What is AI regulation in Malta?
AI regulation in Malta is mainly the EU AI Act, backed by Maltese implementing regulations rather than a fully separate national code. Malta has designated the Malta Digital Innovation Authority as the lead AI authority, single point of contact, notifying authority and sandbox authority, while the Information and Data Protection Commissioner oversees certain sensitive high-risk systems, especially in law enforcement, border, justice and democracy contexts. Malta also has an older policy layer through its 2019 AI strategy, ethical framework and voluntary AI assurance work.
What this means
If you build, buy or use AI in Malta, the starting point is usually the EU AI Act. That is where the main legal duties sit. Malta's national rules mostly tell you which authority you deal with locally, how complaints and appeals can work, and how local support and sandboxes are organised.
For most AI matters, the Malta Digital Innovation Authority, or MDIA, is the main public authority. But Malta has split oversight for some sensitive uses. If an AI system is used in certain Annex III fields such as law enforcement, migration, border control, justice or democratic processes, the Information and Data Protection Commissioner, or IDPC, has a separate market-surveillance role.
Malta was also an early AI policy mover. Before the EU AI Act, it published a national AI strategy, an ethical AI framework called "Malta - Towards Trustworthy AI", and a voluntary AI certification track under the AI-ITA label. Those materials still matter as governance background, but they do not replace binding AI Act duties.
Why it matters
This matters because AI in Malta is no longer just a procurement or innovation issue. Once a system is used in areas such as hiring, education, essential services, biometrics, public functions, safety-critical products or policing, the legal burden can increase quickly. The right regulator, paperwork, contract structure and escalation path depend on the intended use of the system and your role in the chain.
It also matters because Malta's framework is institutionally split. A general business deploying internal copilots, a bank introducing decision support, and a vendor bidding into law enforcement can all sit under the same EU AI Act, but they may face different local touchpoints and different practical questions. Any AI that processes personal data can also trigger a parallel data protection track.
For leaders, the practical consequence is simple: AI governance in Malta now needs to cover classification, provider and deployer roles, documentation access, human oversight, incident handling, procurement controls and data protection, not just ethics statements or vendor marketing.
How it works
The EU AI Act is the main rulebook
Malta's AI regulation is anchored in the EU AI Act. That means the main substantive duties, such as prohibited practices, high-risk classification, transparency rules, obligations for providers and deployers, and the governance structure for general-purpose AI, come from EU law rather than from a standalone Maltese AI code.
The dates are phased. The AI Act entered into force on 1 August 2024. Prohibited practices, AI literacy duties, governance provisions and general-purpose AI rules already apply. Most remaining system-specific rules are scheduled around 2 August 2026, while some rules for AI embedded in regulated products run later. There is, however, a live implementation caveat: the European Commission has said a Digital Omnibus proposal could adjust some high-risk timing because harmonised standards were delayed. So the architecture is settled, but some date details still need checking as the regime matures.
Malta's national layer is about authorities, procedures and local enforcement
Malta supplemented the EU framework in October 2025 with Legal Notice 226 of 2025, the Artificial Intelligence Regulations, 2025. These regulations do not recreate the entire AI Act. Instead, they allocate local responsibilities and procedures.
Under those regulations, the MDIA is Malta's default market surveillance authority unless another body is specifically designated. It is also the single point of contact for the AI Act and Malta's notifying authority. For conformity assessment bodies, the National Accreditation Board carries out the assessment and monitoring referred to by the AI Act, while MDIA remains the notifying authority.
The 2025 Maltese regulations also give MDIA local functions that matter in practice. It is the authority responsible for establishing and running Malta's national AI regulatory sandbox. The same regulations require coordination between MDIA and the Malta Financial Services Authority for high-risk AI used by financial institutions, and with relevant sectoral market-surveillance authorities for AI tied to Annex I product legislation. MDIA must also publish and maintain Malta's list of public authorities and bodies that protect fundamental rights under Article 77 of the AI Act.
Several procedural parts of Legal Notice 226 were written to start on 2 August 2026. That is why organisations should treat the Maltese 2025 regulations as an implementation framework with staggered activation, not as a single all-at-once switch.
The IDPC has a separate remit for certain sensitive high-risk systems
Malta did not leave every AI matter with MDIA. Legal Notice 227 of 2025 designates the IDPC as market surveillance authority for a defined set of high-risk Annex III systems. These include certain biometric systems used for law enforcement, border management and justice and democracy; emergency call evaluation and priority dispatch systems; certain law-enforcement systems; certain migration, asylum and border-control systems; and certain systems used in administration of justice and democratic processes.
This matters because the IDPC is not only Malta's data protection authority. Its official AI materials make clear that when AI systems process personal data, the AI Act and the GDPR can both apply, and the IDPC also acts as a fundamental rights authority for personal data protection under the AI Act.
The Maltese IDPC regulations go further in a few concrete areas. They set rules for "real-time" remote biometric identification in publicly accessible spaces for law-enforcement purposes, including prior authorisation by a Magistrate, subject to a narrow urgency route. They also create rules for post-remote biometric identification. In addition, where a high-risk AI system is intended to be put into service by law-enforcement, immigration or asylum authorities, the Commissioner acts as a notified body for the relevant Annex VII conformity assessment route. As with MDIA's regulations, several procedural parts of the IDPC notice are tied to 2 August 2026.
Malta's earlier AI policy still shapes its governance culture
Long before the EU AI Act started applying, Malta had already built an AI policy narrative. Its 2019 "Strategy and Vision for Artificial Intelligence in Malta 2030" aimed to make Malta a strong early mover in AI adoption, investment and public-sector use. Alongside it, Malta published "Malta - Towards Trustworthy AI", an ethical AI framework meant to give organisations guiding principles plus governance and control practices.
That older layer still matters because it explains why Malta talks about trustworthy AI, practical governance and assurance in a more operational way than some jurisdictions. It also explains why MDIA has kept publishing compliance tools, practical guidance and sandbox material for providers, deployers and users.
There is also an updated policy story. MDIA now hosts a 2025 strategy realignment page which says the realigned strategy moves away from a technology-first approach and places societal well-being and sustainability at the centre. It sets out two enablers and three growth pillars. But the same official pages still present that 2025 material as public consultation content. So the direction is clear, while the final adoption status of the realigned strategy is not confirmed as clearly as the legal notices are.
Malta's old AI certification path was voluntary, not the same as AI Act conformity assessment
One of the most unusual features of Malta's earlier AI approach was the AI-ITA framework. Public MDIA guidance described AI-ITAs as AI systems seeking voluntary certification under Malta's Innovative Technology Arrangements and Services structure. That framework relied on systems auditors, technical administrators, governance disclosures and alignment with the ethical AI framework.
The older AI-ITA material is important because it shows Malta tried to build a domestic assurance path for AI before the EU AI Act. But it was voluntary. It was not the same thing as the AI Act's mandatory compliance routes for in-scope high-risk systems, and it should not be read as a substitute for EU conformity assessment, CE marking, post-market monitoring or incident reporting where those duties apply.
A further boundary is worth stating plainly. The publicly available AI-ITA papers on MDIA's site are older, consultation-era documents describing a voluntary framework. They are useful for understanding Malta's assurance philosophy, but they do not by themselves tell you the full current legal position under the EU AI Act.
Support, sandbox access, complaints and penalties are part of the Maltese picture
Malta's framework is not only about policing. MDIA publicly presents compliance tools aimed at helping organisations classify systems, identify likely legal roles in the AI value chain and understand responsible deployment. That is useful for founders, buyers and governance teams who need an early triage step before external legal review.
The sandbox also matters. Malta's 2025 AI regulations require MDIA, as sandbox authority, to give priority access to SMEs and start-ups with a registered office or branch in the Union, run awareness and training activity, and create channels through which organisations can ask questions about implementation and participation.
There are also complaint routes. Under Legal Notice 226, any natural or legal person who believes the AI regulations or the EU AI Act have been breached can complain to the MDIA. Under the IDPC regulations, there is an equivalent complaint route for the systems within the Commissioner's remit. Malta's notices also create national penalty and appeal mechanics. Those national levers sit alongside, rather than replace, the AI Act's wider EU penalty framework.
Examples
A bank or other financial institution in Malta introducing a high-risk AI system does not deal with AI oversight in a vacuum. Malta's 2025 regulations make MDIA the lead market-surveillance authority by default, but they also require coordination with the Malta Financial Services Authority for high-risk AI used by financial institutions. In practice, that means the organisation should expect both AI Act compliance work and prudential-sector scrutiny.
A vendor bidding to supply real-time remote biometric identification for law-enforcement use in Malta faces a much tighter path than an ordinary enterprise software deployment. Under Malta's IDPC regulations, that category falls inside the Commissioner's remit and requires prior authorisation by a Magistrate, subject only to narrow urgency handling. A generic "we are AI Act ready" claim would not be enough.
A start-up building a novel AI product in Malta should not wait until launch to ask what its role is. Malta's framework makes MDIA the national AI sandbox authority and gives SMEs and start-ups priority access. The same authority also publishes role-finding and classification support, so an early-stage company can work out whether it is acting as a provider, deployer, importer or distributor before it scales or signs customer contracts.
Common misunderstandings
"Malta has its own full AI code that replaces the EU AI Act." It does not. The EU AI Act contains the main substantive duties, while Malta's national measures mainly allocate authorities and procedures.
"MDIA's old AI certificate proves AI Act compliance." It does not. The older AI-ITA path was a voluntary assurance mechanism and is separate from mandatory AI Act conformity assessment where the EU rules require it.
"Only developers need to care about Malta's AI regime." Not true. Providers, deployers, importers, distributors, authorised representatives and some product manufacturers can all carry duties.
"If personal data is involved, only GDPR matters." Wrong. GDPR and the AI Act can apply at the same time, and Malta has given the IDPC roles under both frameworks.
"Everything became fully enforceable in Malta as soon as the 2025 notices were published." Not exactly. Malta designated authorities in 2025, but several local provisions and many AI Act duties follow phased application dates.
Risks and boundaries
Malta's national framework is not a universal local permission system for all AI. Most substantive obligations still come from the EU AI Act, not from a Maltese licensing code. The national layer is mainly about who supervises what, how conformity assessment bodies are notified, how complaints and appeals run locally, and how the sandbox is organised.
The older Maltese policy material should be handled carefully. The 2019 strategy and ethical framework are useful governance sources, but they are not binding substitutes for the AI Act. The AI-ITA papers describe a voluntary assurance structure and are publicly available as older guidance material, not as the main current legal rulebook for AI in Malta.
There is also some status uncertainty to keep in view. MDIA's website still presents the 2025 strategy realignment as public consultation material. That makes the strategic direction visible, but it leaves the final adoption status less clear than the legal status of the 2025 regulations.
Finally, timing is still a moving part. Current law and official implementation materials point to staged AI Act application, with an important 2 August 2026 milestone. But the European Commission has also said that a Digital Omnibus proposal could shift some high-risk timing because standards were delayed. Organisations should therefore verify live dates before treating any single implementation calendar as fixed.
What to do next
Start with an inventory. List every AI system your organisation builds, buys, deploys or materially modifies in Malta, then assign a likely role for each one: provider, deployer, importer, distributor or authorised representative. Without that first map, it is very easy to aim governance at the wrong obligations.
Next, triage each use case against the AI Act's risk structure and against Malta's split authority model. Anything touching biometrics, employment, education, essential services, migration, justice, democratic processes or law-enforcement support should be escalated early, because the regulator, paperwork and approval path can differ sharply from ordinary business AI.
Then build one joined-up control file that covers AI governance, procurement, data protection, cybersecurity, record keeping, incident escalation and vendor cooperation. If a system processes personal data, make sure your data protection review is running alongside your AI Act review, not after it.
For higher-risk or genuinely novel deployments, engage with MDIA early. Malta now has a sandbox authority, public compliance tools and practical guidance aimed at providers and deployers. Those support channels can help you reduce classification mistakes well before launch.
Do not rely on soft-law labels, internal ethics principles or legacy Maltese voluntary certification language as proof of compliance. They may help your governance posture, but they are not a substitute for the legal duties that now arise under the EU AI Act and Malta's implementing framework.
FAQs
Does Malta have its own AI Act?
Malta has national Artificial Intelligence Regulations from 2025, but the main substantive rulebook is still the EU AI Act. Malta's notices mainly designate authorities, procedures, complaints and sandbox arrangements.
Who is the main AI regulator in Malta?
In most cases it is the Malta Digital Innovation Authority. It is the lead market-surveillance authority, single point of contact, notifying authority and sandbox authority, unless a specific class of system is assigned elsewhere.
What does the IDPC do for AI in Malta?
The IDPC remains Malta's data protection authority and is also the market-surveillance authority for certain sensitive Annex III systems, including some uses in law enforcement, migration, border control, justice and democratic processes.
Does GDPR still apply to AI in Malta?
Yes. If an AI system processes personal data, GDPR still applies alongside the AI Act. Malta's IDPC says the GDPR takes legal precedence where personal data protection is concerned.
Is Malta's old AI certification programme mandatory?
No. The AI-ITA path was designed as a voluntary MDIA assurance framework. It is separate from the EU AI Act's mandatory conformity assessment routes.
Can start-ups get regulatory support in Malta?
Yes. Malta's national rules make MDIA responsible for the AI regulatory sandbox and require priority access, guidance and tailored support for SMEs and start-ups.
When does the Malta framework apply?
The AI Act entered into force on 1 August 2024 and applies in stages. Malta designated authorities in October 2025, while several Maltese procedural provisions switch on from 2 August 2026. Some high-risk timing could still change at EU level.
If I only buy AI from a vendor, am I out of scope?
Usually not. Buyers are often deployers under the AI Act, and deployers can have their own duties on use, oversight, monitoring and record keeping.
