Malta has formally established its national framework for the EU’s Artificial Intelligence Act (AI Act) through two recently published legal notices. These regulations appoint the key national authorities responsible for supervision and enforcement, clarifying the compliance landscape for businesses developing or deploying AI systems in Malta. The new rules designate the Malta Digital Innovation Authority (MDIA) as the primary regulator, while assigning specific oversight for data-sensitive and high-risk AI systems to the Information and Data Protection Commissioner (IDPC).
L.N. 226 of 2025 (Artificial Intelligence Regulations, 2025) positions the MDIA as the central pillar of AI governance in Malta. It is designated as the primary market surveillance authority and the single point of contact for most matters related to the AI Act. Key responsibilities and powers assigned to the MDIA include:
- Primary Supervision: The MDIA will serve as the default market surveillance authority for the AI Act in Malta.
- Notifying Authority: The MDIA will also act as the Notifying Authority, responsible for authorising conformity assessment bodies that certify high-risk AI systems.
- Coordination Role: It is tasked with ensuring coordination with other national bodies, such as the Malta Financial Services Authority (MFSA) for high-risk AI systems used by financial institutions.
- Regulatory Sandbox: The MDIA is responsible for establishing and running the national AI regulatory sandbox. This initiative is designed to foster innovation by allowing businesses, particularly SMEs and start-ups, to test AI systems in a controlled environment.
- Enforcement and Penalties: The MDIA is granted significant enforcement powers. It can impose administrative penalties of up to €350,000 or 1% of worldwide annual turnover (whichever is higher) on operators for infringements of the AI Act. It may also issue daily penalties of up to €12,000 for ongoing infringements.
L.N. 227 of 2025 (Artificial Intelligence (Designation of the Information and Data Protection Commissioner for the purposes of Regulation (EU) 2024/1689) Regulations, 2025) carves out a specialised supervisory role for the IDPC, leveraging its expertise in data protection. The IDPC is designated as the market surveillance authority for a specific list of high-risk AI systems that process sensitive data or have significant implications for fundamental rights. The IDPC’s jurisdiction includes:
- Specific High-Risk Systems: The IDPC will oversee high-risk AI systems related to biometrics, emergency calls, law enforcement, migration and border control, and the administration of justice and democratic processes. This includes, for instance, AI systems intended to be used for emotion recognition, or to assess the risk of a person becoming the victim of criminal offences.
- Prohibited AI Practices: The IDPC is tasked with enforcing the rules in respect of prohibited AI practices, such as systems that create facial recognition databases by indiscriminately scraping facial images from the internet or CCTV footage.
- Judicial Oversight for Biometric Identification: The regulations establish strict safeguards for the use of real-time remote biometric identification systems in public spaces for the purposes of law enforcement. Such use requires prior authorisation from a Magistrate. In urgent situations, real-time remote biometric identification systems may be used, but authorisation must be sought within 24 hours.
- Fundamental Rights Authority: The IDPC is also designated as the fundamental rights authority concerning the protection of personal data within the context of the AI Act.
The publication of these legal notices provides much-needed clarity on how the AI Act will be enforced in Malta. The dual-authority structure leverages the technical expertise of the MDIA and the data protection expertise of the IDPC. The bulk of these local law provisions will come into force simultaneously with the majority of the AI Act’s provisions. Therefore, on 2 August 2026, the time for theoretical preparation ends, and the era of compliance begins.