ARTICLE
28 January 2026

NIS 2 And Critical Entities Resilience Framework Enter Into Force In Malta

MT
Mamo TCV Advocates

Contributor

Mamo TCV Advocates logo
We are a leading Maltese law firm offering expert legal advice across diverse practice areas. Renowned for our commitment to excellence, we provide strategic, high-quality support to clients facing complex legal challenges and navigating evolving regulatory and market landscapes.
Explore Firm Details
Two long-awaited Legal Notices published on Friday, 23rd January 2026 have brought into force key elements of Malta's cybersecurity and resilience framework, implementing two recent EU legislative developments.
Malta Technology
Mamo TCV Advocates
Your Author LinkedIn Connections
Mamo TCV Advocates are most popular:
  • within Intellectual Property, Immigration and Real Estate and Construction topic(s)
  • in United States
  • with readers working within the Banking & Credit, Retail & Leisure and Securities & Investment industries

Two long-awaited Legal Notices published on Friday, 23rd January 2026 have brought into force key elements of Malta's cybersecurity and resilience framework, implementing two recent EU legislative developments.

Entry Into Force of the NIS 2 Directive

Legal Notice 22 of 2026 brought Subsidiary Legislation 460.41, the Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, into force on Friday, 23rd January 2026. This Subsidiary Legislation transposes the EU Network and Information Systems Directive II (more commonly known as 'NIS 2') into Maltese law and is brought into force as already previously published without substantial substantive amendments following a consultation process that previously took place.

The scope and implications of Malta's transposition of the NIS 2 Directive have been previously discussed in detail by Mamo TCV Advocates and can be accessed here: Malta's Transposition of the NIS 2 Directive: S.L. 460.41 – Mamo TCV.

Implementation of the Resilience of Critical Entities (RCE) Directive

Legal Notice 23 of 2026 was also published on Friday, 23rd January 2026, introducing Subsidiary Legislation 460.43, which implements the EU Critical Entities Resilience (RCE) Directive into local law. This framework complements the NIS 2 Directive by focusing on the physical and operational resilience of critical entities, rather than cybersecurity alone.

The RCE framework primarily imposes obligations on Member States, including Malta, requiring national authorities to identify critical entities, assess risks and put in place resilience measures across key sectors, including energy, transport, banking and financial market infrastructure, health, drinking water and wastewater, digital infrastructure, public administration, space and production, processing and distribution of food.

In Malta, this framework is overseen by the Critical Infrastructure Protection (CIP) Department as the national supervisory authority which also incorporates relevant national coordination structures, including the resilience committee.

Given its focus on public authorities and national coordination, this Subsidiary Legislation is unlikely to give rise to direct compliance obligations for private entities, except in limited circumstances where they may be engaged by government bodies.

Next Phase

We now await further guidance on the self-registration mechanism to be adopted under S.L. 460.01 which implements the NIS 2 in Malta. Mamo TCV Advocates will be publishing relevant updates and overviews on this topic in due course.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Person photo placeholder
Mamo TCV Advocates
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More