Cybersecurity ยท Malta
Cybersecurity law in Malta: NIS2 compliance (2026)
Malta shaded by its cybersecurity status
Cybersecurity in Malta: comprehensive law, anchored by Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 (S.L. 460.41 / Legal Notice 71 of 2025), transposing EU Directive 2022/2555 (NIS2); supervised by the CIP Department (Malta Critical Infrastructure Protection) as national competent authority and CSIRT; MDIA as National Cybersecurity Certification Authority under the EU Cybersecurity Act.
Malta transposed the NIS2 Directive into national law via Legal Notice 71 of 2025 (S.L. 460.41), published on 8 April 2025. The Order was brought fully into force on 23 January 2026 by Legal Notice 22 of 2026, establishing binding risk-management and incident-reporting obligations for essential and important entities across critical and high-impact sectors. The CIP Department serves as the single national supervisory authority and hosts CSIRT-Malta, while the Malta Digital Innovation Authority (MDIA) acts as the National Cybersecurity Certification Authority under the EU Cybersecurity Act.
NIS2 & cybersecurity law in Malta
In Malta, baseline cybersecurity obligations come from the EU NIS2 Directive, transposed into national law, which sets risk-management and incident-reporting duties for essential and important entities.
- Framework
- the NIS2 Directive (EU) 2022/2555, transposed into national law
- Approach
- cybersecurity risk-management measures plus mandatory incident reporting for in-scope entities
- Applies to
- medium and large entities in critical sectors: energy, transport, banking, health, water, digital infrastructure, ICT and public administration
- Incident reporting
- an early warning within 24 hours and a full notification within 72 hours to the national CSIRT
- Maximum fine
- up to โฌ10 million or 2% of global annual turnover for essential entities
- Oversight
- the national competent authority and CSIRT designated under NIS2
NIS2 is a directive, so Malta implements it through national law; exact scope and deadlines can vary slightly by transposition.
NIS2 in Malta: FAQ
Yes. As an EU member, Malta has transposed the NIS2 Directive (EU) 2022/2555 into national law, covering essential and important entities in critical sectors.
Medium and large organisations in sectors such as energy, transport, banking, health, water, digital infrastructure and public administration.
An early warning within 24 hours of becoming aware and a fuller incident notification within 72 hours to the national CSIRT.
Up to โฌ10 million or 2% of global annual turnover for essential entities, with lower ceilings for important entities.
Key points
Legal Notice 71 of 2025 (S.L. 460.41) transposes NIS2 (EU Directive 2022/2555) into Maltese law. All provisions entered into force on 23 January 2026 via Legal Notice 22 of 2026, after missing the EU's 17 October 2024 deadline.
The CIP Department (Department for Critical Infrastructure Protection, maltacip.gov.mt) is designated as the single point of contact and national supervisory authority. It hosts CSIRT-Malta, which handles threat monitoring, early warnings, forensic analysis, and coordinates incident response at national level.
Essential and important entities must submit a 24-hour early warning upon becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month of the full notification, mirroring the NIS2 tiered reporting framework.
Essential and important entities must implement technical, operational, and organisational measures covering risk analysis, incident handling, supply chain security, network/information system security, human resources security, and access control policies.
Non-compliance may attract administrative fines up to โฌ10 million or 2% of global annual turnover for essential entities, and up to โฌ7 million or 1.4% of global turnover for important entities, whichever is higher.
The Malta Digital Innovation Authority (MDIA) is Malta's designated National Cybersecurity Certification Authority (NCCA) under Regulation (EU) 2019/881 (EU Cybersecurity Act), overseeing EU certification schemes (including EUCC) for ICT products and services marketed in Malta.
Timeline - major decisions & events
Legal Notice 89 of 2026 amends S.L. 460.41 by replacing the original Advisory Board with a fully empowered Enforcement Committee authorised to issue administrative penalties, repositions the national CSIRT under MITA, and tightens auditor-independence requirements. This operationalised meaningful sanctions under the NIS2 framework.
GTG Legal โMalta's Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 took effect, transposing Directive 2022/2555, five months after the EU's 17 October 2024 deadline. It classifies entities as 'essential' or 'important', mandates 24-hour early-warning, 72-hour incident notification, risk-management measures, management-body accountability, and fines up to โฌ10 million / 2 % of global turnover.
European Commission โ Digital Strategy โEU Regulation 2022/2554 (DORA) became directly applicable across Malta's financial sector, imposing ICT risk-management, major-incident reporting, third-party risk oversight, and digital-resilience testing obligations. The Malta Financial Services Authority was designated as the national authority overseeing Threat-Led Penetration Testing.
Malta Financial Services Authority (MFSA) โMalta's second national cybersecurity strategy was unveiled at the Digital Malta Conference, built on four domains: governance, cyber resilience, cyber skills, and international cooperation. It set the current whole-of-society policy framework and aligned obligations with emerging EU instruments including NIS2 and the Cybersecurity Act.
NCC-MITA (National Coordination Centre) โMITA formally stood up the NCC-MT at the Cyber ROOT 2022 Conference in Valletta, fulfilling Malta's obligation under EU Regulation 2021/887. The NCC channels EU funding, coordinates research and industrial capacity-building, and connects Malta to the European Cybersecurity Competence Centre (ECCC) network.
Malta Information Technology Agency (MITA) โThe Information and Data Protection Commissioner imposed a โฌ65,000 fine on IT company C-Planet after finding it had failed to implement adequate technical and organisational security measures, resulting in the 2020 exposure of 337,000 voters' records. This was one of the largest GDPR enforcement actions in Malta to that date.
DataGuidance (citing IDPC decision) โA publicly accessible folder on C-Planet IT Solutions' server exposed the full Maltese electoral register, names, ID numbers, addresses, phone numbers, dates of birth, and political preferences for approximately 98 % of all voters. The breach was not notified to the IDPC by C-Planet, triggering the subsequent enforcement action.
MaltaToday โMalta transposed EU Directive 2016/1148 through the Measures for High Common Level of Security of Network and Information Systems Order, assigning the Critical Information Infrastructure Protection (CIIP) Unit as national competent authority and establishing CSIRT-Malta. Operators of essential services and digital service providers became subject to mandatory security and incident-reporting obligations for the first time.
Malta Critical Infrastructure Protection Department โThe GDPR began applying directly in Malta and was supplemented by Act XX of 2018 (Chapter 586), establishing the Information and Data Protection Commissioner (IDPC) as the independent supervisory authority. Controllers became subject to 72-hour breach notification to the IDPC and up to โฌ20 million / 4 % of turnover fines for serious infringements, creating the first binding cybersecurity-adjacent breach reporting duty in Malta.
Information and Data Protection Commissioner (IDPC) โMITA published Malta's inaugural National Cyber Security Strategy, establishing governance structures, designating CSIRT-Malta, and setting goals across five pillars: governance, resilience, capability, awareness, and international co-operation. This document served as the foundational policy framework for over six years until the 2023-2026 strategy superseded it.
Malta Information Technology Agency (MITA) โMalta incorporated computer-misuse offences into the Criminal Code, criminalising unauthorised access, data interference, and misuse of computer hardware, mirroring the Budapest Convention before its formal ratification. A dedicated Police Cybercrime Unit was subsequently established in 2003 to investigate offences where computers are the target or instrument of crime.
WIPO Lex โ Malta Criminal Code (Chapter 9) โMalta - other topics
Cybersecurity in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ