AI Regulation Hub

Malta

AI in Malta is regulated by the EU AI Act. The Malta Digital Innovation Authority (MDIA) is the lead market-surveillance authority, single point of contact, sole national competent authority for the AI regulatory sandbox and notifying authority. Legal Notice 227 of 2025 also empowers the Information and Data Protection Commissioner (IDPC) as a market-surveillance authority for AI systems in the law-enforcement domain.

Key provisions

EU AI Act — direct application

In force

Four risk levels apply in Malta: prohibited AI, high-risk AI, AI systems with specific transparency obligations, and AI systems permitted with no restrictions but eligible for voluntary codes of conduct.

MDIA — lead market-surveillance authority

In force

Malta has designated the MDIA as the lead market-surveillance authority, single point of contact and sole national competent authority for the national AI regulatory sandbox. The MDIA is also designated as the notifying authority, with assessment by Malta's National Accreditation Board.

Legal Notice 227 of 2025 — IDPC for law-enforcement AI

In force

Empowers the Information and Data Protection Commissioner as a market-surveillance authority for AI systems in the law-enforcement domain.

Fundamental-rights authorities (Art. 77)

In force

Includes the IDPC, Malta Competition and Consumer Affairs Authority, National Commission for the Promotion of Equality, Commission for the Rights of Persons with Disability, Ombudsman and labour authorities.

High-risk AI duties

In force

Quality-management system, risk-management system, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, post-market monitoring and CE marking before market placement.

Detailed overview

AI in Malta is regulated by the EU AI Act, and Malta has designated national AI authorities for implementation. The Malta Digital Innovation Authority, or MDIA, leads Malta's implementation of the EU AI Act and explains the AI Act framework through four risk levels: prohibited AI, high-risk AI, AI systems with specific transparency obligations, and AI systems permitted with no restrictions but eligible for voluntary codes of conduct.

For high-risk AI systems, Malta follows the EU AI Act requirements. High-risk systems must satisfy strict obligations before being placed on the market or put into service. These obligations include a quality-management system, risk-management system, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, post-market monitoring and CE marking.

Malta has designated the MDIA as its lead market-surveillance authority, single point of contact and the sole national competent authority responsible for establishing and operating a national AI regulatory sandbox under the EU AI Act. Legal Notice 227 of 2025 also empowers the Information and Data Protection Commissioner as a market-surveillance authority for AI systems in the law-enforcement domain. The MDIA is also to be designated as the notifying authority, with assessment and monitoring by Malta's National Accreditation Board.

Malta's AI framework also identifies fundamental-rights authorities under Article 77 of the EU AI Act. These bodies include the Information and Data Protection Commissioner, the Malta Competition and Consumer Affairs Authority, the National Commission for the Promotion of Equality, the Commission for the Rights of Persons with Disability, the Ombudsman, labour authorities and other bodies.

Penalties follow the EU AI Act. Breaches of prohibited AI rules may lead to fines up to EUR 35 million or 7% of worldwide annual turnover. Breaches of many other AI Act obligations may lead to fines up to EUR 15 million or 3% of worldwide annual turnover. Supplying incorrect, incomplete or misleading information to authorities may lead to fines up to EUR 7.5 million or 1% of worldwide annual turnover.

Practical requirements & details

Sourced from Regulation (EU) 2024/1689 (the AI Act) as implemented in Malta and Legal Notice 227 of 2025 on national authority designations.

EU AI Act core duties (in Malta)

  • Prohibited AI — banned.
  • High-risk AI — quality management, risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, post-market monitoring and CE marking.
  • Specific-transparency AI — disclosure for chatbots, deepfakes etc.
  • Lower-risk AI — permitted; eligible for voluntary codes of conduct.

National authorities

  • MDIA — lead market-surveillance authority, single point of contact, sole sandbox authority and notifying authority.
  • National Accreditation Board — assessment and monitoring of notified bodies.
  • IDPC — market-surveillance authority for AI in law enforcement (LN 227/2025).

Fundamental-rights authorities (Art. 77)

  • IDPC, Malta Competition and Consumer Affairs Authority, National Commission for the Promotion of Equality, Commission for the Rights of Persons with Disability, Ombudsman, labour authorities and other bodies.

Penalties

  • EUR 35m / 7% of worldwide annual turnover — prohibited AI.
  • EUR 15m / 3% — many other AI Act operator obligations.
  • EUR 7.5m / 1% — incorrect, incomplete or misleading information to authorities.

See also the European Union entry, which covers the EU AI Act (Regulation (EU) 2024/1689) — the substantive framework that this jurisdiction implements and supervises domestically.
