Navigating Malta’s Cyber Security Regulatory Landscape: Insights for Businesses.

Monday, June 03, 2024 by Alexia Valenzia


The regulatory landscape of cyber security in Malta has become a critical arena which businesses need to grapple with in order to operate in the digital world that we live in today. The intricacies of navigating this complex environment can seem daunting at first, but understanding the key frameworks is essential for ensuring compliance and protection for businesses as well as their clients and data.

The Current Regulatory Environment

The applicability of the EU’s General Data Protection Regulation (“GDPR”) and the Network and Information Systems Directive (“NIS Directive”), both of which have been applicable since May 2018, required businesses operating in Malta to review and upgrade their cyber security measures significantly. The GDPR has set the standard for personal data protection across Europe, imposing stringent requirements for technical and organisational security measures. Businesses face hefty fines — up to €20 million or 4% of annual global turnover — for non-compliance.

In parallel, the NIS Directive aimed to elevate the security levels of network and information systems across the EU. Particularly impacting operators of essential services, it demands robust management of cybersecurity risks and incident reporting, with sanctions ranging from €500 to €50,000, and potential daily penalties.

Malta’s regulatory framework also involves specific local laws and regulations, such as the MGA Rules for gaming, ITAS standards for innovative technologies, and MFSA Rules for financial services, all harmonising with overarching EU guidelines such as the ENISA guidelines.

The Evolution of Cybersecurity Laws: The Road Ahead

The landscape is set to evolve with the introduction of several critical EU legislative measures aimed at further solidifying cybersecurity across different sectors. Notably, the shift from the NIS Directive to the NIS 2 directive, which shall be applicable as from 18 October 2024, marks a significant escalation in regulatory cyber security requirements. NIS 2 addresses previous limitations under the NIS Directive by expanding its scope to include vital sectors such as health, public administration, and even social media platforms.

NIS 2 will also abolish the distinction between operators of essential services and digital service providers, instead introducing a more nuanced classification that emphasises the importance and impact of the services provided.

The Digital Operational Resilience Act (“DORA”) is poised to introduce stringent cybersecurity standards across the financial sector and ICT third-party service providers from 17 January 2025.


DORA seeks to enhance the digital resilience of financial entities by establishing comprehensive requirements for incident management, governance, and risk management related to third parties, backed by administrative penalties for non-compliance.

Meanwhile, the Markets in Crypto-Assets Regulation (“MiCA”), which will start affecting the issuance of asset-referenced tokens (ARTs) and e-money tokens (EMTs) from 30 June 2024, and other crypto-assets and services from 30 December 2024, sets out rigorous regulations for the public offering and trading of crypto-assets, along with mandates for crypto-asset service providers. This regulation is designed to manage risks and enforce security notification protocols, imposing severe sanctions that could reach at least €5,000,000 or between 3% and 12.5% of annual turnover for breaches.

Strategies for Compliance and Resilience

Businesses need to understand these regulations and actively prepare to meet their requirements. Companies must adopt advanced cyber security frameworks, conduct regular risk assessments, and ensure continuous staff training to align with both current and future regulatory demands. Proactively engaging with these changes will not only facilitate compliance but also enhance operational resilience.

Concluding Thoughts

Businesses in Malta are at a critical juncture and need to navigate through these regulatory waters armed with an understanding of their legal and regulatory requirements, informed agility and strategic foresight. Promulgation of rules and regulations in the cybersecurity and digital resilience sphere are only going to increase as we move towards an increasingly innovative digital environment. It is therefore important that businesses tackle these requirements proactively to ensure that their digital operations do not fall behind the law or their competition.

For a range of cyber security solutions for businesses of all sizes visit

Alexia Valenzia

Alexia Valenzia

Camilleri Preziosi Advocates

Chat With Us

Connecting you to a live agent...

There was a problem connecting you to a live agent