The implementation in Malta of the NIS 2 Directive has a substantial impact on gambling operators and suppliers.
On 8 April 2025, the Maltese Government published Legal Notice 71 of 2025, entitled “Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order, 2025” (the “Order”), which effectively transposes the operational provisions of Directive (EU) 2022/2555 (the “Directive” or “NIS 2”) into national law by means of a subsidiary legislative instrument (S.L. 460.41).
This Legal Notice has not yet been given the force of law. Its provisions will only become enforceable on such date/s as shall be specified by the Minister responsible for critical infrastructure protection. The Order may be implemented either in full or through a phased approach. However, the Government has not yet clarified which method it intends to adopt.
Below is an outline of the NIS 2 Order implementing the Directive in Maltese law and its impact on the gambling sector drafted by Andrew Zammit and Erika Criscione of the Maltese law firm GVZH Advocates.
Scope of the NIS 2 Directive implemented in Malta
The Maltese NIS 2 Order applies to all public or private entities that:
- are of the type listed in the First or Second Schedule of the Order,
- qualify as medium-sized enterprises under regulation 2 of the Annex to Commission Recommendation 2003/361/EC, or
- exceed those thresholds for medium-sized enterprises as defined in the same regulation.
Regardless of their size, the Order also applies to entities of a type listed in the First or Second Schedule when certain conditions are met, such as when they provide critical digital or communications services (which might also include digital services provided by gambling operators), act as the sole provider in Malta of essential services critical for societal or economic functions, are designated as critical entities under Directive (EU) 2022/2557 or provide domain name registration services.
The Order carves out significant exclusions, such as public administration entities involved in national security, defence, law enforcement, or the prevention, detection and prosecution of crimes.
The following list provides a general overview of the sectors that are deemed to constitute “essential” and “important” services for the purposes of the Order:
Essential Entities
- Entities in sectors listed in the First Schedule that exceed medium-sized thresholds
- Qualified trust service providers, top-level domain registries, DNS service providers, regardless of size
- Providers of public electronic communications networks/services that are medium-sized enterprises
- Public administration entities of the central government
- Any other entity from the First or Second Schedule designated as essential due to national criticality (e.g., sole providers, systemic risk, cross-border impact)
- Entities designated as critical entities under the Critical Entities Resilience Order (transposing Directive 2022/2557)
- Entities previously identified as Operators of Essential Services (OES) under the original NIS Directive (EU) 2016/1148
Important Entities
- Entities listed in the First or Second Schedule that do not qualify as Essential Entities
- Entities designated by the CIP Department as important based on national significance but not meeting the Essential criteria
NIS 2 Competent Authorities and Single Points of Contact in Malta
The Order provides for the appointment of a Critical Infrastructure Protection Advisory Board (the “Advisory Board”) whose members shall be appointed by the Minister. The Advisory Board shall issue recommendations and give its advice to the Critical Infrastructure Protection Department (“CIP Department”) in relation to the imposition of administrative penalties on essential and important entities.
The NIS 2 Order designates the Critical Infrastructure Protection (CIP) Department as the single point of contact and the national supervisory authority responsible for overseeing its implementation at national level. The CIP Department is tasked with ensuring compliance, enforcing the relevant provisions of the Order and supervising the sectors, sub-sectors, and types of entities that fall within the scope of the Order. Additionally, the Prime Minister may designate additional competent authorities for specific sectors.
It is important to emphasize that the Malta Communications Authority is designated as the NIS 2 competent authority in relation to digital infrastructure and postal and courier services.
Computer Security Incident Response Team (CSIRT)
The Order establishes a national CSIRT within the CIP Department whose tasks include monitoring and analyzing cyber threats, vulnerabilities and incidents at national level, providing early warnings, alerts, announcements and dissemination of information to relevant entities on cyber threats, vulnerabilities and incidents, collecting and analyzing forensic data and providing dynamic risk and incident analysis.
The Order also defines two specific types of CSIRTs: (i) “internal” CSIRTs, which operate within the structure of an entity, providing CSIRT monitoring services, and (ii) “autonomous” CSIRTs, defined as outsourced CSIRTs which provide monitoring functions to essential or important entities.
National Cybersecurity Strategy
The Order delegates responsibility for the national cybersecurity strategy to the National Cyber Security Steering Committee. The strategy outlines objectives, governance, risk assessment, incident response, stakeholder roles and raising awareness.
The national cybersecurity strategy outlines several key policies aimed at enhancing cybersecurity resilience. These include securing the ICT supply chain, integrating cybersecurity requirements in public procurement, and managing vulnerabilities through coordinated disclosure. It also promotes advanced technologies, education, research, information sharing, and support for SMEs to strengthen overall cyber resilience.
The Order also provides for the establishment of a national cyber crisis management framework encompassing the management and coordination of large-scale cybersecurity incidents and crises in Malta.
The NIS Registration Mechanism in Malta Also Applies to Gambling Operators
The CIP Department is required to establish a national self-registration mechanism for (i) essential and important entities providing services in Malta, (ii) the CSIRTs providing monitoring services within such entities, and (iii) entities providing domain name registration services in Malta. The Order provides that the register shall be established by the CIP Department not later than 30 October 2025. However, the Government has yet to announce an implementation date.
Essential and important entities providing services in Malta as well as entities providing domain name registration services in Malta shall register on the national self-registration mechanism established by the CIP Department and shall provide specific information as indicated under the Order.
The Order provides that entities, such as DNS service providers, cloud computing service providers, data centre service providers, providers of online marketplaces, of online search engines and of social networking services platforms, must submit certain information – including a detailed list of computer, network, and operational technology resources used by the entity – to the CIP Department by a prescribed date.
Whilst the deadline for submission of this information has not yet been specified, we expect that this will be issued shortly.
It is also provided that by 17 April 2025 and every two (2) years thereafter, the CIP Department shall notify (i) the European Commission and the Cooperation Group, advising them about the number of essential and important entities listed pursuant to regulation 7(2)(i) and (ii) the European Commission, providing them with the relevant information about the number of essential and important entities identified pursuant to sub-regulations (1)(b) to (e).
The CIP Department shall effectively supervise and take the measures necessary to ensure compliance with the Order.
In respect of essential entities, the Order specifies that the CIP Department shall ensure that the supervisory or enforcement measures imposed on essential entities are effective, proportionate and dissuasive, taking into account the circumstances of each individual case. The CIP Department's supervisory powers include on-site inspections, audits, security scans, information requests, and access to data. Additional powers include requesting evidence of CSIRT monitoring services and compliance with CSIRT policies.
Malta’s CIP Department has similar ex-post supervisory powers over important entities, triggered by evidence of non-compliance.
Enforcement Mechanisms and Penalties
Malta’s CIP Department is also tasked with enforcement powers, which include warnings, binding instructions, orders to cease infringements, orders to comply with risk management and reporting, orders to inform affected parties, designate monitoring officers, publicize infringements, order entities to receive CSIRT monitoring services and request the imposition of administrative penalties by the Civil Court.
Malta sets the same maximum administrative penalties as the Directive: up to euro 10,000,000 or 2% of worldwide turnover, whichever is higher, for essential entities, and fines up to euro 7,000,000 or 1.4% of worldwide turnover, whichever is higher, for important entities.
If you need legal support or advice on any issues related to the online gambling reform in Malta, I will be glad to introduce you to Andrew Zammit and Erika Criscione of the Maltese law firm GVZH Advocates. Also, you can have an outline on the Maltese gambling law regime in DLA Piper’s Gambling Laws of the World Guide available HERE and access further gambling law news HERE.