AI & Digital Innovation Regulatory Compliance in Malta: Why LexMT is the Only Tool That Can Do This

Introduction

Malta's AI and digital innovation regulatory framework is, in 2025, simultaneously one of the most ambitious in the EU and one of the least documented in accessible legal commentary. The jurisdiction that positioned itself as a global blockchain and DLT hub in 2018 has now layered on top of that foundation a dense stack of EU-derived regulation — the AI Act, the Data Governance Act, the Data Act — implemented through a cluster of new subsidiary legislation that most Maltese practitioners have not yet read, let alone analysed in depth.

This is precisely the kind of legal landscape where LexMT delivers its most distinctive value. The framework is new, the case law is nascent, the regulatory instruments are scattered across multiple chapters and subsidiary legislation instruments, and the penalty exposure is substantial. Practitioners need a tool that can pull it all together — fast, accurately, and in the context of Maltese law specifically.

The Regulatory Stack: Four Interlocking Layers

Malta's AI and digital innovation compliance framework currently comprises four distinct but interlocking layers, each requiring separate analysis and each generating its own compliance obligations.

Layer 1: The Enabling Framework — The MDIA Act

The foundation is the Malta Digital Innovation Authority Act (Cap. 591). The MDIA was originally conceived as the world's first dedicated regulatory authority for blockchain and DLT — a bold jurisdictional play that generated enormous international interest. Cap. 591 has since been substantially amended (most recently by Act XIX of 2024) and now covers the full range of "innovative technology" as defined in the First Schedule: artificial intelligence, distributed ledger technology, and the internet of things.

The MDIA issues technology recognitions — a form of regulatory certification confirming that a system or service is compliant with applicable regulatory instruments. The recognition framework is critical because it governs market access for innovative technology services in Malta. The grounds for refusal or revocation under Cap. 591 are broad: the Authority may refuse recognition where it believes the applicant lacks the technical know-how, the viable business model, the financial safeguards — or simply where it believes that granting recognition "may pose a risk to the reputation of Malta or is otherwise not in the public interest." That last ground is strikingly subjective, and the absence of a body of ART jurisprudence interpreting it means that practitioners advising applicants are working in a near-vacuum of guidance.

LexMT can map every ART judgment touching on MDIA recognition decisions and identify the interpretive principles that are beginning to emerge — something that would take hours of manual eCourts searching to replicate.

Layer 2: The EU AI Act — Implemented by S.L. 591.05

S.L. 591.05, the Artificial Intelligence Regulations, brought into Maltese law the requirements of Regulation (EU) 2024/1689 — the EU AI Act — with effect from 10 October 2025. Most operative provisions come into force on 2 August 2026. The MDIA is designated as the primary national competent authority, market surveillance authority, and the body responsible for Malta's national AI regulatory sandbox under Article 57 of the AI Act.

The penalty architecture under S.L. 591.05 is significant and merits close attention from any operator deploying AI systems in Malta:

• Operators face administrative penalties of up to €350,000 per infringement, or up to 1% of total worldwide annual turnover for the preceding financial year, whichever is higher — with a daily penalty of €12,000 for each day an infringement persists.
• Public authorities and bodies face a separate, lower cap of €50,000 per infringement, with a daily penalty of €50 for continuing breaches.
• The MDIA retains a residual discretion at any stage to require written undertakings to cease infringing conduct, and to issue reprimands, warnings, or other non-monetary disciplinary measures.

All administrative penalties and decisions of the MDIA under S.L. 591.05 are subject to appeal under Part IX of Cap. 591 — meaning the appellate route runs through the MDIA's internal review mechanism and ultimately to the Administrative Review Tribunal, not directly to the courts.

The proportionality factors for penalty imposition are set out in S.L. 591.05, Regulation 10(4) and include: the nature, gravity and duration of the infringement; the number of affected persons; the intentional or negligent character of the conduct; any action taken to mitigate harm; and any previous infringements. This mirrors the penalty calibration methodology familiar from GDPR enforcement but applies it to AI system deployment — a genuinely new frontier.

Layer 3: The Data Act — Implemented by S.L. 591.04 and S.L. 418.06

Regulation (EU) 2023/2854 — the Data Act — establishes harmonised rules on fair access to and use of data generated by connected products and related services. Its Maltese implementation sits across two instruments: S.L. 591.04 (the Fair Access to and Use of Data Regulations under the MDIA Act) and S.L. 418.06 (the equivalent regulations under the Malta Communications Authority Act).

The split of regulatory jurisdiction is deliberate and practically significant:

• The MDIA is the competent authority for the general provisions of the Data Act and is also designated as the data coordinator under S.L. 418.06, Regulation 5, responsible for facilitating cooperation between authorities.
• The Malta Communications Authority is the competent authority for the cloud switching and interoperability provisions (Articles 23–31 and 34–35 of the Data Act) — the provisions most relevant to cloud service providers and data portability obligations.

For any operator running connected IoT products or cloud services in Malta, this dual-authority structure creates a genuine compliance complexity that requires mapping carefully. LexMT can do this mapping in minutes.

Layer 4: The Data Governance Act — Implemented by S.L. 591.03

S.L. 591.03 implements Regulation (EU) 2022/868 — the Data Governance Act — designating the MDIA as the competent authority for data intermediation services and for the registration of data altruism organisations. The penalty factors under S.L. 591.03 mirror those in the AI Act implementation: nature, gravity, scale and duration of infringement; mitigating action; previous infringements; and financial benefits obtained from the breach.

Appeals from MDIA decisions under S.L. 591.03 lie to the Administrative Review Tribunal under the Administrative Justice Act (Cap. 490) — a further appellate route to map and understand.

The AI Act's Biometric Identification Provisions — A Special Case

One of the most practically significant and underanalysed aspects of the Maltese AI Act implementation is the framework for law enforcement use of biometric identification systems. S.L. 586.14 — the Artificial Intelligence (Designation of the Information and Data Protection Commissioner) Regulations — deals specifically with the deployment of post-remote biometric identification systems in criminal investigations.

Under S.L. 586.14, Regulation 7, a deployer of a high-risk AI system for post-remote biometric identification must obtain authorisation from a Magistrate — by means of an ex ante application, or without undue delay and not later than 48 hours after use has commenced — before deploying such a system in the context of an investigation for the targeted search of a person suspected or convicted of a criminal offence. If the Magistrate's authorisation is refused, use must be terminated immediately and all personal data linked to the system's use must be deleted.

The Information and Data Protection Commissioner is designated as the fundamental rights authority for AI Act purposes in this space — sitting alongside the MDIA as market surveillance authority — and has the power to receive complaints from natural or legal persons who consider there has been an infringement of the AI Regulations.

This creates a genuinely novel dual-authority structure in the law enforcement AI space. Criminal defence practitioners, civil liberties lawyers, and anyone advising law enforcement agencies on AI deployment need to understand precisely where the Commissioner's jurisdiction ends and the MDIA's begins. LexMT can map this — including any emerging case law on the interaction between Cap. 586 data protection enforcement and Cap. 591 AI Act supervision.

The Cybercrime Enforcement Dimension

LexMT's corpus also reveals that Maltese criminal courts are already sentencing individuals for computer crime offences under the Criminal Code (Cap. 9), Articles 337B and 337C — generating a nascent jurisprudence on proportionality and sentencing for digital offences. In Repubblika ta' Malta v Tyler Grima (Court of Magistrates (Criminal), 1015/2025, 2026), the Court of Magistrates found the accused guilty of unauthorised access and data modification under Article 337C(1) and 337F of Cap. 9, imposing a three-year probation order under Cap. 446 combined with a community service order of 100 hours — demonstrating that the courts are actively applying the suspended sentence framework to first-time digital offenders even where multiple charges are proved.

This kind of sentencing data — which only LexMT can surface quickly — is invaluable for practitioners advising clients facing computer crime charges, or for compliance officers assessing the realistic enforcement risk of a regulatory breach that might also attract criminal liability.

Where LexMT is Irreplaceable in This Space

The digital regulatory framework described above is entirely absent from global legal databases. Westlaw and LexisNexis do not index Maltese subsidiary legislation, do not hold MDIA recognition decisions, do not hold ART judgments on telecommunications regulatory appeals, and certainly do not map the interplay between S.L. 591.05, S.L. 586.14, Cap. 591, and Cap. 490.

LexMT holds all of it. Specifically, for practitioners in this space, LexMT can:

1. Compliance Gap Analysis — Map a client's AI system deployment against the high-risk classification criteria in Annex III of the AI Act as transposed, identify which MDIA registration obligations apply under S.L. 591.05, Regulation 8, and flag any documentation obligations surviving insolvency under Regulation 5.
2. Penalty Exposure Assessment — Quantify the realistic penalty exposure for a given infringement — distinguishing between operator and public authority penalty caps, calculating the daily penalty accumulation under the S.L. 591.05 framework, and mapping the mitigating factors most likely to be given weight by the MDIA based on analogous ART and regulatory tribunal decisions.
3. ART Appeal Strategy — Identify the procedural route and time limits for appealing MDIA decisions under Part IX of Cap. 591, and surface the ART's existing jurisprudence on regulatory authority decisions in analogous sectors to build an appellate strategy.
4. Regulatory Sandbox Applications — Under S.L. 591.05, Regulation 9, the MDIA is responsible for Malta's national AI regulatory sandbox, with a specific obligation to give priority access to SMEs and start-ups having a registered office or branch in the EU.
5. Multi-Regulator Coordination Analysis — The interaction between the MDIA, the MFSA, the MCA, and the Information and Data Protection Commissioner across the AI Act, Data Act, and Data Governance Act implementation creates a genuinely complex multi-regulator environment.
6. Draft Regulatory Documents — LexMT can produce immediately usable first drafts of: MDIA recognition applications; responses to MDIA enforcement notices; ART appeal submissions; AI system technical documentation under Article 11 of the AI Act; written undertakings under S.L. 591.05, Regulation 10(6); and Data Governance Act notification filings.

The Strategic Opportunity

The practitioners who develop deep fluency in this regulatory stack now — before the 2 August 2026 full entry into force of S.L. 591.05 — will own the market for AI compliance work in Malta for the next decade. The MDIA is actively building out its supervisory capacity. Enforcement actions will follow. ART jurisprudence will accumulate. And when it does, LexMT will be the only tool that holds it all.

Malta is a small jurisdiction with an outsized role in the global technology sector — igaming, fintech, blockchain, and now AI. The legal framework governing that sector is Maltese. The regulatory decisions are Maltese. The appeals are heard in Maltese tribunals. No global tool covers any of this. LexMT covers all of it.