNS service providers and TLD name registries, now also include cloud computing service providers, data centre service providers, providers of public electronic communications networks and providers of publicly available electronic communications services.
Under the Second Schedule, besides online marketplaces and online search engines, digital providers now also include providers of social networking services platforms. Moreover, the postal and courier services, waste management, manufacturing and research sectors were not previously listed under NIS 1.
All the above entities are classified as either ‘essential’ or ‘important’ entities. Article 4 of S.L. 460.41 provides a list of the entities listed in the First and Second Schedules which are classified as ‘essential’, depending on certain criteria such as their size, or whether they fall within definitions provided under other laws. Any entities listed in the First and Second Schedules that do not fall within the ‘essential’ classification automatically fall under the ‘important’ classification instead.
Competent Authorities
The Critical Infrastructure Protection Department (‘CIPD’) is established as the national supervisory authority responsible for monitoring the application of this legislation in Malta, whereas the Malta Communications Authority (‘MCA’) is the competent authority in relation to the following sectors:
- the Digital Infrastructure sector; and
- the Postal and Courier Services sector.
The Critical Infrastructure Protection Advisory Board and the Critical Infrastructure Protection Department
Additionally, S.L. 460.41 establishes the Critical Infrastructure Protection Advisory Board, which, together with the CIPD, makes up the Maltese Computer Security Incident Response Team (CSIRT). As part of the Maltese transposition, several additional tasks have been introduced for these entities. For instance, the CSIRT, acting as the coordinator for coordinated vulnerability disclosure, is tasked with establishing and maintaining a register of coordinated vulnerability disclosure policies.
Furthermore, the CSIRT is required to carry out the necessary technical operations to assess risks or threats to entities. This is essential in order to notify the relevant manufacturer or provider of the potentially vulnerable ICT product/service/process used by the essential or important entity concerned. An essential or important entity may also appoint an auditor for the verification of the cybersecurity risk-management measures implemented by that entity.
Additional Compliance Obligations under S.L. 460.41
S.L. 460.41 introduces certain compliance obligations of which entities falling within the scope of NIS 2 should be aware. All essential and important entities are required to appoint a Security Liaison Officer with the necessary expertise to ensure the entity is up to standard. The law also obliges essential and important entities to receive CSIRT monitoring services. Furthermore, entities in the digital provider sector, the digital infrastructure sector and the ICT service management (B2B) sector are required to submit to the Critical Infrastructure Protection Department a detailed list of the computer, network and operational technology resources used.
Supervisory and Enforcement Measures
Additional supervisory measures have also been introduced. The CIPD may request evidence from essential and important entities of CSIRT monitoring services as well as evidence of operator security and business continuity plans.
Malta also places its focus on additional enforcement measures which the CIPD may take, including ordering the essential or important entity to receive CSIRT monitoring services and to register under the national self-registration mechanism. This register helps ensure that entities are meeting their legal obligations in line with S.L. 460.41.
Entities will also be required to adhere to stringent incident reporting obligations, wherein entities must warn the CSIRT of any critical cybersecurity incidents within 24 hours of becoming aware of the incident and submit an incident notification together with a risk assessment within 72 hours.