AI Legislative Guide
Malta (Europe)
Firm: Ganado Advocates
Contributors: Paul Micallef Grimaud

| Has specific legislation, final regulations or other formal regulatory guidance addressing the use of AI in your jurisdiction been implemented (vs reliance on existing legislation around IP, cyber, data privacy, etc.)? | Yes. Regulation (EU) 2024/1689 ("AI Act") is directly applicable across all EU Member States, including Malta. In October 2025, Malta enacted its first AI-specific national regulations to implement the AI Act and formalise a domestic AI governance framework. Legal Notice 226 of 2025 under the Malta Digital Innovation Authority Act (Chapter 591 of the Laws of Malta), and Legal Notice 227 of 2025 under the Data Protection Act (Chapter 586 of the Laws of Malta) implement the AI Act in Malta, with the Malta Digital Innovation Authority (“MDIA”) and the Information and Data Protection Commissioner ("IDPC") assigned clear supervisory and enforcement roles. Other legislation has also been amended to address the use of AI. Notably, the AI Act has been included in the schedule to the Representative Actions (Consumers) Act (Act XVII of 2023), thereby enabling consumer associations to bring representative actions for breaches of AI-related consumer protection obligations. In addition, the Processing of Personal Data (Secondary Processing) (Health Sector) Regulations (Subsidiary Legislation 528.10) provide a legal basis for the secondary use of health data by public health providers for purposes such as research, innovation and system planning, which may include AI-driven applications. |
| Please provide a short summary of the legislation/regulations/guidance and explain how legislators aim to strike the balance between innovation and regulation. | Legal Notice 226 of 2025 positions the MDIA as the central pillar of AI governance in Malta, designated as the primary market surveillance authority ("MSA") and the point of contact for most matters related to the AI Act. In addition, the MDIA is tasked with establishing and operating Malta's AI Regulatory Sandbox. The MDIA is also granted significant enforcement powers, including the ability to impose administrative penalties. Legal Notice 227 of 2025 carves out a specialised supervisory role for the IDPC, leveraging its expertise in data protection. The IDPC is designated as the MSA for a specific list of high-risk AI systems that process sensitive data or have significant implications for fundamental rights. The IDPC's jurisdiction covers high-risk AI systems related to biometrics, law enforcement, migration and border control, and the administration of justice and democratic processes. Taken together, this dual‑authority model seeks to strike a balance between fostering innovation and ensuring robust safeguards. The framework promotes technological development, particularly through mechanisms such as the MDIA‑led regulatory sandbox, while maintaining strong oversight of high‑risk applications through the IDPC to safeguard fundamental rights and data protection principles. |
| Which agency regulates the use of AI in your jurisdiction? | Malta operates a dual-authority model, with the MDIA as lead regulator and the IDPC holding a specialised role. By virtue of Legal Notice 226 of 2025, the MDIA is designated as Malta's lead MSA and the national competent authority for the purposes of the AI Act. Legal Notice 227 of 2025 also empowers the IDPC as an MSA in respect of specific categories of high-risk AI systems, particularly those involving law enforcement, biometrics, and other areas with heightened implications for fundamental rights. The IDPC additionally serves as Malta's Fundamental Rights Authority ("FRA") under the AI Act. When high-risk AI systems are involved in the financial sector, coordination is also ensured between the Malta Financial Services Authority ("MFSA") and the MDIA. |