Cybersecurity regulation in Malta (2026)
Malta transposed the NIS2 Directive into national law via Legal Notice 71 of 2025 (S.L. 460.41), published on 8 April 2025. The Order was brought fully into force on 23 January 2026 by Legal Notice 22 of 2026, establishing binding risk-management and incident-reporting obligations for essential and important entities across critical and high-impact sectors. The CIP Department serves as the single national supervisory authority and hosts CSIRT-Malta, while the Malta Digital Innovation Authority (MDIA) acts as the National Cybersecurity Certification Authority under the EU Cybersecurity Act.
Key points
Legal Notice 71 of 2025 (S.L. 460.41) transposes NIS2 (EU Directive 2022/2555) into Maltese law. All provisions entered into force on 23 January 2026 via Legal Notice 22 of 2026, after Malta missed the EU's 17 October 2024 deadline.
The CIP Department (Department for Critical Infrastructure Protection, maltacip.gov.mt) is designated as the single point of contact and national supervisory authority. It hosts CSIRT-Malta, which handles threat monitoring, early warnings, and forensic analysis, and coordinates incident response at national level.
Essential and important entities must submit a 24-hour early warning upon becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month of the full notification — mirroring the NIS2 tiered reporting framework.
Essential and important entities must implement technical, operational, and organisational measures covering risk analysis, incident handling, supply chain security, network/information system security, human resources security, and access control policies.
Non-compliance may attract administrative fines up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of global turnover for important entities, whichever is higher.
The Malta Digital Innovation Authority (MDIA) is Malta's designated National Cybersecurity Certification Authority (NCCA) under Regulation (EU) 2019/881 (EU Cybersecurity Act), overseeing EU certification schemes (including EUCC) for ICT products and services marketed in Malta.
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.