Malta’s NIS2 Framework comes into force

  • February 09, 2026

Malta has formally brought into force its NIS2 cyber security regulatory framework through a Legal Notice, designating 23 January 2026 as the commencement date for all provisions under the relevant law (the ‘Order’). This marks a significant development, as entities operating in Malta are now fully subject to the enhanced obligations introduced through the transposition of the EU NIS2 Directive.

What this means for entities

Scope, classification, and sector coverage

Entities must first determine whether they fall within scope as essential or important entities. This determination is driven by the sector in which they operate and the nature of the services they provide. The sectors covered span a wide range of public and private activity, including digital infrastructure, ICT service management, health, banking, financial market infrastructure, and food production and distribution.

Beyond sector, size plays an important role in determining in-scope status. Requirements apply to medium-sized enterprises and to entities exceeding the medium-size thresholds, in line with the definitions set out under applicable European legislation.

Next steps for businesses

In light of these new obligations, which are now in force, business leaders may consider the following steps to get started:

1. Carrying out a scoping assessment to determine whether the requirements are applicable to their business.

2. If in scope, implementing a clear, documented governance structure, with defined roles and responsibilities for the board and management as per NIS2 requirements.

3. Drafting and implementing the operational framework required in terms of NIS2, including risk management documentation; threat and vulnerability management processes and security testing plans; incident monitoring, handling, and reporting capabilities; as well as consolidating supply chain security by revisiting third-party relationships.

As a reminder, entities classified as essential or important must complete their registration through the national self-registration mechanism maintained by the National Supervisory Authority, namely the Critical Infrastructure Protection Department.

How we can help

At PwC, we are available to support your organisation at every stage of the NIS2 compliance journey, from scoping and readiness assessments to the development and implementation of tailored cybersecurity frameworks aligned with both regulatory and operational needs.

Please reach out to one of our sector leaders below for more information.  

Contact us

Chris Mifsud Bonnici

Partner, PwC Malta

Tel: +356 79757005

Kirsten Cremona

Director, Digital Services, PwC Malta

Tel: +356 7975 6911

Lee Ann Agius

Senior Manager, Tax, PwC Malta

Tel: +356 7973 6159

Yuv Ramdharrysing

Manager, Tax, PwC Malta

Tel: +356 7973 6096
