Malta NIS2 Legal Framework Update – L.N 89 of 2026

Legal Notice 89 of 2026, titled the Measures for a High Common Level of Cybersecurity across the European Union (Malta) (Amendment) Order, 2026 (the “Notice”), brings forth an extensive update to the transposing legislation of the NIS2 Directive, S.L. 460.41 (the “Order”). While the underlying framework remains intact, the amending Notice introduces several changes, including the key amendments outlined hereunder.

1. Enforcement Committee

One of the main changes is the replacement of the original Advisory Board with a new Enforcement Committee. Under the Order, the Advisory Board issued recommendations to the CIP Department on the imposition of administrative penalties, while the actual process for fines was intrinsically tied to Civil Court proceedings. The Notice removes that model and replaces it with an Enforcement Committee empowered to issue decisions inherently in relation to administrative penalties.

The Notice also deletes articles 35 and 36, which previously underpinned the debt recovery and procedural rules for the imposition of an administrative penalty respectively. Accordingly, it recasts article 33 so that the Enforcement Committee itself imposes administrative fines, and further recasts article 41 so that appeals lie to the Administrative Review Tribunal, with a further appeal on a point of law to the Court of Appeal.

2. CSIRT

A second development concerns the framework regarding the Computer Security Incident Response Team (“CSIRT”). The original Order established the national CSIRT within the CIP Department. The amendment now repositions the national CSIRT under the Malta Information Technology Agency (“MITA”) and simultaneously distinguishes more clearly between the national CSIRT and internal/autonomous CSIRTs. The amended article 10 spells out the tasks of each, while the broader drafting across the Order is adjusted so that incident notifications, cooperation duties and information flows are routed more expressly through the national CSIRT structure.

3. CIP Department Functions

The Notice also clarifies the division of functions between the CIP Department and the Malta Communications Authority (“MCA”). The revised article 7 now states more expressly that the First and Second Schedules designate the competent authorities for each sector or sub-sector, and that those authorities are to cooperate under the supervision of the CIP Department as national supervisory authority.

Accordingly, the Notice substitutes both the First and Second Schedules so that they now expressly include a competent authority column. This is particularly notable for the digital infrastructure sector. Under the original regime, the schedules listed the relevant entity categories, but article 7 specifically identified the MCA as competent authority only for providers of public electronic communications networks, publicly available electronic communications services, and trust service providers, as well as for postal and courier services. Under the amended schedules, the MCA is expressly attached to the wider digital infrastructure category, which includes internet exchange points, DNS service providers, TLD registries, cloud computing providers, data centre services, content delivery networks, trust service providers, and electronic communications services.

4. National Cyber Security Steering Committee

The Notice refines the composition of the National Cyber Security Steering Committee. Whilst the Order already referred to the Committee in article 15, the definitions section contained a particular definition equating the “National Cyber Security Steering Committee” to MITA. The Notice amends that definition and introduces a new article 15A that sets out the Committee’s composition, chairing arrangements, meeting frequency, confidentiality obligations, and ability to establish sub-committees.

5. Updates to the Qualified Auditor Regime

Under the original article 14, the approval criteria were lighter in structure, and the text expressly stated that essential entities required the auditor to satisfy all criteria. The amended provision now introduces an express independence requirement, including a Declaration of Independence, alongside background-check, certification/standard, and experience requirements.

--

For more information regarding the NIS2 Order and its potential effects on your enterprise, do not hesitate to contact us at info@gtg.com.mt

Author: Dr JJ Galea

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.