Malta
(a) What is the NIS2 implementation status?
The NIS2 Directive has not yet been transposed into domestic law in Malta – the parliamentary legislative process for the NIS2 Directive to be approved and transposed into local law is yet to commence.
As a side note, it is worth noting that the directive preceding NIS2, i.e. Directive 2016/1148, is transposed into local legislation through the ‘High Common Level of Security Network and Information Systems Order’ of 6 July 2018 (Subsidiary Legislation 460.35).
(b) What is the envisaged NIS2 implementation timeline?
There is no official information to this effect at the time of writing. Hence, it remains uncertain when a precise timeline for the transposition and implementation of NIS2 into Maltese law will emerge, beyond the general requirement of Art. 41 of NIS2 that Member States shall adopt the measures necessary to comply with NIS2 from 18 October 2024.
(c) What does the NIS2 mean for other national cybersecurity legislation?
There is no one specific law in Malta governing cybersecurity. Rather, there are several laws, including primary and secondary legislation, which regulate different aspects of cybersecurity on a national level.
The legislation which may potentially be impacted the most is the Criminal Code (Chapter 9 of the Laws of Malta), specifically Subtitle V of Chapter IX of Part II of the First Book of the Criminal Code, entitled “Of Computer Misuse”. This Subtitle was incorporated into the Criminal Code in 2001 and was amended in 2010 and 2015.
Subtitle V provides, inter alia, definitions for relevant terms such as “computer”, “computer data”, “computer software” and “information system”. It also caters for specific offences relating to the misuse of a computer system, such as unauthorised acts involving the use of a computer or any other device or equipment to access any data, software or supporting documentation held in that computer or on any other computer, or the unauthorised use, copying or modification of any such data, software or supporting documentation.
Subtitle V of Chapter 9 of the Criminal Code may pose the most significant obstacle to the effective implementation of the NIS2 Directive in Malta, in that the legislative framework currently in place is rudimentary. A major overhaul will therefore be necessary to allow for the effective implementation of EU legislation in the field of cybersecurity, most notably the NIS2 Directive.
(d) Who will be the supervisory authority and how are they preparing the market?
In Malta, the general relevant supervising authority is the ‘Critical Information Infrastructure Protection Unit’ (CIIP Unit).
It is also worth noting that there exist sector-specific authorities, notably in the gaming and financial services sectors, which possess certain powers relating to licensing and issuing fines in the cybersecurity context. For example, there is the “Maltese Gaming Authority” (MGA) and the “Malta Financial Services Authority” (MFSA).
The CIIP Unit is currently working on a “schedule of competent authorities” to delegate certain control to authorities who may be more expertly equipped to deal with specific issues.
(e) What should you be doing/on the lookout for?
It is difficult to establish a set of recommendations that is specific to and focuses on the Maltese transposition of NIS2, since NIS2 is yet to be transposed into national law. However, certain general considerations for clients can be gleaned from NIS2 itself.
It is foreseen that local legislation implementing NIS2 shall apply to all entities which (i) provide their services or carry out their activities in the EU and (ii) match the description of either an ‘essential’ or an ‘important’ entity in a defined list of sectors.
Notable exceptions to this general rule include: (i) a size cap (so small and micro businesses are excluded in many cases); and (ii) the possibility for Member States to exempt specific entities that carry out activities in the areas of national security, public security, defence or law enforcement.
NIS2’s scope has also been widened, compared with NIS 1, to entities falling under additional sectors and subsectors, including social media platforms, public administration and the manufacturing of medical devices.
Should entities fall into the scope of the NIS2, the following are some factors which said entities should be on the lookout for/be aware of:
i. Enhanced Cooperation (via the CSIRT platform)
NIS2 requires the European Agency for Cybersecurity (ENISA) to establish a ‘European Vulnerability Disclosure Database’ to aid knowledge sharing among the Member States, in order to improve Member State cooperation against cyber threats and attacks.
ii. Cybersecurity Risk Management:
Whilst NIS 1 required the adoption of appropriate and proportional technical measures to manage cybersecurity risks, NIS2 requires a set of core policies for all in-scope (“essential” or “important”) entities. These policies include, but are not limited to, risk analysis and incident response, cybersecurity training and ICT supply chain security.
The entities falling under the Directive’s scope must adopt technical, operational and organisational measures, proportional to “the degree of the entity’s exposure to risks, its size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact” (Art. 21 of the ‘NIS2 Directive’).
In-scope entities will therefore need to review the NIS2 requirements relating to cybersecurity risk management (particularly the core set of imposed policies) and incident reporting and consider which changes have to be made to pre-existing policies and procedures.
iii. Management Responsibility and Accountability:
NIS2 also assigns accountability to the management of organisations falling within its scope. Examples of such accountability include, but are not limited to, approving the adequacy of cybersecurity risk management measures and supervising their implementation.
iv. Incident Reporting
NIS2 provides that in-scope entities will be required to submit an initial report or “early warning” to the competent national authority “without undue delay and in any event within 24 hours” from when they “become aware of a significant incident” (Action 133 of the Preamble; Art. 32(5) and 32(6) of the NIS2 Directive).
v. Budget for potential increase in costs
Entities falling within the scope of NIS2 may have to factor in a rise in the costs required to comply with the new NIS2 requirements. According to the EU impact assessment for NIS2, companies which were under the scope of NIS 1 should budget for an increase of up to 12% in their ICT spend for the years immediately following the implementation of NIS2. For companies which were not subject to NIS 1, the estimate is 22%.[1]
___________________________________
[1] European Commission, “Impact assessment: Proposal for a directive on measures for a high common level of cybersecurity across the Union” (European Commission, 16 December 2020), <https://digital-strategy.ec.europa.eu/en/library/impact-assessment-proposal-directive-measures-high-common-level-cybersecurity-across-union>, accessed 15/09/2023.
Contact
Maria Margo Zammit Fiorentino E: mzfiorentino@demarcoadvocates.com
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.