Cybersecurity and IT Law. Transposition of NIS2
One of the most consequential legal developments in Malta during 2025 was the transposition of the NIS2 Directive through Subsidiary Legislation 460.41, enacted by Legal Notice 71 of 2025. The Measures for a High Common Level of Cybersecurity Across the European Union (Malta) Order significantly expands the scope of cybersecurity obligations for entities classified as essential or important, encompassing sectors such as energy, transport, health, financial services, digital infrastructure, public administration and ICT service management.
At institutional level, enforcement responsibilities are divided between the Critical Infrastructure Protection Department, which acts as the primary competent authority across most sectors, and the Malta Communications Authority, which oversees compliance for digital infrastructure and postal and courier services. This dual-authority structure reflects Malta’s attempt to align sectoral expertise with the heightened supervisory and sanctioning powers introduced by NIS2. For affected organisations, the regime marks a clear shift towards stricter governance, enhanced incident-reporting obligations, and materially higher exposure to administrative penalties for non-compliance.
Artificial Intelligence Regulation. Implementing the EU AI Act
Malta formally implemented Regulation (EU) 2024/1689, the EU AI Act, through two complementary Legal Notices published in 2025. The Artificial Intelligence Regulations (S.L. 591.05) designate the Malta Digital Innovation Authority as the principal market surveillance authority and national single point of contact. In parallel, the Artificial Intelligence Regulations assigning responsibilities to the Information and Data Protection Commissioner (S.L. 586.14) confer supervisory powers in respect of high-risk AI systems and certain prohibited AI practices.
This dual supervisory model reflects the hybrid nature of AI regulation, spanning both product safety and fundamental rights protection. The MDIA is entrusted with coordination across sectoral regulators, including the Malta Financial Services Authority, and acts as the notifying authority for conformity assessment bodies. It is also responsible for establishing and operating Malta’s national AI regulatory sandbox. The IDPC, for its part, is tasked with maintaining a registry of high-risk AI systems and may impose administrative penalties, warnings and corrective measures.
Operators placing AI systems on the Maltese market must therefore undertake early classification exercises to determine whether their systems fall within Annex III of the AI Act, particularly where critical infrastructure is concerned. The enforcement framework signals a clear expectation that AI compliance will become an integral component of corporate risk management and governance.
Data Protection and the EU Data Act
The EU Data Act, although adopted in 2023, becomes practically relevant in Malta from September 2025, with certain design-related obligations deferred until 2026. Malta has designated the MDIA as the primary competent authority and national Data Coordinator, while the Malta Communications Authority oversees interoperability provisions and the IDPC retains competence where personal data protection is implicated.
This institutional allocation underscores the increasing interdependence between data governance, competition, and privacy law. Organisations operating connected products or data-driven services will be required to navigate overlapping regulatory regimes, particularly where personal and non-personal data coexist within the same technical infrastructure.
Enforcement Practice and Practical Challenges
From a data protection perspective, 2024 and 2025 were characterised by a noticeable increase in enforcement activity by the IDPC. A recurring theme in decisions concerned failures to properly handle subject access requests, particularly deficiencies in transparency and completeness under Articles 5 and 15 GDPR. These cases highlight persistent operational challenges for controllers, especially in translating legal obligations into effective internal processes.
Another prominent area of enforcement involved CCTV surveillance. The Commissioner has repeatedly emphasised necessity and proportionality, issuing reprimands and corrective orders where cameras captured public spaces or third-party property without sufficient justification. While the supervisory approach has generally favoured corrective measures, financial penalties have been imposed in more intrusive cases, signalling a willingness to escalate enforcement where warranted.
Outlook and Strategic Positioning
Looking ahead, Malta enters 2026 against a backdrop of high AI adoption rates, with Eurostat data indicating that nearly half of the population has already used generative AI tools. Government initiatives announced in the 2026 Budget, including nationwide AI training programmes, investment in high-performance computing infrastructure, and the expansion of regulatory sandboxes, reinforce Malta’s ambition to position itself as an AI-friendly jurisdiction.
Crucially, these policy initiatives are embedded within a dense regulatory framework grounded in EU law. The Maltese approach suggests a strategic effort to combine regulatory credibility with innovation enablement, seeking to attract digital and AI-driven activity while maintaining alignment with European standards on cybersecurity, data protection and trustworthy AI.
Article provided by INPLP members: Dr. Gege Gatt and Dr. Marco Fagnano (Malta IT Law Association, Malta)
Dr. Tobias Höllwarth (Managing Director INPLP)
