Your Maltese buyer is asking for ESG compliance evidence because they are subject to CSRD and preparing for CSDDD.
Malta is an EU member state fully subject to CSRD and the CSDDD framework. Maltese buyers in financial services, gaming, tourism, and maritime services are issuing ESG questionnaires to their suppliers as part of their mandatory CSRD reporting and CSDDD preparation. The Information and Data Protection Commissioner (IDPC) enforces GDPR. MCA CSIRT (Malta Communications Authority) coordinates NIS2 implementation. The Malta Financial Services Authority (MFSA) is an active sustainability disclosure regulator.
Key regulations in Malta: CSRD, CSDDD & ESG Supplier Guide
CSRD: EU Corporate Sustainability Reporting Directive (Maltese transposition)
Malta has transposed CSRD into national law. Maltese companies in scope must report on their supply chain's environmental and social impacts using European Sustainability Reporting Standards (ESRS). The MFSA requires sustainability disclosures from financial institutions. Malta's gaming and financial services sectors are increasingly active in supply chain ESG due diligence.
Malta GDPR & NIS2 Cyber Obligations
Malta implements GDPR with 72-hour breach notification to IDPC (Information and Data Protection Commissioner). NIS2 implementation requires essential and important entities to notify MCA CSIRT within 24 hours of a significant incident and provide a full report within 72 hours.
What this means for you as a supplier
You are not directly regulated by Maltese law. But your Maltese buyer is preparing for CSRD reporting and CSDDD compliance, and they need your data to complete their own mandatory reports. Maltese buyers in financial services and gaming are increasingly active in supply chain due diligence, reflecting Malta's role as an international financial and technology hub.
Key dates
FY 2024: CSRD Phase 1 begins for large Maltese public-interest entities
FY 2025: CSRD Phase 2 begins for large Maltese companies over 250 employees
July 26, 2028: CSDDD transposition deadline for EU member states
July 2029: CSDDD compliance required for Maltese companies over 1,000 employees and €450m turnover
CSRD is already in force: your data is needed now
CSRD Phase 1 reporting began for large public-interest entities in FY 2024. Phase 2 covers large companies over 250 employees from FY 2025. Your buyer needs your emissions data, social metrics, and governance information to complete their own mandatory CSRD report. This is not a voluntary request; it is a legal obligation on your buyer that flows through to you as a supplier.
Last reviewed: April 2026. This guide is for general information only and does not constitute legal advice. Regulations change; verify current requirements with a qualified adviser.
Received an ESG questionnaire from a Maltese buyer?
ESG Stress Free guides suppliers through CSRD and CSDDD compliance requirements for Maltese buyers.