The NIS2 Directive

On the 6th of September, the Ministry for Home Affairs, Security and Employment has issued a public consultation concerning the transposition in Malta of Directive 2022/2555, the NIS2 Directive, (“the NIS2 Directive”), a key legislative framework aimed at enhancing cybersecurity across the EU and posing a much broader scope than its predecessor, the NIS1.

This consultation seeks input from the general public on Malta’s transposition of the NIS2 Directive.

First look at the Draft Transposition

The first public proposed draft of the NIS2 Directive’s transposition was revealed for consultation titled “Measures for A High Common Level of Cybersecurity Across The European Union (Malta) Order, 2024” (“the Draft Transposition”). This can be accessed here.

The Draft Transposition, aligns closely with the NIS 2 Directive and provides for the creation of a national self-registration mechanism for essential and important entities providing services in Malta, and a national register for essential and important entities, which is expected to be operational by 2025. The Draft Transposition also introduces several important local adaptations.

In continuance of its duties imposed under the previous transposition of NIS1, the Draft Transposition refers to CSIRTMalta as the primary body for handling cybersecurity incidents and facilitating cooperation between public and private sectors.

The Draft Transposition places significant emphasis on supply chain security, requiring captured entities to ensure that their suppliers and service providers meet the imposed cybersecurity standards by NIS2. Sector-specific clarifications are also present, including the designation of the Malta Communications Authority as the competent authority for overseeing digital infrastructure, including public electronic communications and trust service providers.

Scope

A variety of entities which provide services or carry out activities in any country within the European Union, are notably captured.

Captured entities are classed into either ‘Essential’ and ‘Important’ entities, which include public administration entities, and private entities that qualify as medium-sized enterprises or higher and which operate in sectors comprising of:

  • Energy;
  • Transport;
  • Banking;
  • Financial market infrastructures;
  • Health;
  • Drinking water or waste water;
  • Digital infrastructure;
  • Business-to-business ICT service management;
  • Public administration;
  • Postal and courier services;
  • Waste management, manufacture;
  • Production, and distribution of chemicals;
  • Production, processing, and distribution of food,
  • Manufacturing,
  • Digital providers; and
  • Space.

Potential Fines for Non-Compliance

The fines that are proposed under the Draft Transposition are set out as up to €10 million or 2% of the total annual turnover for essential entities, while fines up to €7 million or 1.4% of the total annual turnover apply for important entities.

The public consultation on Draft Transposition is set to last until the 7th of October and can be accessed here.

The local transposition deadline of the NIS2 Director is set for the 17th October 2024 and compliance will be required. GTG is here to help!

For more information regarding the Draft Transposition and its potential effects on your enterprise, do not hesitate to contact Dr Ian Gauci or Dr Terence Cassar.

 

You might also be interested in reading:

Enhancing the Life Sciences Sector through AI and Cybersecurity

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content