NIS 2 Status in Malta

What the directive requires, how Malta transposes it, and where the national authority sits.

Simon Orzel

Overview

The NIS 2 Directive is the EU layer. It binds every Member State, Malta included, with a single minimum floor for essential and important entities. Malta has to carry that floor into Maltese law and run a competent authority below it.

Malta transposes NIS 2 through Legal Notice 71 of 2025, the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, published in the Government Gazette on 8 April 2025 and held as subsidiary legislation 460.41. Malta missed the 17 October 2024 EU deadline, but transposed before the European Commission escalated to reasoned opinions in May 2025. Malta was not on the list of nineteen Member States that received one.

The Critical Information Infrastructure Protection unit at the Ministry for Home Affairs and National Security is listed by the European Commission as the single point of contact and the competent authority for both essential and important entities. CSIRTMalta is the national CSIRT for incident handling and coordination.

Where the rules sit
Three layers anyone reading Malta's NIS 2 picture has to keep apart.

EU directive

Directive (EU) 2022/2555 (NIS 2)

The EU-wide cybersecurity directive. It sets the obligations every Member State has to transpose, including the size and sector test for essential and important entities.

EU implementation

Commission Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Malta, no national transposition required.

Maltese transposition

Legal Notice 71 of 2025 (SL 460.41), published 8 April 2025

Malta's NIS 2 transposition, formally the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order. As subsidiary legislation it sits beneath a parent Act; operational detail comes through the competent authority's guidance.

Three points worth knowing
What changes for entities with activity in Malta.
Transposition

Legal Notice 71 of 2025

Brings the NIS 2 obligations into Maltese law as subsidiary legislation 460.41. Defines the essential and important entity categories, the powers of the competent authority, reporting duties and penalties. As a Legal Notice it can be updated faster than primary legislation, so practitioners should track the legislation.mt entry rather than rely on a static print version.

Oversight

Competent authority and single point of contact

The European Commission lists the Critical Information Infrastructure Protection unit at the Ministry for Home Affairs and National Security as Malta's competent authority and single point of contact under NIS 2. It is the channel for cross-border coordination with other Member States, ENISA and the cooperation group.

Deadlines

Registration and reporting

The directive requires Member States to identify essential and important entities by 17 April 2025. Malta's Legal Notice took effect close to that window. Significant incidents follow the directive timing: early warning within 24 hours, notification within 72 hours, final report within one month. Where the Maltese order specifies a national portal or contact form, the competent authority publishes the channel.

Two principles that settle every edge case
Read these before any Maltese commentary on NIS 2.

On Maltese soil, Maltese law applies

Activity on Maltese territory follows the Maltese transposition. A foreign parent with a Maltese subsidiary reads Legal Notice 71 of 2025 for that subsidiary, not the German BSIG or any other Member State's law. The directive obligations are identical. Procedure, registration channel and penalties live in Maltese law.

Malta cannot drop below the EU floor

The directive is minimum harmonisation. Malta may go stricter. Malta cannot fall below the directive, neither on the duties for essential and important entities, nor on incident reporting timelines, nor on management body accountability.

Who does what in Malta
Three institutions that show up in almost every Maltese NIS 2 question.
MT

Critical Information Infrastructure Protection unit

The competent authority and single point of contact listed by the European Commission, hosted at the Ministry for Home Affairs and National Security. Coordinates supervision of essential and important entities, fulfils the cross-border single-point-of-contact role, and channels enforcement under Legal Notice 71 of 2025.

MT

CSIRTMalta

Malta's national CSIRT for incident handling and coordination under NIS 2. Receives significant-incident notifications, supports affected entities, and participates in the EU CSIRTs Network. The exact NIS 2 reporting channel and any technical portal sit with CSIRTMalta and the competent authority; check their published guidance for the current submission form.

EU

ENISA

The EU cybersecurity agency. Publishes guidelines, runs the European vulnerability database and coordinates across borders. Not the supervisor for Maltese entities. That sits with the national competent authority.

Pitfalls
Mistakes we see when Maltese entities read NIS 2 for the first time.
  • We follow what our German parent does, so NIS 2 is covered.

    The directive obligations are identical, the national procedure is not. A Maltese subsidiary registers in Malta with the Maltese competent authority, reports incidents through CSIRTMalta and faces penalties under Maltese law. The German BSIG drives the German entity. The Maltese Legal Notice 71 of 2025 drives the Maltese entity. Group-level compliance does not replace the Maltese filing.

  • There is no Maltese NIS 2 registration channel yet, so we wait.

    The directive obligations apply from the moment the entity is in scope, not from the moment a portal looks polished. Where Malta has not yet stood up an online registry, the competent authority publishes an interim contact path. Sitting on the sidelines is not a defence under Article 21 of the directive once the size and sector test is met.

  • NIS 2 in Malta only hits the obvious critical sectors.

    By default, the size and sector test covers medium and large enterprises, but the directive also catches smaller entities where they are sole providers, operate cross-border, or are named in national law. Public administrations and certain digital providers are in regardless of size. The applicability check has to run case by case, not on company size alone.

From practice

Most Maltese operators we meet treat NIS 2 as the next compliance file after GDPR. That is fine as a project framing. The substance is different: the directive talks about service continuity, supply chain risk and management accountability, not just personal data. The directors of a Maltese company under NIS 2 personally sign off on the risk management baseline and on their own training. That sign-off is not delegable to the parent group or to an external consultant.

The practical sequence is the same across the EU: run the applicability check against the directive, register with the national competent authority once the channel is open, set up the four continuing duties (keep registration data current, incident reporting, supply chain risk, management body oversight), and document the minimum. Where CSIRTMalta or the competent authority publishes sector guidance, use it. Where they do not, the directive text and the implementing regulation are the fallback.

What the platform provides

We build the NIS 2 obligation register on the EU layer, not on a single national transposition. The same checklist fits a Maltese subsidiary under Legal Notice 71 of 2025, a German parent under BSIG and a Dutch sister under the Cyberbeveiligingswet. The article references change per country, the substantive duties do not.

For the Maltese scope, start with the applicability check, then incident timing, supply chain clauses and management body sign-off. Where CSIRTMalta or the competent authority publishes sector guidance, we link it. We do not copy it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Commission Implementing Regulation (EU) 2024/2690
  • Legal Notice 71 of 2025, Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order — legislation.mt (SL 460.41)
  • European Commission, NIS 2 implementation page for Malta — digital-strategy.ec.europa.eu
  • European Commission, May 2025 reasoned opinions on NIS 2 transposition (Malta not listed)
  • CSIRTMalta — Malta's national CSIRT
  • ENISA — European Union Agency for Cybersecurity