Malta’s NIS2 rules were first put in place through Legal Notice 71 of 2025 (Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025).
In 2026, Malta issued Legal Notice 89 of 2026 (Measures for a High Common Level of Cybersecurity across the European Union (Malta) (Amendment) Order, 2026), which makes several important structural and operational changes.
NIS2 is now more clearly structured, more enforceable, and more operational with tighter incident reporting mechanics, a revamped enforcement model, and clearer role separation between the supervisory authority and the incident response function.
Below is an explanation of what changed and what it means in practice.
1. Enforcement becomes formal: an Enforcement Committee can impose penalties
Under NIS2 Malta LN 71 of 2025, enforcement was supported by an Advisory Board which issued recommendations to the CIP Department in relation to administrative penalties, with penalties pursued through court-based processes.
LN 89 of 2026 replaces this with a new Enforcement Committee structure:
- A dedicated Enforcement Committee is established and tasked with issuing decisions on administrative penalties.
- The Enforcement Committee is expressly given the power to impose administrative fines for non‑compliance.
- The Enforcement Committee acts on cases reported by the CIP Department or another competent authority.
Why this matters: enforcement under NIS2 is now more clearly structured around an administrative penalty process with a dedicated decision‑making body, rather than relying on the earlier advisory-and-court pathway.
2. Key correction: Malta Information Technology Agency (MITA) is now the national CSIRT
LN 89 of 2026 amends the “National CSIRT” provision so that under the amended framework, MITA is the appointed national CSIRT (i.e., the national incident response team), while the CIP Department remains the national supervisory authority.
Practical impact: organisations should assume that significant incident notifications and CSIRT operational coordination flow to the national CSIRT at MITA, with the national CSIRT then coordinating onward notifications to the CIP Department and sector competent authorities where applicable.
3. Clearer split of responsibilities: supervisory authority vs incident response
Critical Infrastructure Protection (CIP) Department
In the amended framework, the CIP Department’s supervisory role is expanded and clarified, including responsibilities such as:
- setting criteria for identifying/designating essential and important entities,
- establishing national self‑registration and maintaining a register,
- supervising and enforcing compliance,
- and coordinating vulnerability disclosure.
National CSIRT (now at MITA)
The amended framework now gives the national CSIRT a clearly defined operational role, including monitoring/analysis, alerts, incident response support, and—importantly—being the primary recipient of incident reporting.
Why this matters: governance is more “two‑pillar” now: CIP supervises and enforces; MITA (national CSIRT) handles national incident response operations and reporting intake.
4. Mandatory self‑registration (and tight change notification)
Both the original and amended frameworks require essential/important entities (and certain digital service types) to register via a national self‑registration mechanism.
In LN 89 of 2026, the registration obligations are explicitly stated to include at least:
- entity name,
- details of the CSIRT providing monitoring services,
- address and up‑to‑date contact details (including email, IP ranges and telephone numbers),
- sector/sub‑sector where applicable,
- and Member States where services are provided, where applicable.
Entities must also notify changes without delay and in any event within two (2) weeks.
Why this matters: keeping registration details current is now a core compliance obligation, not an administrative afterthought.
5. Incident reporting is tightened and formally routed to the national CSIRT
The amended framework now makes the routing and timelines of incident reporting very explicit.
Where do notifications go?
Under LN 89 of 2026, essential and important entities must notify the national CSIRT of any incident that has a significant impact.
The national CSIRT must then notify in writing the CIP Department and any other designated competent authority, where relevant.
Key deadlines (aligned to NIS2)
Entities must submit to the national CSIRT:
- within 24 hours: an early warning,
- within 72 hours: an incident notification including an initial assessment,
- within 1 month: a final report including severity/impact, likely root cause, and mitigation measures (and additional progress reporting for ongoing incidents).
Why this matters: reporting is now explicitly a national CSIRT‑led process (now MITA), with the supervisory authority and sector competent authorities brought in via structured onward notification.
6. Coordinated Vulnerability Disclosure (CVD) moves to the CIP Department
In LN 71 of 2025, the CSIRT was designated as the coordinator for coordinated vulnerability disclosure.
In LN 89 of 2026, the CVD article is substituted so that:
- the CIP Department is designated as the coordinator for CVD,
- and the CIP Department must notify the national CSIRT of vulnerabilities reported to it.
Why this matters: vulnerability reporting and coordination is now CIP‑coordinated, even though operational incident response is national CSIRT‑led.
7. Expanded powers to audit, investigate and penalise (including daily penalties)
The amended framework supports stronger supervisory and enforcement mechanisms, including:
- targeted security audits (with costs generally borne by the audited entity),
- administrative fines imposed by the Enforcement Committee,
- and daily penalty payments for continuing breaches (specified as €100 per day per breach).
It also continues to include strong measures impacting management accountability, including the ability (via relevant bodies/courts/tribunals) to temporarily prohibit a responsible natural person from exercising managerial functions in an essential entity.
8. Updated scope: schedules replaced and competent authorities clarified
LN 89 of 2026 replaces the First and Second Schedules, listing sectors/sub‑sectors/types of entities and identifying competent authorities for certain areas. As the Schedules show, most sectors are supervised by the CIP Department, with the MCA specifically designated for certain digital infrastructure, postal/courier services and digital providers.
Why this matters: organisations should re‑check scope classification and sector authority mapping against the updated schedules, because the list and the authority assignment are part of enforceable compliance expectations.
Practical next steps for organisations
Given these changes, organisations that may be essential/important entities should prioritise:
- Confirm scope (sector/type of entity) against the updated schedules.
- Register (or validate registration details) and ensure change notification within two weeks.
- Update incident response playbooks to ensure the reporting workflow and evidence collection can meet the 24h/72h/1‑month timelines, with notifications directed to the national CSIRT (MITA).
- Ensure governance and board awareness of potential managerial accountability and enforcement consequences.
How BDO can help
BDO Malta supports organisations across critical and regulated sectors to translate NIS2 obligations into practical, defensible cybersecurity and governance outcomes.
Drawing on our experience in technology risk, regulatory compliance and digital resilience, we can assist organisations at every stage of the NIS2 journey, including:
- NIS2 scoping and applicability assessments, helping organisations determine whether they qualify as essential or important entities and identifying the relevant competent authority;
- Gap assessments and readiness reviews against LN 71 of 2025 and LN 89 of 2026, aligned to recognised standards such as ISO/IEC 27001 and NIST;
- Design and enhancement of cybersecurity risk‑management frameworks, including policies, incident response plans, business continuity and supply‑chain security measures;
- Incident reporting and response preparedness, ensuring processes, roles and evidence collection support the 24‑hour, 72‑hour and one‑month reporting timelines to the national CSIRT;
- Governance and management body support, including training and awareness to address NIS2 accountability, oversight and personal liability considerations;
- Ongoing compliance and assurance support, including internal audits, independent assessments and regulatory engagement support.
Through our multidisciplinary teams, BDO helps organisations move beyond compliance on paper, supporting them to build practical cyber resilience that stands up to regulatory scrutiny and real‑world incidents.