Malta is entering a new era of cybersecurity and resilience regulation. With the transposition of the NIS2 Directive and the forthcoming implementation of the Critical Entities Resilience (CER) Directive, organisations face a step-change in how they manage risk and ensure continuity. In Malta, the Malta Communications Authority (MCA) is taking on a central role in this transformation.
We sat down with Ing. Antoine Sciberras, Chief Officer for Spectrum Management and Technology at the MCA, to understand what these developments mean — especially for providers of electronic communications, trust services, and postal operations.
A new security landscape
The NIS2 Directive, adopted by the EU in 2022 and transposed into Maltese law in April 2025, expands the scope of the original 2016 NIS Directive to cover a broader set of ‘essential’ and ‘important’ entities across sectors such as energy, transport, finance, and digital infrastructure. Alongside this, the CER Directive aims to improve the physical resilience of critical infrastructure — addressing threats from natural disasters, sabotage, and systemic failures. “These directives are not about adding red tape,” explains Antoine. “They’re about establishing a common baseline across the EU for protecting the services that societies and economies cannot function without.”
For many organisations, this means new obligations in risk management, incident response, governance, and supply chain security. The challenge, according to Antoine, is turning compliance into capability.
The MCA’s role
The MCA is Malta’s national regulator for electronic communications, postal services, and trust services. As Antoine notes, its new role under NIS2 and CER is both a continuation and an expansion.
“This isn’t the MCA’s first encounter with security regulation,” he points out. “We’ve been overseeing sector-specific security obligations and contributing to security policy for over a decade under the EU Telecoms Framework, the European Electronic Communications Code, and the eIDAS Regulation.”
Now formally appointed as a competent authority under both NIS2 and CER, the MCA will be responsible for overseeing how regulated providers in its sectors manage digital and physical risks. This includes electronic communications providers, trust service providers (such as those issuing digital certificates and electronic signatures), and postal operators.
“This alignment makes sense,” says Antoine. “We already understand the operational and market realities of these sectors. Our goal is to build on that knowledge to support effective implementation.”
What changes for businesses?
According to Antoine, the shift in legislation requires businesses to adopt a much more proactive approach to resilience. The new obligations are no longer limited to IT departments — they now demand board-level attention.
“Every business leader needs to understand their exposure,” he says. “Cybersecurity and physical resilience aren’t technical checklists anymore — they’re enterprise-wide responsibilities with board-level liability.”
Key obligations under NIS2 and CER include conducting regular risk assessments, implementing appropriate technical and organisational measures, reporting major incidents within strict timelines, ensuring governance and oversight at senior management level, and assessing the security of third-party service providers, amongst others.
Even businesses that are not directly regulated — especially SMEs — may feel the impact.
“If you’re in a supply chain supporting an essential entity, your security posture matters,” says Antoine. “We’re already seeing larger entities start to include NIS2-type clauses in their procurement contracts.”
Not starting from scratch
While NIS2 and CER introduce new expectations, Sciberras stresses that they don’t appear in a vacuum.
“The MCA has long been involved in security,” he explains. “Whether it’s enforcing the security provisions of the EECC or managing trust services under eIDAS, we already have the building blocks in place.”
He highlights past experience with submarine cable redundancy, 5G network security, and incident notification procedures as foundational to the work ahead.
“We’re not building a new house — we’re strengthening the one we’ve been living in,” he says.
Collaboration is essential
Effective regulation requires coordination across multiple entities. In Malta, the MCA works closely with the Critical Infrastructure Protection Directorate (CIPD) and the Information and Data Protection Commissioner (IDPC).
“Our aim is to reduce the regulatory burden, not add to it,” says Antoine. “That’s why we’re working to establish clear lines of communication and a coordinated national approach. Ideally, businesses should have a single point of contact for guidance.”
At the European level, MCA experts are deeply engaged in several cybersecurity bodies, including the NIS2 Cooperation Group, EU expert and ITU advisory groups on Submarine Cable Security, and working groups within BEREC and ECASEC, structures which bring together the EU’s competent authorities to work on policy implementation.
“These forums are not just policy shops,” Antoine notes. “They shape the operational expectations for what good security and resilience look like in practice.”
What’s happening now?
Following the April 2025 transposition of NIS2, the MCA is already working to identify the entities that fall within its scope. For trust services, postal operators, and electronic communications providers, this will depend on both size and systemic importance.
“The NIS2 includes some SME exemptions,” Antoine clarifies, “but these are not automatic. Entities need to assess their position carefully.”
Meanwhile, a national consultation on CER has recently concluded, and the MCA has contributed to the process.
Supporting the market
Antoine is clear that enforcement is not the MCA’s starting point.
“Our first priority is capacity building,” he says. “We’ll be meeting with stakeholders with the aim of providing guidance. This is a journey, and we intend to walk it with industry.”
He emphasises that the MCA’s approach will focus on practicality, proportionality, and preparedness.
“We understand that businesses have resource constraints,” he adds. “But resilience is an investment. It protects your operations, your reputation, and your customers.”
A strategic imperative
As digital and physical infrastructures become more intertwined, the distinction between cybersecurity and resilience is dissolving. For CEOs, this means reframing security not as a cost centre, but as a source of strategic advantage.
“Compliance with NIS2 and CER isn’t just a regulatory necessity,” says Antoine. “It’s also a mark of trust and professionalism in a connected world.”
In a final word of advice to enterprise leaders, Antoine is direct: “Understand your risks. Engage your teams. Ask for help if needed. But act now.”