ARTICLE
22 January 2026

Malta Transposes The Critical Entities Resilience Directive (CER)

GVZH Advocates

Contributor

GVZH Advocates is a modern, sophisticated legal practice composed of top-tier professionals and rooted in decades of experience in the Maltese legal landscape. Built on the values of acumen, integrity and clarity, the firm is dedicated to providing the highest levels of customer satisfaction, making sure that legal solutions are soundly structured, rigorously tested, and meticulously implemented.

On 16 January 2026, Malta transposed the EU Critical Entities Resilience Directive (Directive (EU) 2022/2557) ("CER") into national law through the Resilience of Critical Entities and Infrastructures (Identification, Designation and Protection) Order, 2026 (L.N. 5 of 2026) (the "Order"). Although the Order has been published, it has not yet entered into force, as its provisions will only become enforceable on such date or dates as may be determined by the Minister responsible for the resilience of critical entities and infrastructure.

Sectors in Scope

The Order covers several sectors, including energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and the production, processing, and distribution of food.

Each sector is further divided into sub-sectors, such as electricity undertakings, air carriers, credit institutions, healthcare providers and food businesses.

Competent Authorities

The Critical Infrastructure Protection Department (CIP Department) is designated as Malta's national supervisory authority for the purposes of monitoring compliance with, and enforcing, the Order at national level. Its remit extends to the sectors, sub-sectors and categories of entities set out in the Schedule.

The Malta Communications Authority (MCA) is designated as the competent authority in respect of digital infrastructure entities, as specified in the Schedule.

Identification of Critical Entities

Each competent authority is tasked with identifying the critical entities operating within the sectors and sub-sectors listed in the Schedule that fall within its area of competence.

In carrying out this exercise, competent authorities must rely on the national risk assessments and the national resilience strategy, as further explained below.

In addition, they are required to apply the criteria set out in the Order, including the following:

  • the entity concerned must be providing an essential service
  • the entity must operate critical infrastructure in Malta, and
  • the entity must be capable of causing significant disruption to essential services if an incident occurs.

Once identified, competent authorities must create and maintain a list of critical entities, which must be reviewed and updated at least every four years.

Critical Entities Resilience Committee

The Order establishes a Critical Entities Resilience Committee, composed of senior public officials appointed by the Minister. The Committee's role is to promote the consistent application of the Order, enhance the resilience of critical entities and mitigate unnecessary administrative burden, particularly where critical entities are interconnected, share critical infrastructure, operate on a cross-border basis, or form part of the same group or corporate structure.

Strategy on The Resilience of Critical Entities

The CIP Department is required, together with other sector-competent authorities, to adopt a national strategy aimed at strengthening the resilience of critical entities in Malta.

The strategy must set Malta's key resilience priorities for critical entities, define who is responsible for implementing them, explain how critical entities are identified and supported, and ensure coordination and information-sharing between resilience and cybersecurity authorities.

National Risk Assessments

The CIP Department, in cooperation with the relevant sector-competent authorities, is also responsible for conducting National Risk Assessments based on the EU list of essential services established by the European Commission.

The outcomes of these assessments are then used to support identified critical entities in implementing appropriate and proportionate technical, security and organisational measures, aimed at strengthening their overall resilience.

The Order mandates that risk assessments must cover both natural and man-made risks, including cross-border and cross-sector threats such as accidents, natural disasters, public health emergencies, hybrid threats and terrorism. They must also take account of relevant EU and sector-specific risk assessments, as well as the interdependence between essential sectors, including reliance on entities in other Member States and third countries.

Obligations for critical entities

The Order places clear operational duties on critical entities, including:

  • Conducting risk assessments which take into account all relevant risks that could disrupt the delivery of their essential services. This includes both natural and man-made risks (e.g., accidents, disasters, public health emergencies, hybrid threats and terrorism) and must also consider cross-border/cross-sector dependencies and interdependencies.
  • Implementing resilience measures to prevent incidents, physically protect premises and infrastructure, respond and mitigate impacts, recover and maintain business continuity.
  • Preparing and maintaining a resilience plan, including internal quality control mechanisms to monitor compliance.
  • Appointing a Security Liaison Officer.
  • Notifying competent authorities of incidents that significantly disrupt or have the potential to disrupt essential services. As a general rule, they must submit an initial notification within 24 hours, followed by further reporting (including mitigation measures and a final report identifying the suspected root cause).

Supervision and Enforcement

The Order gives the CIP Department and sector-competent authorities strong supervisory powers, including the right to carry out inspections, to conduct audits and to request documents and proof that resilience measures have been implemented. If breaches are found, entities may be required to remedy their non-compliance within specified deadlines.

Compliance is assessed by competent authorities through reports in which findings are classified into four categories: "fully compliant", "compliant but improvement desired", "not compliant" or "not compliant with serious breaches".

Conclusion

The Order is clearly designed to promote a coordinated and streamlined compliance framework, in particular by requiring cooperation and information-sharing under the supervision of the CIP Department.

It is also important to note that the Order is intended to operate closely alongside the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order (SL460.41) – transposing the NIS 2 Directive in Malta – with the aim of reducing duplicated obligations and avoiding overlapping supervisory requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
