NIS2 in Malta: Strengthening Cybersecurity for Maltese Entities

  • Writer: Efrem Borg
  • Mar 20
  • 5 min read

Updated: May 15

The ever-evolving cyber threat landscape has prompted the European Union to introduce NIS2, a significant update to the original Network and Information Systems (NIS) Directive, both in the range of entities that fall within scope and in the obligations placed on them. The new directive aims to raise cybersecurity resilience across essential and important sectors throughout the EU, including Malta. Following a consultation exercise held by the Critical Information Protection Directorate (CIPD) in the last quarter of 2024, the transposition of NIS2 into Maltese law is set for early 2025. It is therefore imperative that Maltese organisations understand the implications of the Directive and use the remaining time to prepare.


What is NIS2?


NIS2 replaces the original NIS Directive to address inconsistencies in enforcement and adapt to the growing sophistication of cyber threats. It broadens the scope of regulatory obligations, imposes stricter security requirements, and enhances governance and enforcement mechanisms. Key objectives of NIS2 include:


  • Strengthening cybersecurity for critical sectors, including energy, healthcare, transport, and financial services.

  • Expanding the scope to include a wider range of entities, categorised as Essential Entities and Important Entities.

  • Introducing stricter reporting obligations, with staged deadlines for notifying significant incidents and a voluntary channel for reporting near misses and cyber threats.

  • Establishing a European vulnerability database to enhance transparency and preparedness.

  • Requiring national large-scale cybersecurity incident and crisis response plans.

  • Implementing peer reviews across EU Member States to ensure consistency and effectiveness.



Who is Affected in Malta?


NIS2 applies to a broad range of organisations operating in Sectors of High Criticality and Other Sectors, as well as specific entities regardless of their size.


Entities operating in Sectors of High Criticality, such as energy, transport, banking, financial market infrastructures, healthcare, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, and space, must comply with NIS2. Additionally, Other Sectors, including postal and courier services, waste management, manufacture and distribution of chemicals (pharmaceutical companies included), food production and processing, manufacturing, digital providers, and research, are also covered under the directive.


Beyond sector-based classification, NIS2 applies to medium-sized (or larger) private entities operating in these sectors, that is, companies with 50 or more employees, or whose annual turnover or annual balance sheet total exceeds 10 million euros. Moreover, the directive applies to certain organisations regardless of size, including public administration entities, providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain name registries, and DNS service providers. It also extends to sole providers of an essential service in Malta, entities whose disruption could significantly impact public safety, security, or health, and those that pose systemic risks or are considered nationally critical.



Key Differences Between NIS and NIS2


NIS2 introduces several key improvements over its predecessor:

  • Expanded Scope: While NIS applied mainly to Operators of Essential Services (OES) and Digital Service Providers (DSPs), NIS2 broadens its applicability to a wider range of sectors, categorising entities as Essential Entities and Important Entities.

  • Stricter Security Requirements: NIS2 mandates stricter cybersecurity risk management measures, including supply chain security, vulnerability disclosure, and business continuity planning.

  • More Comprehensive Reporting Obligations: Organisations must submit an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, a fuller incident notification (including an initial assessment of severity and impact) within 72 hours, and a final report within one month. Near misses and cyber threats may additionally be reported on a voluntary basis.

  • Enhanced Supervision and Enforcement: NIS2 introduces stricter penalties for non-compliance. Essential entities face fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher), and important entities up to €7 million or 1.4%, compared to the original NIS penalties, which varied across Member States.

  • Introduction of Peer Reviews: EU Member States will conduct peer reviews to assess the effectiveness of national cybersecurity measures, improving collaboration and standardisation.

  • Creation of a European Vulnerability Database: ENISA will establish and maintain an EU-level database in which publicly disclosed vulnerabilities in ICT products and services are recorded and shared, so that affected entities can respond to and mitigate them faster.


Key Cybersecurity Requirements


Under NIS2, Essential and Important Entities must implement robust cybersecurity risk management measures, such as:


  • Adopting appropriate technical, operational, and organisational measures to mitigate cyber risks.

  • Appointing a Security Liaison Officer to oversee compliance and risk management.

  • Establishing or subscribing to CSIRT (Computer Security Incident Response Team) monitoring services.

  • Implementing best practices in business continuity, risk management, third-party (supply chain) risk management, secure communications, multi-factor authentication, and system logging.

  • Ensuring mandatory cybersecurity training for management and employees.


The directive also encourages the use of European cybersecurity certification schemes and alignment to security standards such as ISO 27001 and ISO 22301.


Governance, Supervision, and Fines


NIS2 introduces enhanced enforcement mechanisms, including:

  • Binding instructions from regulatory authorities.

  • Regular audits and compliance assessments.

  • Significant fines for non-compliance: up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% for important entities, with the amount imposed depending on the severity of the breach.


How Can Affected Organisations in Malta Prepare?


To ensure compliance with NIS2, organisations should:

  1. Conduct a comprehensive cybersecurity risk assessment.

  2. Identify whether they fall under Essential or Important Entities.

  3. Implement robust cybersecurity policies and procedures.

  4. Establish a dedicated Security Liaison Officer.

  5. Establish, or subscribe to, CSIRT and security monitoring capability so that incidents are detected and reported within the required timelines.

  6. Ensure regular training and awareness among employees.

  7. Engage with external cybersecurity advisory services for guidance and support.



How We Can Help


At Undisrupted, we offer Fractional CISO services, providing expert cybersecurity leadership to help organisations comply with NIS2 efficiently and cost-effectively. Our service catalogue includes, but is not limited to:


  • Governance, Risk, and Compliance support

  • Risk Management and Business Continuity planning

  • Adoption of InfoSec tooling and security monitoring

  • Incident response and regulatory reporting

  • Training and awareness programmes


Conclusion and Next Steps


NIS2 compliance is not just a regulatory obligation but an essential step in strengthening Malta’s cybersecurity resilience. By preparing proactively, organisations can safeguard their operations, protect sensitive data, and secure their digital future, focusing on their core operations with peace of mind, unDisrupted.


We anticipate that the draft legislation will be formalised through a legal notice following approval by the Maltese Parliament. Additionally, an information campaign and further technical guidelines are expected to be issued by the Critical Information Protection Directorate (CIPD) to provide organisations with the necessary direction for compliance.


Now is the time for organisations to assess their readiness and take the necessary steps to align with the evolving regulatory framework.



Join the Conversation

We’d love to hear your thoughts! How is your organisation aligning with NIS2? Share your insights and experiences in the comments below.


For more insights on cybersecurity and digital resilience, visit our blog at Undisrupted.net or connect with us on LinkedIn.


unDisrupted provides a wide variety of tailored Information Security Professional Services intended to improve an organisation's cyber security posture. Reach out on hello@undisrupted.net or +356 79464820 for further information.


Learn about our professional services on https://www.undisrupted.net/professional-services 