
Malta’s NIS2 Competent Authority: CIPD, MCA, and What Malta’s iGaming Sector Must Know

Three Bodies, One Framework: How Malta Divided NIS2 Oversight

Malta’s NIS2 implementation, which came fully into force on 23 January 2026 under Legal Notice 22 of 2026 [9], distributed regulatory responsibility across three distinct institutions. Most EU member states assigned all NIS2 functions to a single body; Malta created a layered model where the national supervisory authority, a sector-specific competent authority, and the national CSIRT each sit in a different organisation. A subsequent amendment—Legal Notice 89 of 2026—moved the CSIRT to a fourth body entirely.

Understanding the division matters practically: registering with the wrong authority, reporting incidents to the wrong endpoint, or seeking audit guidance from the wrong office are real compliance risks. The table below maps the three bodies and their functions as they stand today.

Function | Responsible body
National supervisory authority (NCA) + Single Point of Contact (SPOC) | Critical Infrastructure Protection Department (CIPD)
Most NIS2 sectors: energy, transport, banking, health, water, public administration, manufacturing, space | CIPD
Digital infrastructure: IXPs, DNS service providers, TLD registries, cloud computing providers, telecoms | Malta Communications Authority (MCA)
Postal and courier services | MCA
National incident response + vulnerability disclosure coordination | CSIRT-Malta at MITA (from L.N. 89/2026)
Administrative penalty decisions | Enforcement Committee (from L.N. 89/2026)

CIPD: Malta’s National Supervisory Authority and SPOC

The Critical Infrastructure Protection Department is the central NIS2 institution for Malta. Subsidiary Legislation 460.41 (the “Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025,” published as Legal Notice 71 of 2025) designated CIPD as both the national supervisory authority and the Single Point of Contact. That dual designation satisfies Article 8 of the directive, which requires member states to designate at least one competent authority and establish a dedicated SPOC to coordinate cross-border cooperation with other member states, the European Commission, and ENISA [1].

In practice, CIPD’s role breaks into four functions: it maintains the national self-registration mechanism that in-scope entities must use; it monitors compliance across the sectors it supervises; it can request evidence of compliance and order entities to undergo CSIRT monitoring; and, following L.N. 89/2026, it refers penalty decisions to the newly created Enforcement Committee, which has direct administrative penalty authority without requiring civil court proceedings [6].


CIPD covers the bulk of NIS2 sectors—energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, ICT service management (B2B), public administration, space, waste management, chemicals, food production, and manufacturing [5]. If your organisation operates in any of these sectors and meets the size thresholds, CIPD is your competent authority.

MCA: Sector-Specific Authority for Digital Infrastructure

The Malta Communications Authority holds competent authority status for a defined subset of sectors. Its original mandate under L.N. 71/2025 covered digital infrastructure—specifically, public electronic communications networks and services—plus postal and courier services [10].

Legal Notice 89 of 2026 expanded that mandate substantially. MCA’s digital infrastructure scope now expressly includes internet exchange points, DNS service providers, top-level domain name registries, and cloud computing providers [6]. This expansion mirrors the broad definition of digital infrastructure in Annex I of the directive and closes the gap that existed in the original subsidiary legislation.

If your organisation provides any of these services—DNS resolution, cloud hosting, TLD registry management, or operates as an internet exchange—MCA is your competent authority for NIS2 compliance matters, not CIPD. You still register through the central CIPD portal, but correspondence on audit findings, sector-specific technical requirements, and supervisory guidance goes through MCA.

This distinction matters particularly for digital infrastructure operators that both hold MCA telecom licences and fall within NIS2 scope: the MCA’s dual role as sector regulator and NIS2 competent authority means a single regulator will oversee both frameworks, reducing the risk of conflicting instructions.

CSIRT-Malta: The Move from CIPD to MITA

Under the original L.N. 71/2025 framework, Malta’s national Computer Security Incident Response Team sat within the CIPD alongside the Critical Infrastructure Protection Advisory Board. The two bodies together constituted CSIRT-Malta and were responsible for monitoring cyber threats, providing early warnings, facilitating coordinated vulnerability disclosure (CVD), and receiving incident notifications from in-scope entities [4].

Legal Notice 89 of 2026 restructured this arrangement. The CSIRT moved to the Malta Information Technology Agency (MITA), creating functional separation between compliance supervision (CIPD and MCA) and incident response and vulnerability coordination (MITA) [6]. The Enforcement Committee—also created by L.N. 89/2026—simultaneously replaced the Advisory Board as the body empowered to issue penalty decisions directly.

For in-scope entities, the operational consequence is straightforward: all significant incident notifications under the 24-hour, 72-hour, and 30-day reporting framework go to CSIRT-Malta at MITA, not to CIPD or MCA. Article 10 of the directive requires that member states’ CSIRTs have adequate resources, operate 24/7, and participate in the EU CSIRTs network [2]. Malta’s CSIRT additionally serves as the designated coordinator for the Coordinated Vulnerability Disclosure process under Article 13 of the directive, protecting good-faith reporters from criminal liability under Article 337C of the Criminal Code [8].

Scope: Does NIS2 Apply to Your Malta Organisation?

NIS2 applies to organisations that operate in one of the 18 covered sectors and meet a minimum size threshold. The size threshold is the medium-enterprise ceiling under Recommendation 2003/361/EC: 50 or more employees or €10 million or more in annual turnover. Below both thresholds, the directive generally does not apply—though Malta retains the right to designate smaller entities if their services are sufficiently critical [3].

Within scope, entities fall into one of two tiers defined by Article 3 of the directive [3]:

Essential entities are Annex I sector organisations above 250 employees and €50 million annual turnover, plus certain categories that are essential regardless of size: qualified trust service providers, top-level domain name registries, DNS service providers, and entities identified as critical under the CER Directive (EU 2022/2557). Essential entities face proactive, ex-ante supervision from CIPD or MCA.

Important entities are all other in-scope Annex I or Annex II organisations that do not meet the essential threshold—typically 50–249 employees or €10M–€50M turnover. Important entities receive reactive, ex-post supervision and are typically audited on a complaint-triggered or incident-triggered basis.

Use this decision tree to establish your starting position:

Question | If Yes | If No
Does your organisation operate in an Annex I or Annex II sector? | Continue | Likely out of scope—stop
Do you have 50+ employees OR €10M+ annual turnover? | In scope—continue | Likely out of scope (unless Malta designates you)
Do you have 250+ employees AND €50M+ turnover, or hold a qualified trust service provider / DNS / TLD status? | Essential entity — CIPD proactive supervision | Important entity — reactive supervision
Do you provide digital infrastructure (DNS, cloud, IXP, TLD, telecom)? | MCA is your competent authority | CIPD is your competent authority

For a detailed breakdown of entity classification, see the guide on essential vs important entities under NIS2 and the full NIS2 scope analysis.

Malta’s iGaming Sector and NIS2—Europe’s Densest Compliance Concentration

Malta hosts the most concentrated cluster of licensed online gaming operators in the European Union. The Malta Gaming Authority (MGA) issues B2B (“Critical Gaming Supply”) and B2C (“Gaming Service”) licences to hundreds of operators and technology suppliers who collectively generate a disproportionate share of Malta’s GDP. The MGA reported 14,797 people employed in Malta with MGA-licensed operators as of mid-2025. Mainland European member states with far larger populations have nothing comparable in scale or concentration.

NIS2 does not list gambling as a named sector in Annex I or Annex II. MGA licensees qualify under the directive through two pathways instead, as confirmed by DLA Piper’s 2025 analysis of NIS2 and the gaming sector [7]:

Digital service providers (Annex II): Online gaming platforms that provide services comparable to online marketplaces or social networking functions in terms of the scale of digital infrastructure they operate and the volume of personal and transactional data they process. B2C gaming operators running platforms at this scale—particularly those above 50 employees or €10M turnover—almost certainly meet the Annex II digital service provider definition.

Managed service providers: B2B gaming technology suppliers—platform providers, cloud infrastructure vendors, data centre operators, and cybersecurity solution providers servicing the gaming sector—may qualify as managed service providers under Annex II, bringing them into scope independently of the B2C pathway.

The size threshold is the decisive filter in practice. Large MGA-licensed operators with 250+ employees or €50M+ revenue may qualify as essential entities; most mid-tier operators will be important entities. Either way, the compliance authority is CIPD—not the MGA. The two regulatory frameworks run as parallel tracks: the MGA governs your gaming licence, and CIPD governs your NIS2 cybersecurity obligations. Satisfying MGA’s existing information security requirements does not discharge NIS2 obligations, though operators should map their existing MGA security controls against the Article 21 risk management requirements before building parallel programmes. The MGA recorded 123 information security incident reports in 2024 alone, which suggests the sector’s incident reporting infrastructure is already partially developed—NIS2’s 24-hour initial notification timeline imposes a materially tighter standard than most existing MGA compliance cycles.

Malta’s government transposition documents explicitly name iGaming and digital services as critical local industries that the NIS2 framework must serve [10]. That acknowledgement signals that CIPD will not treat gaming operators as fringe cases; they are among the primary audiences for the national supervisory regime.

Penalties and the Enforcement Committee

Legal Notice 89 of 2026 replaced the original Critical Infrastructure Protection Advisory Board with a dedicated Enforcement Committee empowered to issue administrative penalty decisions directly. This removes the previous requirement to route penalty decisions through civil court proceedings and accelerates enforcement timelines [6].

Entity type | Maximum administrative fine
Essential entities | €10,000,000 or 2% of total worldwide annual turnover (whichever is higher)
Important entities | €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher)
Public bodies | No fines—corrective orders only
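To make the scope decision tree above and the penalty ceilings in this table concrete, here is an added Python example (not code from the page or from any Maltese authority) that encodes both: it walks an entity through the four questions, picks CIPD or MCA, and computes the "whichever is higher" fine cap. The sector labels and the entity records are constructed shorthand for the sectors the page lists.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sector labels standing in for the sectors named on the page.
MCA_SECTORS = {"telecom", "ixp", "dns", "tld", "cloud", "postal"}   # MCA after L.N. 89/2026
CIPD_SECTORS = {"energy", "transport", "banking", "fmi", "health", "water",
                "wastewater", "ict_b2b", "public_admin", "space", "waste",
                "chemicals", "food", "manufacturing",
                "digital_provider", "managed_service"}   # last two: Annex II iGaming pathways
ANNEX_SECTORS = MCA_SECTORS | CIPD_SECTORS
# Essential regardless of size: qualified trust services, TLD registries, DNS, CER-critical.
ESSENTIAL_REGARDLESS_OF_SIZE = {"qualified_trust", "tld", "dns", "cer_critical"}

@dataclass
class Entity:
    name: str
    sector: str
    employees: int
    turnover_eur: int                          # integer euros, avoids float rounding
    special_status: frozenset = frozenset()    # e.g. frozenset({"qualified_trust"})
    public_body: bool = False

@dataclass
class Outcome:
    tier: str                  # "out_of_scope" | "essential" | "important"
    authority: Optional[str]   # "CIPD" | "MCA" | None
    max_fine_eur: int          # 0 when no fine applies

def classify(e: Entity) -> Outcome:
    # Step 1: must operate in an Annex I/II sector.
    if e.sector not in ANNEX_SECTORS:
        return Outcome("out_of_scope", None, 0)
    # Step 2: medium-enterprise threshold, 50+ staff OR €10M+ turnover.
    if not (e.employees >= 50 or e.turnover_eur >= 10_000_000):
        return Outcome("out_of_scope", None, 0)
    # Step 3: essential if large (250+ AND €50M+) or in a size-independent category.
    large = e.employees >= 250 and e.turnover_eur >= 50_000_000
    categories = set(e.special_status) | {e.sector}
    tier = "essential" if large or categories & ESSENTIAL_REGARDLESS_OF_SIZE else "important"
    # Step 4: digital infrastructure and postal go to MCA, everything else to CIPD.
    authority = "MCA" if e.sector in MCA_SECTORS else "CIPD"
    # Penalty ceiling: the higher of the fixed amount and the turnover share; none for public bodies.
    if e.public_body:
        cap = 0
    elif tier == "essential":
        cap = max(10_000_000, e.turnover_eur * 2 // 100)      # €10M or 2%
    else:
        cap = max(7_000_000, e.turnover_eur * 14 // 1000)     # €7M or 1.4%
    return Outcome(tier, authority, cap)
```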

Article 20 of the directive establishes a separate enforcement vector: management bodies can be held personally liable for approving and overseeing cybersecurity risk management measures [4]. A finding that your organisation’s board never formally approved its Article 21 security programme is independently enforceable—it is not subsumed into a technical controls finding. The Enforcement Committee can act on an Article 20 governance failure even if the underlying technical controls are otherwise sound.

Malta’s first formal NIS2 audits are scheduled to begin in H2 2027, giving in-scope entities a compliance runway. However, the Enforcement Committee retains authority to act before that date where a significant incident, whistle-blower complaint, or cross-border concern triggers a review.

For comparison with how other small EU member states have structured NIS2 penalty enforcement, see the guides on Cyprus’s NIS2 competent authority and Estonia’s integrated single-body model.

Incident Reporting Timelines

All significant incident notifications go to CSIRT-Malta at MITA. An incident is significant when it causes or could cause severe operational disruption, financial loss to the organisation, or considerable material or non-material damage to other persons.

Stage | Deadline | Content required
Early warning | Within 24 hours of becoming aware | Initial notification that an incident occurred; suspected cause; known impact
Detailed notification | Within 72 hours | Impact assessment; attack vector or root cause (if known); mitigating actions taken
Final report | Within 30 days | Root-cause analysis; full impact description; remediation steps; cross-border relevance

The 24-hour window is the one that most organisations find operationally challenging. It requires that incident detection, initial triage, and the decision to notify CSIRT-Malta all occur within 24 clock hours of becoming aware, regardless of when the incident is discovered. For a detailed breakdown of what each stage must contain, see the guide on Article 23 incident notification obligations.

Malta NIS2 Compliance Checklist

Step | Action | Status / deadline
1 | Determine essential or important entity status using Annex I/II sector check and size thresholds | Immediately if not yet done
2 | Identify your competent authority: CIPD (most sectors) or MCA (digital infra, telecom, postal) | At classification step
3 | Register via the CIPD self-registration portal at maltacip.gov.mt | Existing entities: September 2025 deadline; new entrants: within 3 months of qualifying
4 | Implement Article 21 cybersecurity risk management measures (policies, access controls, supply chain, incident response, encryption, MFA) | Ongoing—first formal audits H2 2027
5 | Designate a cybersecurity liaison contact for CSIRT-Malta at MITA; update registration with contact details | Before any reportable incident
6 | Implement 24h/72h/30-day incident notification workflows and document the chain of command for notification decisions | Before any reportable incident
7 | Obtain management body formal approval of cybersecurity risk programme (Article 20 obligation) | Board resolution—document and retain for audit
8 | Assess whether to formalise a Coordinated Vulnerability Disclosure policy under Article 13 | Best practice before first external disclosure

Frequently Asked Questions

Is the MCA the primary NIS2 authority in Malta?

No. The Critical Infrastructure Protection Department (CIPD) is Malta’s national supervisory authority and Single Point of Contact. The MCA is a sector-specific competent authority for digital infrastructure and postal services only. If your organisation is not in one of those sectors, your NIS2 compliance authority is the CIPD.

Where does CSIRT-Malta sit after the 2026 amendments?

Following Legal Notice 89 of 2026, CSIRT-Malta moved from the CIPD to the Malta Information Technology Agency (MITA). All incident notifications under the 24-hour, 72-hour, and 30-day reporting framework are directed to CSIRT-Malta at MITA.

My organisation holds an MGA iGaming licence. Does NIS2 apply?

Possibly. If your operation has 50 or more employees or generates €10 million or more in annual revenue, and your services qualify as digital service provision under Annex II (online platforms, managed IT services, data centres), you are likely in scope as an important entity. Your NIS2 compliance authority is the CIPD, not the MGA. The two regulatory frameworks operate independently, and MGA compliance does not satisfy NIS2 obligations.

When does Malta begin formal NIS2 enforcement?

The legal framework came fully into force on 23 January 2026. Malta’s first formal audits are expected to begin in H2 2027. However, the Enforcement Committee created by L.N. 89/2026 can act before scheduled audits where a significant incident or complaint triggers a review.

What changed with Legal Notice 89 of 2026?

Three structural changes: (1) CSIRT-Malta moved from the CIPD to MITA; (2) the Enforcement Committee replaced the Advisory Board, with direct administrative penalty authority; (3) MCA’s digital infrastructure mandate expanded to expressly cover IXPs, DNS service providers, TLD registries, and cloud computing providers. A National Cyber Security Steering Committee was also established under a new Article 15A.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. NIS2 Directive — Article 8: Competent Authorities and Single Points of Contact
  2. NIS2 Directive — Article 10: Computer Security Incident Response Teams (CSIRTs)
  3. NIS2 Directive — Article 3: Essential and Important Entities
  4. NIS2 Directive Malta: Legal Notice 71 of 2025 Explained — GVZH Advocates
  5. Malta’s Transposition of the NIS 2 Directive: S.L. 460.41 — Mamo TCV
  6. Malta NIS2 Legal Framework Update — L.N. 89 of 2026 — GTG Legal
  7. NIS 2 and Gambling — A Strategic Imperative for Gaming Operators and their Suppliers — DLA Piper
  8. NIS2 Directive Regulations and Implementation in Malta — Copla
  9. NIS2 Transposition Officially in Full Force — Fenech Law
  10. Understanding Changes in the NIS 2 Directive and Its Transposition into Maltese Law — Mondaq / GVZH