NIS 2 Directive | Transposition in Malta



12 March 2026 Update - The transposition of NIS 2 in Malta

In Malta, the NIS 2 Directive has recently been transposed through subsidiary legislation rather than a primary statute, and the operational implementation has been phased over several steps.

Before the NIS 2 Directive, Malta implemented the earlier NIS Directive (Directive 2016/1148) through national regulations governing operators of essential services and digital service providers. Oversight of cybersecurity and critical infrastructure protection has traditionally been exercised through institutions such as the Critical Infrastructure Protection Department (CIPD) and CSIRT-Malta, which functions as the national computer security incident response team. The regulatory scope of the NIS 1 framework was comparatively limited, reflecting the narrower coverage of the original directive.

Under Article 41 of Directive (EU) 2022/2555, Member States were required to adopt national implementing measures by 17 October 2024. Malta did not complete the legislative process by that deadline and therefore initially appeared among the Member States whose transposition had not yet been notified to the European Commission. The Maltese government subsequently adopted implementing legislation during 2025.

The main legal instrument implementing the directive is: Legal Notice 71 of 2025 – “Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025.”

This legal notice introduces Subsidiary Legislation 460.41 and formally transposes the provisions of Directive (EU) 2022/2555 into Maltese law.

The Order establishes the Maltese cybersecurity framework aligned with the NIS 2 Directive and significantly expands cybersecurity obligations across sectors of high criticality such as energy, health, transport, digital infrastructure, and manufacturing.

The transposition was adopted in April 2025 and incorporated into Maltese subsidiary legislation.

The Maltese implementing order establishes a comprehensive regulatory architecture consistent with the directive. It introduces the classification of essential entities and important entities, which must comply with cybersecurity risk-management obligations, incident-reporting requirements, and supervisory oversight by national authorities.

Entities falling within the scope of the order must implement organisational cybersecurity governance structures, adopt technical security measures, and notify significant cybersecurity incidents to CSIRT-Malta within the reporting timelines required by the directive. The regulatory framework also introduces administrative sanctions and enforcement powers for supervisory authorities in cases of non-compliance.
