16 April 2025

Malta Transposes NIS 2 Directive Into National Law Through LN 71 Of 2025

Ganado Advocates


Ganado Advocates is a leading commercial law firm with a particular focus on the corporate, financial services and maritime/aviation sectors, predominantly servicing international clients doing business through Malta. The firm also promotes other areas such as tax, pensions, intellectual property, employment and litigation.

The NIS 2 Directive, the European Union's latest legislative instrument aimed at enhancing cybersecurity resilience across the bloc, has officially been transposed into Maltese law. This was done through Legal Notice 71 of 2025, published on 8 April 2025.

This landmark regulation significantly broadens the scope of cybersecurity obligations across a range of critical and high-impact sectors. These include Energy, Transport, Health, Pharmaceuticals, Drinking Water manufacture, supply and distribution, Manufacturing, and Online Marketplaces, among others.

The legislation introduces a stronger and more harmonised framework for the protection of network and information systems, reflecting the EU's strategic push to mitigate growing cyber threats in an increasingly digital and interconnected landscape.

Snapshot of Key Obligations for Essential and Important Entities:

Entities falling under the "essential" or "important" category as defined by the law are now subject to a set of stringent compliance requirements, including:

  1. Registration – Obligatory inclusion in the national registry of essential and important entities.
  2. Governance – Implementation of clear internal structures for cybersecurity oversight and accountability, including training.
  3. Risk Management Measures – Adoption of technical, operational and organisational measures to manage risks to their network and information systems, including policies on risk analysis, incident handling, supply chain security, network and information systems acquisition, development and maintenance, and human resources security, coupled with CSIRT services.
  4. Incident Reporting – Timely notification of significant cyber incidents to the competent national authority.
  5. Appointment of a Qualified Auditor to verify that the necessary measures have been implemented.

Entities operating within the affected sectors are advised to familiarise themselves with the new obligations and initiate compliance planning without delay.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
