Malta’s NIS2 transposition has been brought into force through L.N. 22 of 2026. The Minister responsible for critical infrastructure protection established the 23rd of January 2026 as the date on which all the provisions of the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 (S.L. 460.41) are implemented.
For entities operating in Malta that fall within the scope of NIS2, new obligations have now come into full effect.
What does this mean for entities?
Entities are now responsible for determining whether they fall under the NIS2 framework as either essential or important entities. They need to notify the Critical Infrastructure Protection Department (CIPD) accordingly and designate an internal or an autonomous Computer Security Incident Response Team (CSIRT). The CSIRT would, inter alia, be responsible for monitoring threats, providing early warnings, responding to incidents, collecting data, analysing incidents and conducting proactive internal network scanning.
To be fully compliant, organisations must prioritise the implementation of cybersecurity risk management measures. This includes ensuring that employees receive adequate training to recognise risks and assess cybersecurity risk management practices. Entities also have a responsibility to evaluate third-party and supply chain risks, particularly when outsourcing ICT services.
Entities should also be ready to undergo security audits and respond to requests for information, data, or documented cybersecurity policies to demonstrate compliance.
In addition, organisations must maintain documented business continuity arrangements and operator security plans. Non-compliance with NIS2 obligations may result in significant administrative penalties.