Critical Entity Resilience (CER)

On 16 January 2026, Malta officially issued its intended transposition of the EU's Critical Entities Directive (Directive (EU) 2022/2557) (“CER”) into national legislation through the Resilience of Critical Entities and Infrastructures (Identification, Designation and Protection) Order 2026 (L.N. 5 of 2026) (the “Order”).

The Order is meant to replace the prior Critical Infrastructures and European Critical Infrastructures (Identification, Designation and Protection) Order, S.L. 460.24 of the Laws of Malta, which derived from the prior European Critical Infrastructures Directive (2008/114/EC).

The Order establishes a new comprehensive, all-hazards resilience framework applicable to 11 strategic sectors across the island, as needed to implement CER into national legislation.

Scope

The new Order applies to critical entities operating in the following sectors:

Energy;
Transport;
Banking;
Financial Market Infrastructure;
Health;
Drinking water;
Wastewater;
Digital infrastructure;
Public administration;
Space; and
Food production and distribution.

This represents a significant expansion beyond the previous focus.

The Critical Infrastructure Protection (“CIP”) Department has been designated as the national supervisory authority, while the Malta Communications Authority has been assigned CER responsibility for digital infrastructure entities.

A newly established Critical Entities Resilience Committee under the Order, chaired by the Director General of the CIP Department, will oversee implementation and advise on administrative penalties.

Key Obligations for Critical Entities

The Order imposes three primary tiers of obligations on identified entities:

    1. First, critical entities must conduct comprehensive risk assessments within nine months of notification and every four years thereafter, accounting for natural and man-made hazards, including terrorist threats, hybrid threats, climate impacts, and cross-sectoral dependencies;
    2. Second, critical entities must adopt proportionate technical, security, and organisational measures captured in approved resilience plans, covering prevention, physical protection, incident response, recovery, employee security management, and awareness training;
    3. Third, all critical entities must designate a Security Liaison Officer to coordinate compliance and serve as the interface with authorities.

Critical Considerations

Several provisions merit particular attention for captured entities. First, incident notification requirements are strict. Entities must notify competent authorities of incidents causing significant disruption within 24 hours, with detailed reports to follow within 72 hours. Cross-border incidents affecting six or more Member States trigger Commission notification. Second, the Order coordinates closely with the NIS2 directive. Third, SMEs captured as critical entities face identical obligations to larger entities, though supportive measures to mitigate administrative burden are contemplated.

Supervision, Enforcement, and Penalties

The framework establishes graduated enforcement. Following audits and inspections, per Article 23(3) the CIP Department classifies findings as (i) "fully compliant", (ii) "compliant but improvement desired", (iii) "not compliant", or (iv) "not compliant with serious breaches". Entities rated as non-compliant must submit action plans within two weeks. Persistent non-compliance triggers administrative penalties of €2,500 (non-compliance) or €5,000 (serious breaches), with additional daily penalties of €100 if not remedied.

Next Steps

While the Order has been published, the commencement date remains discretionary, as the Minister responsible will establish it by Gazette notice. Per its Article 5, the CIP Department must adopt a National Resilience Strategy within the statutory period, conduct Member State Risk Assessments, and issue identity notifications to identified critical entities. Captured entities will have 10 months from notification to achieve compliance.

For more information regarding CER and its potential effects on your enterprise, do not hesitate to contact us at info@gtg.com.mt

Authors: Dr Terence Cassar & Dr J.J. Galea

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.