Malta's NIS2 framework — S.L. 460.41, the Measures for a High Common Level of Cybersecurity (Malta) Order 2025 — entered into force on 23 January 2026. Uniquely, it explicitly covers iGaming operators and digital services, the sectors at the heart of Malta's economy. First CIPD audits land in H2 2027, but your compliance documentation has to be in place now.
First audit H2 2027 — but documentation is required now. The CIPD and sector authorities scrutinise compliance traceability and board-approval records from the date the law entered into force. Board approvals, gap analysis and remediation evidence created in 2026 demonstrate intent — waiting until 2027 creates avoidable enforcement risk. We fast-track your gap analysis and remediation roadmap together.
NIS2 in Malta — at a glance
Malta transposed NIS2 through S.L. 460.41 — the Measures for a High Common Level of Cybersecurity (Malta) Order 2025, enacted by Legal Notice 71/2025. Here is what defines your obligations.
| Item | Detail |
|---|---|
| Status | In force since 23 January 2026; first audits H2 2027, documentation required now |
| National law | S.L. 460.41, Measures for a High Common Level of Cybersecurity (Malta) Order 2025 (Legal Notice 71/2025) |
| Competent authority | CIPD, Critical Infrastructure Protection Department (cip.gov.mt), with the MGA and MFSA as sector authorities |
| First audits | H2 2027, but compliance traceability is assessed from 23 January 2026 |
| Sectors in scope | iGaming (MGA-licensed), financial services (MFSA-licensed), digital services and ICT |
| Entity categories | Essential entities (proactive supervision) and important entities (ex-post supervision) |
| Maximum fines | Essential entities: up to €10M or 2% of total worldwide annual turnover, whichever is higher; important entities: up to €7M or 1.4%, whichever is higher |
Maltese NIS2 implementation
Malta hosts a uniquely high concentration of iGaming operators and financial services firms — both sectors that S.L. 460.41 now directly covers. These are the distinguishing features the CIPD enforces.
Malta is the EU hub for online gambling, with the Malta Gaming Authority licensing hundreds of operators. S.L. 460.41 explicitly brings iGaming and digital services into scope. Online gambling is not among the sectors listed in Annex I or II of the Directive and was outside NIS1 as well, so this is a national extension of scope that applies under Maltese law rather than EU-wide. If you hold an MGA licence, you are very likely an in-scope NIS2 entity.
The Malta Financial Services Authority has sector-specific cybersecurity powers that now operate alongside NIS2. MFSA-licensed financial entities that have implemented DORA already cover most of the same ground, but note the legal relationship: under Article 4 of NIS2 and Article 1(2) of DORA, DORA is the sector-specific act, so for the activities it covers the NIS2 risk-management and incident-reporting obligations (and the CIPD's supervision of them) do not apply. The NIS2 delta for such groups comes from affiliates, services and systems that sit outside DORA's scope, which is exactly where a cross-mapping against the CIPD's requirements is needed.
The Critical Infrastructure Protection Department is Malta's designated NIS2 supervisory authority. It can conduct on-site inspections, security scans, information requests and audits. Essential entities face proactive oversight; important entities face ex-post supervision triggered by incidents or complaints.
The first CIPD audits are scheduled for H2 2027. But enforcement bodies scrutinise compliance traceability and board-approval documentation from the date the law entered into force. Starting your programme in 2026 demonstrates intent — waiting until 2027 creates risk.
Maltese operators routinely answer to more than one regulator at once: CIPD for NIS2, the MGA for gaming cybersecurity standards, and the MFSA (with DORA) for financial services. We map these frameworks together so a single programme satisfies all of them.
Under S.L. 460.41, senior management must formally approve cybersecurity measures and receive documented, auditable training. For licensed operators this accountability runs in parallel with existing MGA and MFSA governance expectations.
iGaming & financial services
Maltese operators often need to satisfy several regulatory frameworks at once. Here is how NIS2 interacts with the MGA and MFSA/DORA regimes — and how a dual-framework approach avoids duplicating work.
MGA-licensed operators already comply with the MGA's cybersecurity technical standards. NIS2 adds supply chain security obligations, staged incident reporting to the CIPD (24-hour early warning, 72-hour notification, final report within one month, separate from MGA incident reporting), board-level management accountability and vulnerability handling and disclosure policies. We map your existing MGA compliance to isolate the NIS2 delta.
MFSA-licensed entities that have completed DORA implementation already cover most of the same ground: ICT risk management, incident reporting and third-party risk are all mirrored in NIS2. Two points matter in practice. First, DORA is lex specialis under Article 4 of NIS2, so a financial entity within DORA's scope is not subject to NIS2's risk-management and incident-reporting obligations for the activities DORA covers, and under the Directive there is no parallel CIPD reporting duty for an ICT incident already reported under DORA. Second, NIS2 takes an all-hazards approach that includes the physical environment of network and information systems, and any group entity, service or system outside DORA's scope falls back under NIS2 and CIPD supervision. That boundary is where the mapping work lies.
We design programmes that satisfy NIS2, MGA cybersecurity standards and DORA/MFSA requirements simultaneously — navigating the fintech/iGaming dual-framework landscape and reducing the total compliance burden. One gap analysis maps all the relevant frameworks against your current controls.
Holding both an MGA and an MFSA licence? The fintech/iGaming overlap means your NIS2, DORA and sector obligations must be reconciled into one coherent control set — not run as separate projects. We help you navigate the dual framework so the CIPD, MGA and MFSA all see consistent evidence — talk to us about your licence mix.
Webristle is a full cybersecurity agency, not only a compliance advisor. Beyond the NIS2 gap analysis and reports, our engineers deliver the security work the Directive actually requires: system hardening, MFA and identity governance, encryption and PKI, network segmentation, EDR and 24/7 monitoring, backup and disaster recovery, penetration testing and incident response. One team takes you from assessment to a fully implemented, audit-ready and resilient infrastructure.
Article 21 NIS2 · S.L. 460.41
These controls apply to all in-scope Maltese entities. For iGaming operators, MGA cybersecurity requirements overlap significantly — we map both frameworks to avoid duplication ahead of the H2 2027 audits.
Formal threat assessment, Business Impact Analysis and a board-approved risk appetite, documented and reviewed periodically and whenever significant changes occur.
Detection and classification procedures plus mandatory reporting of significant incidents to the CIPD on the Article 23 timeline: early warning within 24 hours of becoming aware of the incident, incident notification within 72 hours, intermediate status updates on request, and a final report within one month of the notification. This channel is distinct from any MGA or MFSA incident reporting.
Continuity plans, tested disaster recovery, backup management and crisis management with documented RTO and RPO targets approved at board level.
Security assessment of critical suppliers, NIS2-compliant contractual clauses and continuous third-party monitoring — especially relevant for iGaming platform and payment providers.
Structured vulnerability management, penetration testing, patch management and infrastructure hardening across your gaming, payment and core ICT systems.
Policies and procedures to test the effectiveness of risk-management measures, including audits, certification cycles and red-team exercises documented for the CIPD.
Access control and identity governance: zero-trust principles, multi-factor or continuous authentication on critical systems (Article 21(2)(j)), IAM governance and Privileged Access Management, with least-privilege principles documented and enforced.
Awareness programmes, secure onboarding/offboarding and insider-risk management. Senior management must receive documented, periodic and auditable training.
Systematic patch management, asset inventory, endpoint security and documented BYOD policies across the organisation.
Policies on the use of cryptography and, where appropriate, encryption (Article 21(2)(h)): encryption of data at rest and in transit, key and certificate lifecycle management, and digital signatures where business processes rely on them.
Existing certifications
ISO 27001 and DORA cover a large share of NIS2 Article 21 requirements. The remaining gaps are specific to NIS2, S.L. 460.41 and the CIPD — and must be addressed separately.
ISO 27001 and DORA give you a risk-management framework, security policies, access control, cryptography, supplier security, ICT incident management and business continuity — all overlapping with NIS2 and reducing your remediation effort.
The 24-hour/72-hour/one-month incident reporting to the CIPD (separate from MGA/MFSA channels, and not applicable where DORA reporting already governs the incident), documented management training and board accountability, NIS2-specific supply chain clauses, and the all-hazards scope of Article 21(1), which covers the physical environment of network and information systems and goes beyond a purely ICT focus.
We map your existing ISMS, MGA controls and DORA evidence against the NIS2 delta to avoid duplicating completed work. Most certified or DORA-compliant companies need 4–8 weeks of targeted remediation, not a full programme from scratch.
How we work
A structured four-phase process with clear deliverables at each stage. We work alongside your team to minimise operational disruption.
We determine your NIS2 classification, identify overlap with MGA or MFSA/DORA requirements and map the compliance landscape for your licence type.
Assessment against all 10 Article 21 measures with cross-mapping to MGA/DORA frameworks. Delivered within 5 working days with CIPD-alignment scoring.
Prioritised remediation plan that satisfies NIS2 while leveraging existing MGA/DORA work. Board documentation included from day one.
Technical hardening, policy documentation, CIPD and MGA/MFSA incident procedures, and ongoing monitoring ahead of the H2 2027 audits.
Start today
The gap analysis is the mandatory starting point. In 5 working days you will have a precise picture of your position against S.L. 460.41 and the CIPD's requirements — cross-mapped to your MGA and MFSA/DORA obligations.
Our senior consultants will respond within 48 hours with a free preliminary assessment of your NIS2 exposure under S.L. 460.41.
No commitment · Response in 48h · Trusted by 80+ companies across Europe
Related insights
FAQ
The questions we hear most often from Maltese iGaming operators, financial firms, CISOs and legal counsel.
Free preliminary assessment within 48 hours, full gap analysis in 5 working days. We assess your NIS2 exposure under S.L. 460.41, cross-map with MGA and DORA/MFSA requirements and give you a unified compliance roadmap ahead of the H2 2027 audits.