Skip to content
World Watch/Malta/Cybersecurity

Cybersecurity ยท Malta

Cybersecurity law in Malta: NIS2 compliance (2026)

Comprehensive lawMeasures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 (S.L. 460.41 / Legal Notice 71 of 2025), transposing EU Directive 2022/2555 (NIS2); supervised by the CIP Department (Malta Critical Infrastructure Protection) as national competent authority and CSIRT; MDIA as National Cybersecurity Certification Authority under the EU Cybersecurity ActCountry index 96 ยท A+

Malta shaded by its cybersecurity status

Cybersecurity in Malta: comprehensive law, anchored by Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 (S.L. 460.41 / Legal Notice 71 of 2025), transposing EU Directive 2022/2555 (NIS2); supervised by the CIP Department (Malta Critical Infrastructure Protection) as national competent authority and CSIRT; MDIA as National Cybersecurity Certification Authority under the EU Cybersecurity Act.

Malta transposed the NIS2 Directive into national law via Legal Notice 71 of 2025 (S.L. 460.41), published on 8 April 2025. The Order was brought fully into force on 23 January 2026 by Legal Notice 22 of 2026, establishing binding risk-management and incident-reporting obligations for essential and important entities across critical and high-impact sectors. The CIP Department serves as the single national supervisory authority and hosts CSIRT-Malta, while the Malta Digital Innovation Authority (MDIA) acts as the National Cybersecurity Certification Authority under the EU Cybersecurity Act.

NIS2 & cybersecurity law in Malta

In Malta, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.

Framework
the NIS2 Directive (EU) 2022/2555, transposed into national law
Approach
cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
Applies to
medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
Incident reporting
an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
Maximum fine
up to โ‚ฌ10 million or 2% of global annual turnover for essential entities
Oversight
the national competent authority and CSIRT designated under NIS2

NIS2 is a directive, so Malta implements it through national law; exact scope and deadlines can vary slightly by transposition.

NIS2 in Malta: FAQ

Does NIS2 apply in Malta?

Yes. As an EU member, Malta has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.

Who must comply with NIS2 in Malta?

Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.

What are the NIS2 incident-reporting deadlines in Malta?

An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.

What are the penalties under NIS2 in Malta?

Up to โ‚ฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.

Key points

Governing Legislation

Legal Notice 71 of 2025 (S.L. 460.41) transposes NIS2 (EU Directive 2022/2555) into Maltese law. All provisions entered into force on 23 January 2026 via Legal Notice 22 of 2026, after missing the EU's 17 October 2024 deadline.

Competent Authority

The CIP Department (Department for Critical Infrastructure Protection, maltacip.gov.mt) is designated as the single point of contact and national supervisory authority. It hosts CSIRT-Malta, which handles threat monitoring, early warnings, forensic analysis, and coordinates incident response at national level.

Incident Reporting Obligations

Essential and important entities must submit a 24-hour early warning upon becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month of the full notification, mirroring the NIS2 tiered reporting framework.

Risk Management Obligations

Essential and important entities must implement technical, operational, and organisational measures covering risk analysis, incident handling, supply chain security, network/information system security, human resources security, and access control policies.

Enforcement & Penalties

Non-compliance may attract administrative fines up to โ‚ฌ10 million or 2% of global annual turnover for essential entities, and up to โ‚ฌ7 million or 1.4% of global turnover for important entities, whichever is higher.

EU Cybersecurity Certification (Cybersecurity Act)

The Malta Digital Innovation Authority (MDIA) is Malta's designated National Cybersecurity Certification Authority (NCCA) under Regulation (EU) 2019/881 (EU Cybersecurity Act), overseeing EU certification schemes (including EUCC) for ICT products and services marketed in Malta.

Timeline - major decisions & events

Jan 1, 2026law
NIS2 Amendment Order L.N. 89/2026: Enforcement Committee and CSIRT Restructure

Legal Notice 89 of 2026 amends S.L. 460.41 by replacing the original Advisory Board with a fully empowered Enforcement Committee authorised to issue administrative penalties, repositions the national CSIRT under MITA, and tightens auditor-independence requirements. This operationalised meaningful sanctions under the NIS2 framework.

GTG Legal โ†—
Apr 8, 2025lawofficial
NIS2 Transposition Enters into Force: S.L. 460.41 (L.N. 71/2025)

Malta's Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 took effect, transposing Directive 2022/2555, five months after the EU's 17 October 2024 deadline. It classifies entities as 'essential' or 'important', mandates 24-hour early-warning, 72-hour incident notification, risk-management measures, management-body accountability, and fines up to โ‚ฌ10 million / 2 % of global turnover.

European Commission โ€“ Digital Strategy โ†—
Jan 17, 2025lawofficial
DORA Applies: MFSA Designated as TLPT Supervisor for Financial Sector

EU Regulation 2022/2554 (DORA) became directly applicable across Malta's financial sector, imposing ICT risk-management, major-incident reporting, third-party risk oversight, and digital-resilience testing obligations. The Malta Financial Services Authority was designated as the national authority overseeing Threat-Led Penetration Testing.

Malta Financial Services Authority (MFSA) โ†—
Nov 23, 2022guidanceofficial
National Cybersecurity Strategy 2023-2026 Launched

Malta's second national cybersecurity strategy was unveiled at the Digital Malta Conference, built on four domains: governance, cyber resilience, cyber skills, and international cooperation. It set the current whole-of-society policy framework and aligned obligations with emerging EU instruments including NIS2 and the Cybersecurity Act.

NCC-MITA (National Coordination Centre) โ†—
Oct 27, 2022decisionofficial
Malta National Cybersecurity Coordination Centre (NCC-MT) Officially Launched

MITA formally stood up the NCC-MT at the Cyber ROOT 2022 Conference in Valletta, fulfilling Malta's obligation under EU Regulation 2021/887. The NCC channels EU funding, coordinates research and industrial capacity-building, and connects Malta to the European Cybersecurity Competence Centre (ECCC) network.

Malta Information Technology Agency (MITA) โ†—
Jan 1, 2022enforcement
IDPC Fines C-Planet โ‚ฌ65,000 for Voter-Database Breach

The Information and Data Protection Commissioner imposed a โ‚ฌ65,000 fine on IT company C-Planet after finding it had failed to implement adequate technical and organisational security measures, resulting in the 2020 exposure of 337,000 voters' records. This was one of the largest GDPR enforcement actions in Malta to that date.

DataGuidance (citing IDPC decision) โ†—
Feb 29, 2020incident
C-Planet Voter Data Breach: 337,000 Records Exposed

A publicly accessible folder on C-Planet IT Solutions' server exposed the full Maltese electoral register, names, ID numbers, addresses, phone numbers, dates of birth, and political preferences for approximately 98 % of all voters. The breach was not notified to the IDPC by C-Planet, triggering the subsequent enforcement action.

MaltaToday โ†—
Jul 6, 2018lawofficial
NIS Directive Transposed: L.N. 216/2018 (S.L. 460.35)

Malta transposed EU Directive 2016/1148 through the Measures for High Common Level of Security of Network and Information Systems Order, assigning the Critical Information Infrastructure Protection (CIIP) Unit as national competent authority and establishing CSIRT-Malta. Operators of essential services and digital service providers became subject to mandatory security and incident-reporting obligations for the first time.

Malta Critical Infrastructure Protection Department โ†—
May 25, 2018lawofficial
GDPR Applies; Malta Enacts Data Protection Act (Cap. 586)

The GDPR began applying directly in Malta and was supplemented by Act XX of 2018 (Chapter 586), establishing the Information and Data Protection Commissioner (IDPC) as the independent supervisory authority. Controllers became subject to 72-hour breach notification to the IDPC and up to โ‚ฌ20 million / 4 % of turnover fines for serious infringements, creating the first binding cybersecurity-adjacent breach reporting duty in Malta.

Information and Data Protection Commissioner (IDPC) โ†—
Jan 1, 2016guidanceofficial
Malta's First National Cybersecurity Strategy Published by MITA

MITA published Malta's inaugural National Cyber Security Strategy, establishing governance structures, designating CSIRT-Malta, and setting goals across five pillars: governance, resilience, capability, awareness, and international co-operation. This document served as the foundational policy framework for over six years until the 2023-2026 strategy superseded it.

Malta Information Technology Agency (MITA) โ†—
Jan 1, 2001lawofficial
Computer Misuse Provisions Added to Malta's Criminal Code (Subtitle V, Title IX)

Malta incorporated computer-misuse offences into the Criminal Code, criminalising unauthorised access, data interference, and misuse of computer hardware, mirroring the Budapest Convention before its formal ratification. A dedicated Police Cybercrime Unit was subsequently established in 2003 to investigate offences where computers are the target or instrument of crime.

WIPO Lex โ€“ Malta Criminal Code (Chapter 9) โ†—

Malta - other topics

Cybersecurity in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’