ARTICLE
30 June 2025

Hit Or Nis?

GVZH Advocates

GVZH Advocates is a modern, sophisticated legal practice composed of top-tier professionals and rooted in decades of experience in the Maltese legal landscape. Built on the values of acumen, integrity and clarity, the firm is dedicated to providing the highest levels of customer satisfaction, making sure that legal solutions are soundly structured, rigorously tested, and meticulously implemented.

Against a backdrop of ransomware-dominated cybersecurity threats, supply chain disruption, and data breaches in critical infrastructure, the European Union has made one thing clear: cybersecurity is no longer optional. Directive (EU) 2022/2555[1] (the “NIS2 Directive”) establishes new norms for digital resilience in both the public and private sectors, going beyond its predecessor in both scope and strategic vision.

On 8 April 2025, Malta transposed NIS2 into local law through Legal Notice 71 of 2025, the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 (the “NIS2 MT Order”). While on paper this legislation appears very comprehensive, it raises the question of whether Malta is indeed ready to put this new paradigm into practice. Will the Maltese transposition of NIS2 be a “hit” that strengthens Malta's cybersecurity culture, or a “miss” that amounts to a compliance box-ticking exercise?

NIS2 – The directive that changed the cybersecurity game

The original Directive (EU) 2016/1148 (the “Original Directive”) – now repealed by the NIS2 Directive – was innovative but often criticised for its lack of consistency. Member States implemented it unevenly, with limited sectoral application and weak enforcement. The NIS2 Directive seeks to address these shortcomings by extending its scope, harmonising obligations across Member States and making accountability a central pillar.

The NIS2 Directive significantly broadens the scope of the Original Directive, covering a wider range of sectors and imposing stricter cybersecurity requirements, with a particular focus on supply chain security and third-party risk. It also introduces obligations around incident response planning, encryption and business continuity. Entities in scope must also report significant cyber incidents, with an initial alert within 24 hours and a detailed report within 72 hours.

The NIS2 Directive enables enforcement in each Member State through heavy fines that can amount to ten million Euro (€10,000,000) or 2% of global annual turnover for critical organisations. Combined with closer cooperation among EU Member States through national Computer Security Incident Response Teams (CSIRTs)[2], the European Union Agency for Cybersecurity (ENISA)[3] and the Network and Information Systems Cooperation Group (NIS Cooperation Group)[4], the NIS2 Directive lays the groundwork for a more united, stronger digital Europe.

From directive to domestic law

Malta implemented the NIS2 Directive through Legal Notice 71 of 2025, enacting the NIS2 MT Order. Structurally, the NIS2 MT Order makes a commendable effort to follow the EU blueprint, adopting its risk-based distinction between essential and important entities and establishing a multi-layered governance framework in pursuit of national resilience.

Going beyond the requirements of the NIS2 Directive, the Order requires essential and important entities to appoint a Security Liaison Officer. This person is responsible for internal coordination on cybersecurity, including risk assessments and business continuity plans, and acts as the point of contact with the national authority. The Order also sets out an express requirement for system logging and traceability.

Malta has also established a multi-body regulatory regime, designating the Critical Infrastructure Protection (CIP) Department[5] as the primary authority, supported by a new Advisory Board, the Malta Communications Authority (MCA)[6] for digital infrastructure and an enhanced national CSIRT. This multi-layered framework, complemented by a National Cybersecurity Strategy and a self-registration regime, suggests an aspiration to shift from formal compliance to systemic preparedness.

Even though enforcement has yet to commence, pending an official date of implementation, the legal framework reflects a considered and well-structured response to the EU's call for cybersecurity reform.

Where the uncertainty lies – legal and operational gaps

While the NIS2 MT Order is formally aligned with the NIS2 Directive, considerable uncertainty remains that may undermine its effectiveness. At the top of the list is the absence of a definite enforcement date. Although the Order has been published as a Legal Notice, it has not yet been brought into force. The Government has been considering whether to implement the Order in full or in phases, but has yet to issue a formal strategy and timetable.

The second significant challenge is overlap with existing regulatory frameworks, most acutely in the most heavily regulated sectors such as financial services and digital infrastructure. Firms that fall under both the NIS2 Directive and other regimes — such as the Digital Operational Resilience Act (DORA)[7], the European Electronic Communications Code (EECC)[8], the General Data Protection Regulation (GDPR)[9] or the Payment Services Directive (PSD2)[10] — risk facing conflicting or duplicative requirements. In the absence of proper cross-regulatory guidance, these companies may devote undue resources to parallel compliance streams or, worse, fail to understand where the requirements diverge.

There is also concern about capacity and readiness at both the enterprise and the institutional level. While the Order projects a robust supervisory system on paper, it remains to be seen whether the CIP Department and the other competent authorities have the technical capabilities, personnel and enforcement tools to supervise industries as diverse as gaming, health, logistics and telecoms.

Real impacts – sector spotlights & compliance pressure points

As Malta moves forward with implementing the NIS2 Directive, the compliance burden will vary across sectors. Each faces distinct threats, operational challenges and regulatory contexts that will shape adoption and enforcement. While some are supported by mature governance frameworks, others may struggle with limited resources and guidance.

The iGaming sector, traditionally known for its robust licensing environment and digital focus, is likely to be significantly affected. Most gaming operators already exceed the thresholds for significant entities under the NIS2 Directive and already handle sensitive data, cross-border infrastructure and third-party platforms. Integrating NIS2 requirements into the procedures already established by the Malta Gaming Authority (MGA)[11] and into international compliance standards – for instance those of the UK Gambling Commission (UKGC)[12] – adds operational complexity. Under the NIS2 Directive, cyber incidents must be reported not only to gaming regulators but, most likely, also to the CIP Department and the CSIRT within strict timeframes.

The financial industry sits at the intersection of several European regulations — including DORA, PSD2 and GDPR. The NIS2 Directive adds a further layer of obligations around supply chain security, incident reporting and governance. Banks, Payment Service Providers (PSPs)[13] and virtual asset service providers (VASPs)[14] will be compelled to revisit their current risk management frameworks and seek coherence across compliance regimes. Personal management liability under the NIS2 Directive may also prompt board-level reconsideration of cyber risk exposure.

Public Services: Low Capacity, High Risk

Public administration bodies are at the centre of national resilience. Those organisations, now classified as “essential”, will have to implement advanced security capabilities such as access controls, backup continuity and encryption.

Final verdict: Hit, miss, or work in progress?

Malta's implementation of the NIS2 Directive is an important step toward placing cybersecurity at the centre of national government and private-sector accountability. The legislative framework set by the NIS2 MT Order is well-organised, closely aligned with the NIS2 Directive and comprehensive in scope. It reflects a declared aim to protect digital infrastructure, key services and the wider economy from rising cyber threats. In this sense, the foundations are solidly in place.

However, regulation is only as effective as its implementation. Without a firm enforcement date, published sector-specific guidance and demonstrated supervisory capacity, there is a risk that Malta will wait far too long for the cultural and operational change that the NIS2 Directive was intended to bring. Moreover, sectors such as iGaming, health and financial services face the added task of incorporating NIS2 obligations into existing compliance frameworks, an endeavour that will require not just legal harmonisation but pragmatic support and cross-regulatory coherence.

Overall, the implementation of the NIS2 Directive in Malta appears to be still a work in progress, one with genuine potential to become a cybersecurity success story, provided that legal transposition is preceded by institutional readiness, sectoral engagement and regulatory certainty.

Footnotes

1. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive) [2022] OJ L333/80.

2. The department responsible for strengthening and ensuring the function and resilience of Malta's Critical Entities and Essential Services.

3. The European Union's agency dedicated to achieving a high common level of cybersecurity across Europe.

4. Established by the NIS2 Directive to ensure cooperation and information exchange among Member States.

5. Acts according to the objectives defined by L.N. 434 of 2011, the Critical Infrastructures and European Critical Infrastructures (Identification, Designation and Protection) Order, as well as the objectives defined by L.N. 216 of 2018, the Measures for High Common Level of Security of Network and Information Systems Order, 2018.

6. The Regulator for promoting and safeguarding a communications environment that is conducive to investment, innovation, economic growth and social well-being.

7. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Digital Operational Resilience Act) [2022] OJ L333/1.

8. Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code [2018] OJ L321/36.

9. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L119/1.

10. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (PSD2) [2015] OJ L337/35.

11. The Authority responsible for regulating the various sectors of the gaming industry that fall under Maltese jurisdiction by ensuring that gaming is fair and transparent, preventing crime, and protecting minors and vulnerable players.

12. The Commission responsible for licensing, regulating, advising and providing guidance to the individuals and businesses that offer gambling in Great Britain, including the National Lottery in the UK.

13. A company that allows businesses to accept electronic payments, such as credit cards, debit cards and other digital payment methods.

14. Businesses that offer services related to virtual assets, such as cryptocurrencies, under specific regulations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.