A pivotal cybersecurity breakfast session was held to discuss the implications of the EU’s NIS2 Directive, which aims to strengthen the cyber resilience of essential services. The session also introduced a landmark National Coordinated Vulnerability Disclosure (CVD) policy.
At the CYBER Breakfast organised by the MITA-NCC and funded through EU initiatives, the aim was to facilitate discussion on policy instruments that enhance Malta’s cybersecurity posture across both the public and private sectors.
Strengthening cybersecurity through NIS2 Directive implementation
Matthew Yeomans, Director at Malta CIPD, opened the session with an overview of the NIS2 Directive. The directive builds upon its predecessor, NIS1, with a focus on harmonising and strengthening the resilience of essential services within EU member states, including Malta. Key changes include the introduction of ‘Essential Entities’, mandatory compliance audits, and expanded reporting obligations. Mr Yeomans highlighted Malta’s public consultation on the transposed version of the directive, which ended early in October. “This is a step-change in the way critical infrastructure and services are managed,” he stated.
Bridging the gap between researchers and organisations: CVD policy launch
Annalise Seguna, Managing Legal Counsel at the Malta Digital Innovation Authority (MDIA), delivered a presentation about the proposed content of Malta’s National Coordinated Vulnerability Disclosure Policy. This policy is designed to foster collaboration between organisations and security researchers, reducing vulnerabilities while adhering to international norms set by entities like ENISA. The public consultation on the draft policy ran until 9th October 2024. “We are committed to creating a safe and structured framework for identifying and mitigating vulnerabilities,” Dr Seguna explained.
The policy encourages ethical security researchers to engage responsibly with organisations, ensuring that vulnerabilities are disclosed and managed without risk of legal reprisal. This focus on structured vulnerability disclosure is expected to significantly bolster national resilience against cyber threats.
Panel discussion: Translating policy into practice
A panel discussion featuring Gavril Flores, Chief Officer (Strategy, Policy, and Governance) at MDIA; Ian Gauci, Managing Partner at GTG Advocates; Mr Yeomans; and Hubert Micallef, Information Security Specialist at GO, delved deeper into the practical adoption of the CVD policy. Dr Gauci emphasised the value of consolidating past lessons while ensuring clear guidelines for all stakeholders involved. Mr Micallef highlighted how organisations must adapt internal processes to align with the CVD policy. “This collaboration benefits not just organisations, but the entire ecosystem by fostering trust and promoting safer digital spaces,” he said.
The panellists also addressed how CVD policies impact entities beyond those covered by NIS2, calling on organisations to conduct risk analyses and implement proactive measures. Mr Yeomans reiterated that CIPD will maintain active communication with entities to ensure compliance and support.
Looking forward
MITA-NCC’s CYBER Breakfast events, supported by EU funding, continue to provide valuable insights into the pressing issues of cybersecurity and highlight the importance of technology, people, and processes in maintaining robust digital defences.
As both the NIS2 Directive and CVD Policy continue to shape Malta’s cybersecurity framework, entities are encouraged to engage with these changes to strengthen their resilience and secure a safer digital future.
Visit ncc-mita.gov.mt for more information and join the community today.
This article is co-funded by the European Union.