NIS2 compliance framework Malta — CIPD cybersecurity authority and iGaming sector obligations

NIS2 Malta: NCSA Malta’s Role, iGaming Obligations, and Your Compliance Roadmap

Malta’s NIS2 Legislation: S.L. 460.41 at a Glance

Malta missed the EU’s 17 October 2024 transposition deadline by several months. Legal Notice 71 of 2025, published on 8 April 2025, created Subsidiary Legislation 460.41 — the Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025. Legal Notice 22 of 2026 subsequently confirmed 23 January 2026 as the date all provisions entered force. A further instrument, Legal Notice 89 of 2026, introduced material changes to Malta’s enforcement architecture before the ink on the first framework was dry.

Three instruments now govern NIS2 compliance in Malta. Organisations that read only LN 71/2025 are working from an incomplete picture.

Instrument | Date | Key effect
LN 71/2025 (S.L. 460.41) | 8 April 2025 | Transposes NIS2 Directive into Maltese law; establishes CIPD, MCA roles, penalties, and registration mechanism
LN 22/2026 | January 2026 | Confirms 23 January 2026 as commencement date for all provisions
LN 89/2026 | 2026 | Relocates national CSIRT from CIPD to MITA; replaces Advisory Board with Enforcement Committee; expands MCA competence to cloud, DNS, CDN providers

For a broader introduction to the EU-wide directive and its legal basis, see our guide to What Is the NIS2 Directive.


Who Regulates NIS2 in Malta? The CIPD, MCA, and CSIRTMalta

The term “NCSA Malta” — Malta’s notional national cybersecurity supervisory authority — appears frequently in compliance commentary, but it is not an official designation under S.L. 460.41. In practice, NIS2 supervisory functions are split across three bodies, with two sector-specific regulators playing parallel enforcement roles.

[Figure: Malta NIS2 supervisory ecosystem table comparing CIPD, MCA, CSIRTMalta, and sector-specific authority roles. Caption: CSIRTMalta (now under MITA after LN 89/2026) is the sole destination for all three-phase incident reporting flows.]

Critical Infrastructure Protection Department (CIPD)

The CIPD, operating within the portfolio of the Ministry for Home Affairs, National Security and Employment, is Malta’s designated single point of contact and primary national supervisory authority under S.L. 460.41. It manages the national self-registration mechanism, conducts on-site inspections and audits, issues binding instructions, requests security scans, and can assign mandatory CSIRT monitoring to non-compliant entities. When enforcement proceedings reach the penalty stage, the CIPD (under LN 71/2025) referred matters to the Civil Court. Under LN 89/2026, that function shifted to the new Enforcement Committee, which issues administrative penalty decisions directly. Appeals proceed to the Administrative Review Tribunal, then to the Court of Appeal on points of law only.

One clarification matters here: the Malta Digital Innovation Authority (MDIA) oversees AI, blockchain, and DLT certification. It plays no role in NIS2 enforcement. The two bodies are frequently conflated in search results; they are legally and operationally separate.

Malta Communications Authority (MCA)

The MCA is the designated competent authority for digital infrastructure and postal and courier services. Following LN 89/2026, the MCA’s competence was explicitly expanded to cover cloud computing service providers, DNS service providers, data centre operators, and content delivery network providers. Entities in these sub-sectors register with and report to the MCA, not the CIPD.

CSIRTMalta

The national CSIRT was initially housed within the CIPD under LN 71/2025. LN 89/2026 relocated it to the Malta Information Technology Agency (MITA). Incident notifications, cooperation duties, and threat intelligence flows are now routed through the MITA-hosted CSIRTMalta. The contact address remains csirtmalta@gov.mt. Organisations that configured their incident reporting workflows before this change should update their procedures accordingly.

Sector-specific authorities

Two sector regulators hold parallel cybersecurity enforcement powers under Malta’s framework:

  • Malta Gaming Authority (MGA): holds cybersecurity licensing and enforcement powers for iGaming operators, operating alongside CIPD NIS2 supervision.
  • Malta Financial Services Authority (MFSA): is Malta’s designated competent authority for DORA (the Digital Operational Resilience Act), which applies in parallel to NIS2 for financial entities.

Does NIS2 Apply to Your Organisation in Malta?

Two criteria determine scope: sector classification and organisational size. The CIPD retains discretion to designate additional entities as essential or important based on national security or economic significance, regardless of size thresholds. For the standard analysis, the starting point is the table below.

[Figure: Malta NIS2 applicability flowchart showing three size-based paths to Essential Entity, Important Entity, or Exempt status. Caption: CIPD retains discretionary power to designate entities of national significance regardless of size thresholds — iGaming operators take note.]
Classification | Employees | Annual turnover | Schedule / Sector
Essential entity | 250 or more | €50M or more | First Schedule (Annex I) sectors — energy, transport, banking, health, digital infrastructure, public administration, space, and others
Important entity | 50–249 | €10M–€50M | First or Second Schedule (Annex I or II) sectors
In scope regardless of size | Any | Any | Qualified trust service providers, TLD registries, DNS service providers, public electronic communications providers, public administration entities at central level
Generally exempt | Under 50 | Under €10M | Micro and small enterprises — unless designated by CIPD, or providing trust/DNS/telecom services

For a full sector-by-sector breakdown of who falls under NIS2 across the EU, see Who Must Comply with NIS2: Scope, Sectors, and Size Thresholds.
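The applicability table above is a decision rule, and it is easy to get wrong when several criteria interact (size tier, schedule, size-independent categories, CIPD designation). The following Python block is an added illustration, not code from the article or from any Maltese authority, that encodes that rule so a compliance team can run it over an asset or entity register. It makes labelled simplifying assumptions: an entity reaches a size tier when either its headcount or its turnover meets the threshold (the Directive actually defers to the SME definition in Commission Recommendation 2003/361/EC, which also looks at balance sheet totals and linked enterprises); the sector labels are illustrative strings, not statutory wording; a large entity in a Second Schedule (Annex II) sector is treated as important rather than essential; and the size-independent categories are returned as essential because the table gives scope but not tier.

```python
# Added example: rule-based NIS2 scope classifier modelled on the applicability table.
# Assumptions are marked inline; sector names and sample entities are constructed.
from dataclasses import dataclass, field
from typing import Optional, Set

# Illustrative sector labels for the First Schedule (Annex I) and Second Schedule (Annex II).
ANNEX_I_SECTORS = {
    "energy", "transport", "banking", "financial market infrastructure", "health",
    "drinking water", "waste water", "digital infrastructure",
    "ict service management (b2b)", "public administration", "space",
}
ANNEX_II_SECTORS = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}
# Entity types the table lists as in scope regardless of size.
ALWAYS_IN_SCOPE = {
    "qualified trust service provider", "tld registry", "dns service provider",
    "public electronic communications provider", "central public administration entity",
}


@dataclass
class Entity:
    name: str
    sector: str                      # one of the illustrative labels above
    employees: int
    turnover_eur: float
    entity_types: Set[str] = field(default_factory=set)   # e.g. {"dns service provider"}
    cipd_designation: Optional[str] = None                 # "essential" or "important" if designated


def size_tier(employees: int, turnover_eur: float) -> str:
    """Return 'large', 'medium' or 'small' using the table's thresholds.
    Assumption: reaching EITHER the headcount or the turnover threshold is enough."""
    if employees >= 250 or turnover_eur >= 50_000_000:
        return "large"
    if employees >= 50 or turnover_eur >= 10_000_000:
        return "medium"
    return "small"


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'exempt' for one entity."""
    # A CIPD discretionary designation overrides the size analysis entirely.
    if e.cipd_designation in ("essential", "important"):
        return e.cipd_designation
    # Size-independent categories: in scope whatever the headcount or turnover.
    # Assumption: treated as essential here; the table states scope, not tier.
    if e.entity_types & ALWAYS_IN_SCOPE:
        return "essential"
    tier = size_tier(e.employees, e.turnover_eur)
    sector = e.sector.lower()
    if tier == "large" and sector in ANNEX_I_SECTORS:
        return "essential"
    # Medium entities in either schedule, and large entities in Annex II sectors
    # (assumption for the latter), land in the important tier.
    if tier in ("large", "medium") and (sector in ANNEX_I_SECTORS or sector in ANNEX_II_SECTORS):
        return "important"
    # Micro and small enterprises outside the special categories are generally exempt.
    return "exempt"


def classify_samples() -> dict:
    """Run the classifier over a constructed sample register (not real organisations)."""
    register = [
        # Managed service provider route: large B2B ICT supplier in a First Schedule sector.
        Entity("sample-hosting-provider", "ict service management (b2b)", 300, 80_000_000),
        # Digital service provider route: large platform in a Second Schedule sector.
        Entity("sample-gaming-platform", "digital providers", 400, 300_000_000),
        # Same platform, but designated essential by the CIPD on national-significance grounds.
        Entity("sample-gaming-platform-designated", "digital providers", 400, 300_000_000,
               cipd_designation="essential"),
        # Tiny DNS operator: size-independent category.
        Entity("sample-dns-operator", "digital infrastructure", 8, 900_000,
               entity_types={"dns service provider"}),
        # Mid-sized energy firm: medium tier in a First Schedule sector.
        Entity("sample-energy-firm", "energy", 120, 20_000_000),
        # Small game studio below both thresholds and outside the special categories.
        Entity("sample-small-studio", "digital providers", 20, 2_000_000),
    ]
    return {e.name: classify(e) for e in register}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name}: {result}")
```

Because the CIPD designation check runs first, the function reproduces the page's warning that an operator can be pulled into the essential tier regardless of what the size and sector analysis says; any real assessment should still be confirmed against the statutory definitions rather than this simplified rule set.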

Sector Spotlight: iGaming, Financial Services, and Maritime

iGaming and Online Gaming Platforms

Malta licenses over 300 iGaming operators and is responsible for roughly 12–13% of EU online gambling revenue. Most large operators — those exceeding 250 employees and €50 million in annual turnover — satisfy the essential entity thresholds without question. The complication is that gambling and online gaming do not appear by name in NIS2 Annex I or Annex II.

[Figure: Malta iGaming NIS2 inclusion flowchart showing digital service provider and managed service provider classification pathways. Caption: Gambling is not named in NIS2 Annexes, but large iGaming operators qualify via digital service or managed service provider routes.]

Operators fall into NIS2 scope through two distinct legal pathways:

  1. Digital service providers (Second Schedule, Sector 6 — Annex II): NIS2 Annex II covers operators of online marketplaces, online search engines, and social networking services platforms. An online gambling platform that incorporates marketplace features — affiliate integrations, in-platform product sales, community or social network functions — may be classified under this category. The analysis is fact-specific and operators should not assume exemption without a formal scope assessment.
  2. Managed service providers (First Schedule, Sector 8 — Annex I): iGaming suppliers providing cloud infrastructure, data centre operations, or managed cybersecurity services to other operators fall squarely within the B2B ICT service management sub-sector. This creates cascading obligations through the supply chain: if your hosting provider is NIS2-obligated, their contractual requirements will flow down to your service agreements.

Beyond these two pathways, the CIPD’s discretionary designation power means a major operator could be classified as an essential entity based on national economic significance alone. The MGA’s parallel cybersecurity enforcement authority adds a second layer: NIS2 compliance with the CIPD and MGA licensing-related cybersecurity obligations are not the same thing, and meeting one does not guarantee compliance with the other. Operators should map their obligations against both frameworks simultaneously.

Financial Services and the DORA Overlap

Banking institutions (First Schedule, Sector 3) and financial market infrastructure operators (First Schedule, Sector 4) are unambiguous NIS2 essential entities. For Malta-registered banks, investment firms, and insurance undertakings, NIS2 does not operate in isolation. DORA — which entered application in January 2025 — applies in parallel, with the MFSA designated as Malta’s DORA competent authority.

The practical consequence is a dual reporting structure: significant cyber incidents must be reported to both CSIRTMalta (NIS2, Article 23) and the MFSA (DORA). Both reporting timelines run from the same moment of awareness. Financial entities should design a single incident response procedure that satisfies both frameworks’ requirements simultaneously, rather than maintaining parallel processes that risk divergence under pressure. The upside: DORA’s detailed ICT risk management requirements are more prescriptive than NIS2’s Article 21 framework, so satisfying DORA largely satisfies NIS2 in the financial sector.

Maritime Transport and Malta’s Ship Registry

Malta operates the world’s third-largest ship registry and one of the EU’s most significant port complexes. Under NIS2 Annex I, Sector 3 (Transport — maritime sub-sector), the following entity types fall within scope as essential entities:

  • Inland, sea, and coastal passenger and freight ferry operators
  • Port managing bodies, including operators of individual port facilities
  • Vessel traffic service operators

For Malta, this scope captures the Malta Freeport (Marsaxlokk), the Grand Harbour and Valletta Waterfront port administrations, the Malta–Gozo ferry operators, and any vessel traffic management system operators. Importantly, flag state registration alone does not create NIS2 scope: a vessel registered under the Maltese flag but operating entirely outside Malta-based services is not in scope by virtue of registration. Scope arises from providing qualifying port or vessel traffic services. Ship managers and shipowners whose Maltese-flagged vessels include qualifying operational services should conduct a formal applicability assessment.

Core Compliance Requirements: Article 21 Risk Management Domains

S.L. 460.41 mirrors NIS2 Article 21, requiring proportionate technical and organisational cybersecurity measures across ten domains. The word “proportionate” is operative — essential entities bear a higher baseline than important entities, and the CIPD’s auditors will benchmark controls against the entity’s risk exposure, not a universal standard.

[Figure: Malta NIS2 Article 21 risk management perimeter showing ten obligations across four pillars of cybersecurity control. Caption: Controls must be proportionate to entity tier — Essential Entities face stricter baseline expectations during CIPD on-site audits.]
# | Risk management domain | Practical focus area
1 | Risk analysis and information security policies | Documented risk register, classification of assets and threats
2 | Incident handling | Detection procedures, escalation paths, 24h/72h reporting capability
3 | Business continuity, backup, and disaster recovery | Tested recovery procedures, defined RTO/RPO targets
4 | Supply chain security | Vendor assessment programme, NIS2 clauses in ICT contracts
5 | ICT acquisition, development, and maintenance security | Secure SDLC, vulnerability management, patching SLAs
6 | Assessment of cybersecurity measure effectiveness | Internal audits, penetration tests, metrics reporting to management
7 | Cyber hygiene and training | Staff awareness programme, management-level training
8 | Cryptography and encryption policies | Encryption standards for data at rest and in transit
9 | Human resources security and access control | Joiners/leavers process, privileged access management, asset inventory
10 | Multi-factor authentication and secured communications | MFA across remote access, email, and administrative interfaces

All in-scope entities must also designate an internal point of contact, align vulnerability handling with CSIRTMalta’s coordinated disclosure framework, and ensure management bodies formally approve security measures — with documented, timestamped board or senior leadership sign-off.

Incident Reporting to CSIRTMalta

Significant incidents trigger a three-phase reporting obligation:

  • Within 24 hours of awareness: Early warning to CSIRTMalta — confirm the incident is significant and provide initial scoping
  • Within 72 hours of awareness: Full incident notification — affected systems, estimated impact, measures taken
  • Within 1 month of notification: Final report — root cause analysis, remediation steps, lessons learned

“Significant incident” means an incident that causes or could cause severe operational disruption or financial loss, or that affects other organisations or individuals. When in doubt, err toward notification — the CIPD has no mechanism to penalise a precautionary early warning.
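The three-phase clock is easy to state and easy to miss under pressure, especially because the final report runs from the notification rather than from awareness. The Python block below is an added example (not the article's or CSIRTMalta's code) that computes the three deadlines from a moment of awareness and grades the timestamps an incident team actually recorded. It assumes timestamps are timezone-aware UTC, reads “1 month” as the same calendar day in the following month clamped to that month's last day, and, when the full notification has not yet been sent, provisionally anchors the final-report deadline to the 72-hour due time so the tracker stays conservative. The sample incident timeline is constructed.

```python
# Added example: NIS2 three-phase incident reporting deadline tracker.
# Assumptions (see lead-in): UTC timestamps; "1 month" = same day next month, clamped.
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

PHASES = ("early_warning", "full_notification", "final_report")


def add_calendar_month(ts: datetime) -> datetime:
    """Return the same calendar day one month later, clamped to the month's length
    (e.g. 31 January -> 28 February in a non-leap year). Assumption about '1 month'."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(awareness: datetime,
                        notification_submitted: Optional[datetime] = None) -> Dict[str, datetime]:
    """Compute the 24h / 72h / 1-month deadlines for one significant incident.
    The final report runs from the actual notification time when known; otherwise
    it is provisionally anchored to the 72h due time (conservative assumption)."""
    early = awareness + timedelta(hours=24)
    full = awareness + timedelta(hours=72)
    final = add_calendar_month(notification_submitted or full)
    return {"early_warning": early, "full_notification": full, "final_report": final}


def assess_submissions(awareness: datetime,
                       submissions: Dict[str, Optional[datetime]]) -> Dict[str, str]:
    """Grade each phase as 'pending', 'on time' or 'late by <delta>' against its deadline."""
    due = reporting_deadlines(awareness, submissions.get("full_notification"))
    status = {}
    for phase in PHASES:
        sent = submissions.get(phase)
        if sent is None:
            status[phase] = "pending"
        elif sent <= due[phase]:
            status[phase] = "on time"
        else:
            status[phase] = f"late by {sent - due[phase]}"
    return status


def sample_incident_status() -> Dict[str, str]:
    """Constructed timeline: awareness at 10:00 UTC on 31 January 2026, the early warning
    sent the next morning, the full notification two hours past the 72h mark, and the
    final report sent a day before its one-month deadline."""
    utc = timezone.utc
    awareness = datetime(2026, 1, 31, 10, 0, tzinfo=utc)
    submissions = {
        "early_warning": datetime(2026, 2, 1, 9, 0, tzinfo=utc),
        "full_notification": datetime(2026, 2, 3, 12, 0, tzinfo=utc),
        "final_report": datetime(2026, 3, 2, 15, 0, tzinfo=utc),
    }
    return assess_submissions(awareness, submissions)


if __name__ == "__main__":
    for phase, verdict in sample_incident_status().items():
        print(f"{phase}: {verdict}")
```

Running the same function with the DORA deadlines in a second table would give financial entities the single procedure the previous section recommends; the point of keeping the final-report anchor tied to the recorded notification time is that a late 72-hour notification does not quietly buy extra time for the final report.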

Penalties and Management Accountability

Malta’s penalty regime under S.L. 460.41 tracks the NIS2 Directive’s maximum figures. The LN 89/2026 Enforcement Committee mechanism means these figures can be applied without a court referral, accelerating the enforcement timeline.

Entity type | Maximum administrative fine | Persistent breach
Essential entity | €10,000,000 or 2% of total worldwide annual turnover — whichever is higher | €100 per day for ongoing non-compliance
Important entity | €7,000,000 or 1.4% of total worldwide annual turnover — whichever is higher | €100 per day for ongoing non-compliance

The percentage-of-turnover mechanism makes the effective fine proportionate to entity size. For a large iGaming operator with €1 billion in annual turnover, 2% means €20 million — double the nominal cap. For a mid-market firm, the €10 million cap will typically bind first.

Management personal liability is a distinct and underweighted risk. The management body — board members and senior executives — must approve and oversee cybersecurity risk measures under S.L. 460.41. Where negligence is proven, individual members of management can be held personally liable and face disqualification from management positions for up to three years. This is not a theoretical risk: NIS2 was deliberately designed to put cybersecurity on the board agenda by attaching personal consequences to governance failures.

To understand the EU-wide compliance framework that underlies Malta’s penalties, see our complete guide to the NIS2 Directive.

Your NIS2 Compliance Roadmap for Malta

Malta’s first CIPD audit cycle is scheduled for H2 2027. That gives organisations operating in Malta approximately 18 months from the January 2026 commencement date to reach audit-ready status. The six steps below are sequenced by dependency — each builds on the previous.

[Figure: Malta NIS2 six-step operational roadmap from scope assessment to board governance pack before 2027 CIPD audits. Caption: Self-registration deadline passed October 2025 — non-compliance is currently actionable, not a future risk.]
  1. Confirm your scope classification. Apply the size thresholds and sector mapping from Section 3 above. If your sector is ambiguous — particularly in iGaming or maritime services — conduct a formal written scope assessment with legal counsel. Self-classification errors carry the same penalty exposure as non-compliance, and the CIPD may reach a different conclusion than your internal analysis.
  2. Register with the CIPD. The national self-registration mechanism opened in June 2025; the initial registration deadline was October 2025. If your organisation has not yet registered, do so immediately. Unregistered entities remain in scope — non-registration is not a compliance exemption, it is a separate enforcement risk.
  3. Designate a CSIRT capability. Appoint either an internal CSIRT team or an autonomous external CSIRT provider. The CSIRT must be notified to the CIPD. For iGaming and financial services operators, this capability must be available around the clock — significant incidents do not wait for business hours.
  4. Map and close Article 21 gaps. Conduct a structured gap analysis against the ten risk management domains listed above. Prioritise incident handling (Domain 2) and supply chain security (Domain 4) — these are the areas CIPD auditors have most consistently examined in comparable EU jurisdictions. Document every control, its owner, and its current maturity level.
  5. Build and test incident reporting workflows. Your 24-hour reporting path to CSIRTMalta must be tested before an incident occurs. Run a tabletop exercise. Financial sector entities must test the dual NIS2/DORA workflow simultaneously. Ensure your designated contact at csirtmalta@gov.mt is current.
  6. Prepare board-level governance evidence. CIPD auditors expect to see digital, version-controlled policy approvals with timestamped board or senior management signatures. Compile a governance pack: board minutes referencing NIS2 risk review, named owner for each Article 21 domain, and a dated sign-off on the entity’s cybersecurity risk management framework. This documentation is the difference between a clean audit and an enforcement notice.

Frequently Asked Questions

Is MDIA the NIS2 competent authority for Malta?
No. The Malta Digital Innovation Authority oversees AI and distributed ledger technology certification under separate legislation. NIS2 enforcement in Malta sits with the Critical Infrastructure Protection Department (CIPD) for most sectors, the Malta Communications Authority (MCA) for cloud, DNS, data centre, and CDN services, and sector-specific authorities (MGA for gaming, MFSA for DORA-covered financial entities).

Does NIS2 apply to an iGaming operator not listed in the NIS2 Annexes?
Potentially yes. Large operators can qualify as digital service providers under Annex II (online marketplace classification) or be designated as essential entities by the CIPD based on Malta’s national economic reliance on the iGaming sector. No operator should assume exemption without a documented scope assessment.

When are the first NIS2 audits in Malta?
The CIPD’s first audit cycle is scheduled for H2 2027. The period between January 2026 commencement and mid-2027 is an implementation window, not a grace period — non-compliance from 23 January 2026 onward is actionable.

Does flag state registration in Malta create NIS2 scope?
No. A vessel registered on the Maltese flag but operating entirely outside Malta-based services does not acquire NIS2 scope solely through registration. Scope arises from providing qualifying port management, ferry, or vessel traffic services from Malta.

Key Takeaways

  • Malta’s NIS2 supervisor is the Critical Infrastructure Protection Department (CIPD) — not MDIA, which is a separate innovation body
  • S.L. 460.41 came fully into force on 23 January 2026; LN 89/2026 has already updated enforcement structures, relocating CSIRTMalta to MITA and creating a direct Enforcement Committee
  • iGaming operators are not in NIS2 Annexes by name, but face meaningful scope exposure via the digital provider and managed service provider pathways — and via CIPD discretionary designation
  • Financial entities face a parallel NIS2/DORA framework: both CSIRTMalta (NIS2) and the MFSA (DORA) require incident notification
  • Malta’s maritime sector falls under Annex I for ferry operators, port managing bodies, and vessel traffic service operators — flag state registration alone does not trigger scope
  • Maximum fines reach €10M or 2% of worldwide turnover; management members face personal liability and potential disqualification
  • CIPD first audits are scheduled for H2 2027 — the implementation window is open now

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

For a complete breakdown of which authority governs your sector, how the CSIRT moved from CIPD to MITA under L.N. 89/2026, and what iGaming operators must do for NIS2 registration, see the dedicated guide: Malta’s NIS2 Competent Authority: CIPD, MCA, and What Malta’s iGaming Sector Must Know.
