On 23 November 2022, Malta published its national strategy for 2022–2027 (dubbed “Digital Malta”) with the aim of positioning Malta as leader in digital transformation built around a vision of establishing digital as the key driving force for transformation. The national strategy underpinned various sectorial digital policies currently in place in Malta including Digital Innovation; eCommerce; and Cyber Security. In accordance with the European Commission’s Digital Economy and Society Index (DESI) report 2022, Malta ranks sixth out of 27 EU member states. The DESI report also states that since 2019, all Maltese households are reached by Very High Capacity Networks offering speeds of up to 1Gbps. Malta also records good scores on human capital, especially because of the high numbers of ICT graduates (6.6% of graduates in Malta, versus 4.2% in the EU) and performs slightly higher than the EU average in terms of ICT specialists (4.8% versus 4.6% in the EU). The large majority (77.9% versus 69.1% in the EU) of Maltese SMEs in Malta have at least a basic level of digital intensity and perform particularly well in the use of technologies such as big data and cloud solutions, which are used by 30% and 47.5% of enterprises in the country respectively. Malta has also focused on technologies such as blockchain and artificial intelligence. An improvement in the uptake of e-government services was also reported, with the share of e-government users reaching 82.97% versus 74.2% in the EU in 2022.

In Malta, the taxation of digital services and goods aligns with the European Union’s Value Added Tax (VAT) framework. The standard VAT rate is 18%, applicable to most digital products and services, including Software as a Service (SaaS). A reduced rate of 5% applies to specific categories, such as certain medical accessories and publications.

Challenges Companies Face in Managing Tax Compliance in Malta

Malta follows EU VAT rules, requiring digital service providers to charge VAT based on the customer’s location rather than the seller’s. This means companies must determine whether they need to register for VAT in multiple EU states or use the One-Stop Shop (OSS) system for simplified reporting.

VAT returns must be filed quarterly, while large taxpayers may be required to file monthly. Companies must also submit Intrastat declarations for EU trade and EC Sales Lists for cross-border digital services.

Foreign companies operating in Malta via remote services, cloud computing, or AI-driven platforms may trigger Permanent Establishment (PE) status, requiring them to register for corporate tax even if they don’t have a physical office.

In Malta, digital advertising revenues are subject to the country’s standard corporate tax rate of 35%. This applies to profits generated from digital advertising activities, including those conducted through online platforms and social media. Additionally, if digital advertising services are provided to consumers within Malta, they may be subject to the standard VAT rate of 18%. For business-to-business (B2B) transactions, the reverse charge mechanism often applies, where the VAT responsibility shifts to the recipient. To ensure compliance with Malta’s tax laws related to digital advertising, companies should implement best industry practices such as accurate record keeping, VAT registration and employ professional consultation.

In Malta, consumer protection for digital goods and services within the TMT sector is primarily governed by the Consumer Affairs Act (Chapter 378 of the Laws of Malta). This legislation addresses unfair commercial practices, misleading advertising, and ensures consumers’ rights are upheld in digital transactions. Additionally, the Data Protection Act (Chapter 586), which implements the EU’s General Data Protection Regulation (GDPR), safeguards consumers’ personal data during digital interactions. The Electronic Commerce (General) Regulations also play a role by outlining requirements for information provision and transparency in online services.

To uphold consumer rights in the digital economy, companies should ensure transparency, protect personal data and provide easy access to a customer support line.

The resolution of consumer complaints in Malta’s digital economy is guided by frameworks established under the Consumer Affairs Act. The Malta Competition and Consumer Affairs Authority (MCCAA) oversees consumer protection and provides mechanisms for dispute resolution. Consumers can file complaints with the MCCAA, which may mediate between the parties or refer cases to the Consumer Claims Tribunal for claims up to EUR10,000.

Best practices for TMT companies to handle consumer disputes effectively are standard best industry practices which include establishing a clear complaint procedure, maintaining comprehensive records and implementing constant staff training.

Legal Challenges and Opportunities

The introduction of the Markets in Crypto-Assets Act (MiCA) in Malta has significantly impacted the regulatory landscape for crypto businesses, bringing both challenges and opportunities. One major challenge is regulatory compliance, as businesses must now obtain Malta Financial Services Authority (MFSA) licensing under MiCA. This means that crypto exchanges, wallet providers, and issuers must meet strict operational, transparency and governance requirements. Additionally, anti-money laundering (AML) obligations have intensified, requiring enhanced due diligence, transaction monitoring and suspicious activity reporting under the Financial Intelligence Analysis Unit (FIAU) regulations.

Despite these challenges, Malta remains an attractive destination for crypto and blockchain businesses. The clear regulatory framework offers legal certainty for companies seeking a stable environment to develop crypto trading, tokenisation and decentralised applications. Moreover, Malta’s proactive approach to crypto regulation and AI integration positions it as a global leader in digital innovation, fostering economic growth and attracting foreign investment in blockchain-based solutions.

Regulation of Blockchain and Cryptocurrency in Malta

Malta has established a comprehensive legal framework to regulate blockchain and cryptocurrency, ensuring market integrity, investor protection and compliance with EU standards. MiCA fully transposes the EU’s MiCA Regulation, requiring crypto-asset service providers (CASPs), including exchanges, wallet providers and token issuers, to obtain MFSA licensing. Additionally, the Malta Digital Innovation Authority (MDIA) oversees blockchain technology providers, ensuring security, ethical AI integration and certification of technology arrangements. The FIAU enforces AML and counter-financing of terrorism regulations, requiring crypto businesses to implement due diligence, transaction monitoring and fraud detection mechanisms.

Highly Regulated Industries and Data Protection

Cloud computing is not yet expressly or specifically regulated in Malta; however, rules governing a standard level of network security and many industries, especially the banking and gaming sectors, address cloud computing.

These sectors are discussed below.

Financial Services

The financial services sector is a wide sector, with different sub-sectors such as banking, insurance and investment services, all of which are subject to broadly similar rules in relation to the outsourcing of a material service or activity. Such rules are issued by the MFSA, the competent authority to regulate all matters relating to banking and finance in Malta. Generally, the use of a cloud service would be considered as material, and notification is required to be given to the MFSA prior to engaging in the use of that service. A risk assessment of the arrangement, as well as the necessary due diligence, would normally also be required to ensure that the service provider is suitable. The MFSA has also released the “Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements”, which would more generally apply to the financial services sector as a whole. These guidelines take cloud computing into account and provide a practical framework for licence holders and requirements for different cloud computing service models – such as software as a service (SaaS) or platform as a service (PaaS) – requiring communication and information systems to protect the data they handle in transit and at rest; this data must only be accessible to authorised parties as and when needed. It is also worth noting that the MFSA places significant importance on ensuring that data stored in cloud environments is adequately secured against cyber threats, and that third-party providers undergo continuous monitoring and periodic audits to verify compliance with these standards.

They further provide that confidentiality, integrity, availability, authentication and non-repudiation should form the five pillars in the design of any technology arrangement implemented by a licensed institution. Additionally, institutions are expected to maintain a robust incident response plan that includes notification to the MFSA within specified timeframes if a breach or data loss occurs in the cloud environment. Cloud computing systems must also take into consideration the ISACA’s Guiding Principles for Cloud Computing Adoption and Use.

Gaming Law

The use by a Malta-licensed gaming provider of managed information technology services is regulated in accordance with the Gaming Authorisations Regulations (Chapter 583.05, Laws of Malta) as well as the “Policy on Outsourcing by Authorised Persons”, issued by the Malta Gaming Authority (MGA), the authority which regulates the gaming sector in Malta. These legal instruments state that cloud computing services would be considered a material gaming supply, which carry a number of risks to the operation of a Malta-based gaming licensee. Thus, the MGA recommends that such service providers be assessed and approved by it as part of the pre-licensing assessment or at the post-licensing stage. Where the licensee receives material gaming supplies from a third party not approved by the MGA, the licensee must assume full regulatory responsibility for such supplies. A licensee must also have a regularly updated outsourcing policy and a written agreement with the service provider containing a number of required provisions. The agreement must specifically include clauses addressing data confidentiality, subcontracting limitation, and the right of the MGA to audit or access data stored within the cloud infrastructure. Non-compliance with these requirements can result in penalties, including the suspension or revocation of the gaming licence.

Security of Network and Information Systems

The Measures for High Common Level of Security of Network and Information Systems Order (Chapter 460.35, Laws of Malta) transposes Directive (EU) 2016/1148 (the “NIS Directive”) into Maltese law and addresses cloud computing. (The NIS2 Directive however is yet to be transposed). The NIS Directive aims to implement measures for the achievement of a high common level of network and information system security across the EU’s critical infrastructure. The Order establishes a Critical Information Infrastructure Protection Unit (the “CIIP Unit”), which is responsible for matters relating to the identification and designation of operators of essential services and digital service providers, as well as the adoption of a national strategy on the security of network and information systems. The CIIP Unit works in collaboration with sector-specific regulators to establish clear reporting obligations for significant incidents affecting cloud services.

Malta has also implemented a cybersecurity strategy which had six main goals, including the establishment of a governance framework, the strengthening of the fight against cybercrime and national cyber defence, improving cybersecurity awareness and education, encouraging initiatives by the private sector, awareness and education, and building upon national and international co-operation. This strategy includes periodic reviews and updates to ensure alignment with emerging cybersecurity challenges, particularly those posed by reliance on cloud infrastructures and remote working models.

Data Protection

Malta is subject to the GDPR; the general rules in this respect apply also to the issues brought about by cloud computing. The most common issues here relate to the fact that most service providers in this field provide standard terms which are not easily negotiable and thus any data protection-related provisions may not always reflect the required GDPR standards if the cloud service provider is based outside the EEA. Additionally, transfers of personal data need to comply with specific safeguards, the most common being the use of the Commission’s Standard Contractual Clauses (SCCs). The SCCs were amended in June 2021 following the Schrems II judgment which invalidated the EU-US Privacy Shield. As a result, international transfers have become significantly more complex. A provider of cloud computing services established outside the EU would need to show compliance with the new standards in order to be considered GDPR compliant. Furthermore, organisations must conduct a Data Protection Impact Assessment (DPIA) when processing personal data in cloud environments that involve high risks to the rights and freedoms of individuals, particularly for sensitive or large-scale datasets. This ensures that risks are identified and mitigated before engaging a cloud provider.

Liability, Data Protection, IP and Fundamental Rights

Projects involving big data, machine learning (ML) and AI have one common factor in that they need to make use of vast amounts of data, which may be of a personal nature. This brings about challenges in relation to the management of such personal data in compliance with the GDPR and Maltese data protection law. ML and AI also raise various other legal issues, as outlined below, together with potential solutions.

Data Protection

An AI system needs extensive data to train and develop the algorithmic models on which it operates in order to provide an accurate output. Much of this data may be personal in nature, thus compliance with the GDPR and Maltese data protection law is necessary; however, the volume of personal data processed makes compliance more complex to achieve.

These obligations become particularly problematic in the case of ML and AI since access to and collection of personal data is generally restricted by law. Furthermore, personal data can only be processed for its original intended purpose and although the scope to reuse data for additional purposes has been widened by the Data Act, it is still limited. This legal requirement could limit the possibility of extracting new value from the combination of datasets. It should also be noted that, under the GDPR, decisions that were taken solely in an automated manner must allow for human review of that decision if it significantly affects the data subject. Additionally, the data subject has a right to an explanation as to how a decision was reached. Whilst these principles can stifle the development of ML and AI technology to some extent, they also ensure that such technology is developed in an ethical manner that respects human rights and the right to privacy of each individual. ML and AI companies and applications that involve the use of personal data can achieve trust by ensuring that they are compliant with the requirements of the GDPR, by implementing the necessary safeguards and ensuring that data protection is present at the design stage and by default.

Ethics

Closely related to the discussion of data protection is the matter of ethical development of ML and AI technologies. In October 2018, the Malta.AI Taskforce was set up by the Maltese government to advise on strategies, ethics and legal issues relating to the development of such technologies. One of the documents published by the Taskforce is the Ethical AI Framework which, though it does not have the binding force of law, lays down a set of guiding principles for trustworthy AI governance. The Framework builds upon the Ethics Guidelines for Trustworthy AI, published in April 2019 by the European Commission’s High-Level Expert Group on Artificial Intelligence (AI HLEG), and adds a number of control practices which aim to guide developers and users of ML and AI technologies in terms of how the principles set out therein should be translated in practice. The Framework sets out four ethical principles for trustworthy AI, namely:

• human autonomy – humans interacting with AI systems must be able to keep full and effective self-determination over themselves;
• preventing harm – AI systems must not cause harm at any stage of their life cycle to humans, the natural environment, or other living beings;
• fairness – the development, deployment, use and operation of AI systems must be fair; and
• explicability – end users and other members of the public should be able to understand and challenge the operation of AI systems as required for the particular use case.

Malta has set up a national AI Certification Programme, based on the Framework. Certification would provide applicants with acknowledgement that their AI system has been developed in an ethically aligned, transparent and socially responsible manner, in line with the principles and control practices established by the Framework.

Liability

Liability is often an issue when it comes to ML and AI technologies. It is not easy to establish who or what is legally responsible for the non-human decision-making of a machine. The matter becomes more complicated if the hardware and software performed precisely as they were intended and without a perceptible defect or malfunction of any kind. Malta does not have a dedicated legal framework to govern liability issues relating to ML and AI per se; however, a patchwork of legal provisions addresses the matter to a significant extent. Under the Maltese law of obligations, specifically the Maltese Civil Code (Chapter 16, Laws of Malta), one finds the general concept that a person should always show reasonable care in all their actions, and the standard of reasonable care which is required is that of a reasonable man (bonus paterfamilias). The corollary is that a person who causes harm by acting in a manner which falls below this standard would be liable to compensate for such harm.

Another relevant provision under the Civil Code provides that the owner of an animal, or any person using an animal during the time that such person is using it, is liable for any damage caused by it, whether the animal was under their charge or had strayed or escaped. With regard to this latter provision, academic writers have drawn a parallel with this situation and one where an AI system behaves disruptively or uncontrollably, stating that such provisions should be used in such a case.

Furthermore, in September 2022 the European Commission released the proposal for an AI Liability Directive. The directive seeks to provide legal certainty and address concerns surrounding liability, compensation and accountability. It focuses on clarifying liability issues related to AI systems such as determining who is responsible in cases where AI systems cause harm or damage. This directive could potentially play a pivotal role in Malta when determining liability when there has been the use of AI and ML.

On a final note, the Product Liability Directive (Directive 85/374/EEC) was transposed into Maltese law through part of the Consumer Affairs Act (Chapter 378 of the Laws of Malta), which brings into effect the concept of strict (no fault) liability into the product liability regime, subject to the limitations of the Product Liability Directive itself. Under the Product Safety Act, a product is safe if it meets all statutory safety requirements under European or national law (or in default thereof, Commission recommendations and codes of practice), and any distributor who supplies products which they should know to be unsafe (even having actual knowledge of this) would be liable.

The key legal frameworks applicable in Malta include the following.

• Data Protection Act (Chapter 586 Laws of Malta) – IoT manufacturers and service providers must ensure compliance with GDPR, particularly regarding consent, purpose limitation, data minimisation and user rights. Since it is not always feasible to obtain direct consent from users, alternative legal bases for processing data must be explored.
• The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 586.01)) – these Regulations govern the confidentiality of communications, addressing issues such as electronic tracking, consent for data collection and the security of communications.
• Data Protection Impact Assessments (DPIA) – companies deploying IoT projects must conduct DPIAs before launching a new device or service to identify and mitigate risks associated with data processing.
• EU Cybersecurity Act (Regulation (EU) 2019/881) – this regulation enhances cybersecurity across the EU by establishing a cybersecurity certification framework for ICT products, services and processes, including IoT devices.

Companies deploying IoT solutions in Malta face several compliance challenges that require careful regulatory adherence.

• Cybersecurity vulnerabilities – with no specific IoT security certification framework in place, organisations must rely on broader EU cybersecurity regulations. The Malta Cybersecurity Strategy provides guidance but lacks sector-specific standards for IoT devices, making it imperative for companies to implement their own robust security protocols.
• Spectrum allocation and numbering resources – the Malta Communications Authority (MCA) regulates spectrum allocation and numbering plans for IoT/M2M connectivity. Businesses must obtain the necessary authorisations and comply with MCA’s numbering framework to avoid service disruptions.

To effectively manage IoT deployments in Malta, companies should adopt the following governance frameworks.

• Regulatory compliance monitoring – organisations must stay updated on developments from the MCA, the Information and Data Protection Commissioner (IDPC), and other Maltese regulatory bodies to ensure continued compliance with evolving legal requirements.
• IoT device certification and standards compliance – although Malta does not have specific certification requirements, companies should voluntarily align with international security and interoperability standards such as ISO/IEC 27001 to enhance trust and market competitiveness.

Key Legal Requirements

The key legal requirements for IoT companies with respect to data sharing are as follows.

• Lawful basis for processing – IoT companies must ensure that any personal data collected and shared has a lawful basis under the Data Protection Act. This includes obtaining explicit consent from data subjects, performing tasks in the public interest, pursuing legitimate interests, etc.
• Transparency and purpose limitation – companies are required to inform data subjects about the purposes of data collection and ensure that personal data is not processed in ways incompatible with those purposes.
• Data minimisation and storage limitation – only data necessary for the specified purposes should be collected and shared, and personal data should not be retained longer than necessary.
• Data protection impact assessments (DPIA) – for high-risk data processing, such as large-scale IoT deployments, businesses must conduct a DPIA to evaluate and mitigate risks before launching new IoT services.
• Consultation with the Information and Data Protection Commissioner (IDPC) – processing biometric, genetic, or health data for public interest or research purposes requires prior consultation with the IDPC.

Thresholds

Whilst the Data Protection Act applies to all entities that process personal data in Malta or that target Maltese residents (regardless of whether it is based in Malta), specific thresholds do exist within Malta such as the following.

• Record-keeping requirements – IoT companies with fewer than 250 employees are exempt from maintaining records of processing activities unless they engage in high-risk processing, such as handling special categories of data or monitoring large-scale data processing.
• Appointment of a data protection officer (DPO) – a DPO is required if an IoT company engages in systematic monitoring of individuals on a large scale or processes special categories of data as a core activity.

Heightened Requirements

Malta imposes stricter regulations on the processing of certain categories of personal data, particularly:

• special categories of personal data as defined in Article 9 of the GDPR;
• health, biometric, and genetic data – processing these data types for statistical, scientific or research purposes requires prior authorisation from the IDPC; and
• identity documents and national identifiers – the processing of identity cards, passports or other national identifiers must be clearly justified and is permitted only under strict legal safeguards.

Audiovisual Service Requirements and Applicability – Broadcasting Licences

According to the Broadcasting Act (Chapter 350, Laws of Malta), no one may broadcast audio or video content in Malta for the entire country or any part of it without a written permit from the Malta Broadcasting Authority (MBA), nor may anyone broadcast audio or video content from Malta to any foreign country without a written permit from the MBA. The MBA may grant a broadcasting licence subject to the terms and restrictions it sees fit. These licences are likewise governed by the First Schedule of the Broadcasting Act. There are various classifications and types of licences, including:

• licences for nationwide television services;
• nationwide radio services;
• community radio services;
• satellite radio services;
• satellite television services; and
• other services which may be broadcast or provided on or by an electronic communications network.

The MBA may grant a general interest broadcast content licence or a commercial broadcast content licence in relation to national television services. A general interest goal service is a television broadcasting service that commits to airing a predetermined number of general interest programmes that are under the purview of a public service broadcasting service as defined by the National Broadcasting Policy.

A general interest objective service may be either a generalist service or a niche service. The latter refers to a television broadcasting service which predominantly transmits programmes of a limited number of genres of a specialist subject matter, whilst a “generalist service” means a television broadcasting service which transmits a wide range of programme genres. On the other hand, a “commercial television broadcasting service” means a television broadcasting service that is either a generalist service or a niche service that is not subject to the obligations of a general interest objective service.

An application for a broadcasting licence must be made to the MBA through the relevant licence application, some of the details of which are discussed below:

• in the case of a new nationwide TV station, arrangements have to be made in the first place with the service providers Melita Limited and GO plc, the two TV distribution networks on the island, prior to applying for a licence from the MBA;
• in the case of digital radio broadcasting (which is further regulated by Digital Radio Broadcasting Regulations (Chapter 350.29, Laws of Malta), arrangements have to be made in the first place with the licensed digital radio broadcasting service provider DigiB Network, prior to applying for a licence from the MBA; and
• satellite uplink services are licensed by the MCA, and the initial step in this case is to complete and return an application for a satellite earth station licence.

Audiovisual Media Services

A television broadcast or an on-demand audiovisual media service both qualify as audiovisual media services. A provider of an on-demand media service generally does not need a broadcasting licence as stated under the previous heading but they must notify the MBA in writing by sending a letter to the Chairman of the MCA before offering the service. This written notification must include the following information:

• in the case of a natural person, the name, surname and address, identity card number, passport number or any other identification document as may be accepted by the MCA; and
• in the case of a legal person, the name and address of the company and of the registered office.

An audiovisual media service transmitted by a media service provider falling under the jurisdiction of Malta must comply with specific provisions of the Broadcasting Act as to the content of its transmissions, as well as other provisions which may be relevant under consumer and press laws.

Requirements for Video-Sharing Platform Providers

A supplier of a video-sharing website based in Malta is subject to Maltese law. A provider of a video-sharing platform does not need a broadcasting licence as defined under the first heading in this section but they must nevertheless notify the MBA in writing by sending a letter to the Chairperson of the MCA that includes the following information:

• in the case of a natural person, the name, surname and address, identity card number, passport number or any other identification document as may be accepted by the MCA; and
• in the case of a legal person, the name and address of the company and of the registered office.

Video-sharing platform providers falling under the jurisdiction of Malta must also comply with specific provisions of the Broadcasting Act as to the content of its transmissions, as well as other provisions that may be relevant under consumer and press laws.

Technologies and Services That Fall Within the Scope of the Telecommunications Rules

The Maltese regulatory framework is modelled on its European counterpart. It is technology neutral. The primary pieces of legislation that govern telecommunications are the Malta Communications Authority Act (ECRA) (Cap 418 of the Laws of Malta) and the Electronic Communications (Regulation) Act (Cap. 399 of the Laws of Malta). Subsidiary Legislation includes the Electronic Communications Networks and Services (General) Regulations (ECNSR).

In terms of the ECRA, undertakings wishing to provide telecommunications services must notify the MCA to obtain a general authorisation. An authorisation is required to operate a telecommunications network and the provision of telecommunications services. A frequency licence is required for the allocation and use of spectrum. An individual licence or general authorisation is also required for the sale and use of radio equipment.

The following categories of services need to be notified to the MCA and as such fall within the MCA’s remit:

• voice communications services;
• internet access services;
• television and radio distribution services;
• interpersonal communications services; and
• services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

Importation into Malta

The importation of telecommunications equipment in Malta requires an import permit that has been raised against a Certificate of Conformity in line with the regulations laid down by the European Telecommunications Standards Institute (ETSI).

Security Requirements

Regulation 28 of the ECNSR imparts obligations on publicly available electronic communications networks and services. The main obligations include:

• take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of networks and services;
• adequately manage their risks while considering the state-of-the-art technology;
• report security incidents which significantly disrupt electronic communications networks and services to the MCA;
• the MCA may request from the providers any documentation necessary to assess the security of their networks and services; and
• the MCA may require providers to submit to a security audit.

Net Neutrality or “open internet” is applicable in the EU through Regulation (EU) 2015/2120. As Malta is an EU member state, the Regulation is directly applicable.

On the basis of the net neutrality principle, consumers control what to access and publish on the internet, without any restrictions. This means that an ISP must treat all traffic flowing over its network equally, irrespective of the content, the owner of the data, its origin or destination.

However, ISPs may need to implement traffic management policies in order to ensure the smooth running of the network. This notwithstanding, ISPs are restricted in the type of traffic management that they can apply. In fact, while doing so, ISPs need to ensure that any measures are reasonable and must satisfy the criteria of proportionality and non-discrimination.

In addition, ISPs may also implement internet access restrictions in the following exceptional circumstances:

• comply with Union and/or National law and Court Orders (eg, to block unlawful content as required by a Court Order);
• protect the integrity or security of their network (eg, to prevent cyber-attacks that occur through the spread of malicious software); or
• prevent impending network congestion that occurs temporarily and under exceptional circumstances (eg, congestion caused by a sudden and abnormal increase in the demand for specific content applications or services when compared to the average demand).

Emerging technologies such as 5G, the IoT and AI are significantly influencing Malta’s telecommunications legal framework. The MCA is actively involved in facilitating the deployment of 5G networks, recognising Malta as an ideal location for pilot studies and publishing a lightweight test and trial licensing regime to encourage innovation in this area. Furthermore, the MDIA, established in 2018, leads and advises the government on developments in innovative technologies, including AI. The MDIA has developed a national AI Strategy and is spearheading legislative changes to regulate AI in accordance with the EU’s AI Act.

Legal Considerations for Emerging Technologies in Malta’s TMT Sector

The MCA regulates spectrum allocation and 5G deployment, ensuring compliance with Malta’s National Roadmap for 5G. Companies must obtain spectrum licences and adhere to electromagnetic exposure regulations. IoT providers using machine-to-machine (M2M) communications must comply with Malta’s connectivity framework to ensure efficient numbering allocation and network security.

For AI-driven telecoms services, compliance with the Malta Digital Innovation Authority Act is essential. The MDIA certifies AI systems to ensure security and fairness, particularly for automated customer support, fraud detection and network optimisation. AI systems must align with the EU’s AI Act, preventing bias and unauthorised automated processing.

Malta enforces GDPR through the Data Protection Act (Cap. 586), requiring telecoms operators, IoT providers and AI platforms to protect personal data. The Office of the IDPC can investigate and fine companies for unlawful data use. Businesses using smart surveillance, biometric authentication, or AI-driven profiling must conduct DPIAs and ensure secure data processing in IoT networks.

Legal Framework Features

An entity that intends to enter into IT service agreements with another entity in Malta will be bound by the general concepts of Maltese contract law, unless the agreement stipulates that a different law should apply. As a general rule, the Civil Code (Chapter 16, Laws of Malta) provides that contracts legally entered into have the force of law for the contracting parties. Parties may go against what is stated in the general law by virtue of their agreement, unless there is a prohibition by the law itself by way of mandatory rules or because of a prohibition of public policy. IT service agreements would generally cover:

• a detailed description of the service;
• whether only services are being provided, or whether materials are also being supplied;
• the payable fees;
• term of contract and termination methods;
• ownership over any intellectual or other property produced during the term of the agreement;
• liability for the service provided and limitations thereon (usually governed by a Service Level Agreement);
• insurance;
• how changes to the agreement/services can be made;
• notifications to the other party;
• confidentiality, non-compete and non-solicitation;
• dispute resolution;
• data processing (where personal data is accessible by the IT service provider);
• independent relationship of the parties; and
• whether the contract can be transferred.

The above-mentioned provisions are relatively standard and provided that they have been agreed to by both parties, and that valid consent can be proved, a court would follow the terms of agreement between the parties when interpreting the contract, especially where the wording is unambiguous. However, lack of clarity and proper description of the expectations of the parties are the most common legal problems that have been encountered in relation to IT service agreements.

An IT service agreement will be valid even if not done in writing, but verbal contracts of this nature are most certainly not recommended.

Limitation of Liability

It is quite common for limitation of liability clauses to be included in service contracts. In this respect, it should be noted that in certain circumstances liability cannot be limited. One example is that where fraud is involved. This would invalidate the entire contract, including any limitation of liability clauses. Furthermore, Maltese jurisprudence has also held in various situations that liability cannot be limited in cases of gross negligence.

Maltese courts have on occasion also used reasoning similar to the “doctrine of fundamental breach” to invalidate limitation of liability clauses where the party commits a breach of the contract that is so fundamental that it deprives the other party of essentially the whole of the contract’s benefits. The Maltese courts have also invalidated limitation clauses on occasion simply because they were not brought to the attention of the weaker party, even though the clause itself was technically valid, although this would probably apply more readily in the case where the recipient of the IT service is a consumer. Where the IT service contract includes the provision of materials, one needs to consider that warranties against latent defects cannot always be excluded. Product liability issues may also need to be considered.

Penalty Clauses

IT services agreements frequently involve fines for non-performance or contract violations (for example, a breach of confidentiality or breach of the non-solicitation clause). Frequently, penalty clauses are pre-liquidated, so the sum due in the event of a certain violation would be specified in the contract itself. The Maltese courts would generally tend to uphold the penalty clause stipulated between the parties, unless the amount is grossly unfair to one of them. In this respect, it should be noted that the Civil Code provides that a court cannot abate or mitigate a penalty agreed between the parties except:

• if the service provider has performed the obligation in part, and the recipient of the service has expressly accepted the part so performed; or
• if the service provider has performed the obligation in part, and the part so performed is clearly useful to the recipient of the service.

In any such case, an abatement cannot be made if the recipient of the service, in undertaking to pay the penalty, has expressly waived their right to any abatement or if the penalty has been stipulated in consideration of mere delay. Therefore, it is important to consider the inclusion or otherwise of such wording in the contract.

Regulatory Matters

Under the GDPR and local data protection law, specific measures need to be put into place if personal data is to be transferred outside of the European Economic Area (EEA). Thus, should the IT service provider be based outside the EEA, and wish to access personal data held by the recipient of the service, a data processing agreement will need to be concluded in accordance with the European Commission’s Standard Contractual Clauses, unless other safeguards are in place.

Additionally, several companies that are subject to regulation demand that particular regulatory data be stored on EEA-based servers so that the appropriate regulatory authority can easily access it. The Malta Gaming Authority (MGA), which mandates that regulatory data be accessible, available and traceable, is one example. For this purpose, the MGA demands access to real-time information, which could present problems if such data is in a different jurisdiction or on the cloud. The matter can be solved by real-time replication of the data, on a live replication server in Malta, although this is not the only solution. Discussions with the MGA can serve to address these issues.

Challenges With Technology Agreements in Regulated Industries

Certain regulated industries, such as banking, insurance and gaming, are subject to greater restrictions than others due to their reliance on sensitive data, stringent compliance requirements, and potential risks to consumers and the economy. These industries are typically governed by sector-specific regulations that impose additional obligations when entering into technology agreements, including those for cloud computing, IT services and outsourcing.

Banking and insurance

The MFSA regulates the financial services sector and requires licence holders to comply with strict rules when outsourcing technology services. Key restrictions include the following.

• Materiality assessment – agreements involving critical services, such as data hosting or transaction processing, are deemed material and require prior notification or approval by the MFSA.
• Due diligence and risk management – institutions must assess the technical and financial capability of the service provider, evaluate data security measures, and ensure ongoing compliance with the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.
• Audit and access rights – agreements must include provisions granting regulators and the institution the right to audit the service provider and access necessary data for compliance and enforcement purposes.
• Cross-border data transfers – if the technology provider operates outside the EU/EEA, agreements must ensure compliance with the GDPR, particularly regarding international data transfers.

Gaming

The MGA imposes specific restrictions on technology agreements through the Gaming Authorisations Regulations and the Policy on Outsourcing by Authorised Persons.

• Approval of service providers – cloud computing or other IT service providers offering material gaming supplies must be approved by the MGA as part of the licensing process.
• Regulatory responsibility – gaming operators remain fully responsible for outsourced services, including ensuring compliance with AML and data protection laws.
• Mandatory contractual provisions – technology agreements must include clauses addressing data confidentiality, security and service continuity in case of operational disruptions.

Healthcare

Agreements involving patient data are subject to GDPR and local health data regulations, emphasising data security, confidentiality and accountability for processing sensitive personal data.

Telecommunications

Technology agreements must comply with network and information security obligations under the NIIS Directive, with an emphasis on ensuring system availability and resilience.

Telecommunications service providers in Malta operate in a highly competitive market. Companies seeking to purchase retail telecommunications services therefore stand to be in a relatively strong bargaining position which allows them to shop around and/or be able to negotiate pricing and services. 

In the retail space, the main elements to be included within service agreements are the following.

• Term of the agreement – retail customers should seek to negotiate short term agreements that would enable them to renegotiate on price, service levels and technology refresh.
• Pricing – prices should be fixed. If that is unsuccessful, methodology for price modifications should be specified.
• SLAs – negotiating appropriate SLAs that are fit for purpose and will enable the individual customer’s needs is paramount. In particular, resolution time and service credits or pre-liquidated damages should accurately reflect the severity of the breach.
• Scalability and volume discounts – if a customer increases the scope and scale of the services being purchased, the customer should be able to benefit from better tariffs.
• Termination clauses – ensure that your contract clearly sets out one’s right to terminate the agreement where the service that is provided (or not as the case may be) does not meet the promised service or performance levels.
• Auto-renewal clauses – customers should seek to avoid such clauses as they serve to lock them in.
• Force majeure – customers should ensure that this clause does not include any unreasonable excuse for the service provider to not provide the contracted services. 

When negotiating interconnection or access agreements, the party seeking interconnection or access should in the first instance verify whether the other interconnection/access provider is regulated, in which case it is likely that the MCA has imposed access and transparency obligations on that undertaking. In the event that such obligations exist, then the likelihood is that the interconnection/access provider is under an obligation to publish a reference interconnection/access offer which, amongst other things, would typically include non-discriminatory and cost-based tariffs.

The eIDAS Regulation (Regulation (EC) 910/2014) (the “eIDAS Regulation”) permits citizens, enterprises and public authorities to use electronic identification and trust services to access online services or handle electronic transactions. Through openness, security, technical neutrality, co-operation and interoperability, the eIDAS Regulation seeks to promote the efficient flow of trade throughout the EU. To uphold these ideals, the eIDAS Regulation ensures that individuals and organisations can access public services offered online in other EU nations using their own national electronic identification schemes (eIDs) and establishes a European internal market for trust services by guaranteeing that these services will function internationally and have the same legal standing as their conventional paper-based counterparts.

The eIDAS Regulation was transposed into the Maltese eCommerce Act and the Electronic Trust Services Notification and Fees Regulations SL 426.03 by virtue of Act XXXV of 2016, which also repealed or amended all local provisions that were previously in force but were inconsistent with the eIDAS Regulation. The Regulation deals with three types of electronic signatures: standard, advanced or qualified, as detailed below.

• An advanced electronic signature (AdES) is one that meets the following requirements:
1. it is uniquely linked to the signatory;
2. it is capable of identifying the signatory;
3. it is created using electronic signature creation data that the signatory can, with a high level of confidence, use it under their sole control; and
4. it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
• A qualified electronic signature (QES) is an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. In other words, a QES is an advanced electronic signature with a digital certificate that has been encrypted by a secure signature creation device through a qualified trust service provider (requirements for these are also in the law).

The eIDAS Regulation provides that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures (for example, with a scanned signature, one would need to prove its validity with additional evidence). On the other hand, a qualified electronic signature has the equivalent legal effect of a handwritten signature. If a qualified electronic signature is based on a qualified certificate issued in one member state, it must be recognised as a qualified electronic signature in all other member states.

Schedule 5 of the Maltese eCommerce Act lists certain activities/areas in respect of which an electronic signature is not valid:

• the field of taxation;
• matters in relation to information society services covered by any laws relating to data protection;
• questions in relation to agreements or practices governed by competition law;
• the following activities of information society services:
1. the activities of notaries or equivalent professions to the extent that they involve a direct and specific connection with the exercise of public authority;
2. the representation of a client and defense of their interests before the courts; and
3. gambling activities which involve wagering a stake with monetary value in games of chance, including lotteries and betting transactions;
• contracts that create or transfer rights over immovable property other than leasing rights;
• contracts of suretyship granted and on collateral security furnished by persons acting for purposes outside their trade, business or profession;
• the law governing the creation, execution, amendment, variation or revocation of:
1. a will or any other testamentary instrument;
2. a trust; or
3. a power of attorney;
• any law governing the making of an affidavit or a solemn declaration, or requiring or permitting the use of one for any purpose;
• the rules, practices or procedures of a court or tribunal however so described;
• any law relating to the giving of evidence in criminal proceedings; and
• any contracts governed by family law.

In relation to trust services, the European Union Trusted Lists (EUTL) is a public list of trust service providers (TSPs) that are specifically accredited to offer certificate-based digital IDs for individuals, digital seals for businesses, and time stamping services for Qualified Electronic Signatures in compliance with the eIDAS. Each EU member state generally supervises trust service providers established in that state; however, once approved in one member state, the service provider can be provided in other EU countries and accepted as having the same level of compliance. In Malta, trust service providers are supervised by the Malta Communications Authority.

Malta has also put into place the “eIDAS Node”, which complies with the EU Interoperability Framework and allows Maltese citizens to use the digital public services of other EU member states and conversely allows European citizens access to the digital services of the Maltese government.

The gaming industry in Malta is primarily regulated by the Gaming Act (Chapter 583 of the Laws of Malta), which provides the legal framework for all gaming activities within the jurisdiction. The MGA, established under this Act, is the primary regulatory body overseeing the licensing, compliance and enforcement of gaming operations. The Gaming Act is supplemented by subsidiary legislation, which provides detailed requirements on licensing procedures, operational standards and enforcement mechanisms. The MGA has also issued industry-specific Directives and Guidelines, ensuring operators adhere to principles of fairness, transparency and player safety.

The gaming industry in Malta faces several legal challenges, including:

• balancing local regulations with European Union laws, particularly regarding cross-border operations and licensing equivalence;
• increased scrutiny under the Financial Action Task Force (FATF) recommendations has amplified obligations related to anti-money laundering and combating the financing of terrorism.
• the rise of blockchain, cryptocurrency and artificial intelligence in gaming poses novel regulatory and enforcement challenges; and
• addressing problem gambling through effective player protection measures while maintaining operator competitiveness.

In Malta, the regulation of in-game purchases, loot boxes, and similar gambling elements falls under the scope of the Gaming Act, where such features are deemed to constitute a game of chance or a game of chance and skill combined (controlled skill game). The MGA assesses whether such mechanics qualify as gambling under Maltese law, focusing on elements such as monetary value, chance and player outcomes. Operators offering such features may require a licence and must comply with relevant provisions, including those on transparency and player protection. Specific requirements address ensuring fairness, disclosure of odds and the prohibition of deceptive practices.

Under the Gaming Act, a “minor” is defined as a person under the age of 18, except in specific instances prescribed under the Act or other regulatory instruments. The Act imposes strict restrictions to protect minors from exposure to gaming activities. It is unlawful to offer, permit, entice, or otherwise enable a minor to participate in gaming activities that are restricted to adults. This prohibition extends to granting access to gaming premises, selling gaming tickets, engaging minors in the provision of gaming services, or advertising and promoting such services to minors.

Game developers and operators must ensure that their products and services comply with these provisions by implementing robust age verification mechanisms and avoiding themes, content or marketing strategies that appeal primarily to minors. Advertising and promotional activities must align with regulatory guidelines, ensuring they do not directly or indirectly target individuals under the legal gaming age.

Furthermore, the Act includes a specific provision for land-based casinos, requiring that Maltese nationals under the age of 25 be excluded from using casino gaming services, highlighting an additional layer of local age-based restrictions.

For game developers offering interactive gaming products, compliance with these legal standards necessitates designing content and advertising strategies that respect the protection of minors while ensuring alignment with the Pan European Game Information (PEGI) age-rating system and applicable GDPR provisions.

The primary regulatory body overseeing the gaming industry in Malta is the MGA, established under the Gaming Act. The MGA is responsible for the regulation, supervision and enforcement of gaming activities, ensuring that all operations within its jurisdiction comply with legal and regulatory frameworks. Its mandate covers licensing, compliance monitoring, player protection and enforcement of gaming standards, including AML and combating the financing of terrorism (CFT) measures.

Additionally, certain aspects of gaming operations may fall under the oversight of other authorities, such as the Financial Intelligence Analysis Unit (FIAU) for AML compliance and the Office of the IDPC for data protection and privacy matters.

The MGA is vested with extensive enforcement powers under the Gaming Act to ensure compliance with regulatory standards. These powers include the following.

• Issuing administrative penalties and sanctions – the MGA can impose fines, suspend or revoke licences, and issue warnings for non-compliance with licensing conditions or legal requirements.
• Conducting investigations – it has the authority to investigate licensees and gaming activities, including requesting information, conducting audits and interviewing stakeholders.
• Ceasing operations – the MGA can order operators to cease operations or suspend gaming activities in cases of serious breaches.
• Freezing assets – it can freeze funds or assets where necessary to safeguard player interests or prevent illicit activities.
• Collaborating with other authorities – the MGA works in tandem with local and international law enforcement agencies and regulatory bodies to address complex cases, including cross-border operations.

The MGA actively enforces compliance through targeted actions. Notable examples include the following.

• Licence suspensions and revocations – in recent years, the MGA has revoked several licences for serious breaches of regulatory obligations, such as failing to meet AML standards, mismanagement of player funds, or operational irregularities.
• Fines for AML/CFT non-compliance – the Authority has imposed substantial fines on licensees found in breach of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). For instance, enforcement actions have been taken against operators who failed to conduct adequate customer due diligence or report suspicious transactions.
• Prosecution for unlicensed operations – the MGA has taken legal action against entities offering gaming services without the required licence, demonstrating its commitment to maintaining the integrity of the regulated market.

Game developers in Malta encounter several IP challenges, including:

• copyright infringement – unauthorised copying or distribution of game assets, software or creative elements such as music, graphics or storylines;
• trade mark issues – protecting game titles, logos and branding from misuse or infringement in competitive markets;
• piracy – the illegal replication and distribution of games on third-party platforms;
• ownership disputes – determining the ownership of IP created by employees, contractors or collaborators; and
• cross-border enforcement – enforcing IP rights in a digital environment where games are accessed and distributed globally, often leading to jurisdictional complexities.

Creators in Malta have robust IP protection under local law and international agreements. Key rights include:

• copyright protection automatically granted to original works, including software, artwork, music, and storylines. Developers can enforce exclusive rights to reproduce, distribute, or modify their works;
• trade mark registration – developers can register trade marks for game titles, logos and other distinctive identifiers, protecting them from unauthorised use in virtual and physical environments;
• patent rights – although less common, game developers can patent novel technical solutions or processes, such as unique game mechanics or software innovations;
• contractual protections – developers can use licensing agreements, non-disclosure agreements (NDAs), and employment contracts to safeguard IP ownership and usage; and
• international protections – Malta’s adherence to international treaties, such as the Berne Convention and the TRIPS Agreement, provides creators with extended IP protection across member states.

Key considerations for copyright in digital and virtual assets include:

• originality – copyright protection applies to original works that demonstrate creativity, including virtual assets like in-game items, environments and characters;
• ownership – developers must clearly define IP ownership in agreements with employees, freelancers and collaborators;
• licensing – clear licensing terms are crucial for digital assets, especially when assets are sold or transferred within games;
• fair use and derivative works – developers should be mindful of potential conflicts arising from user-generated content (UGC) and the adaptation of copyrighted works; and
• global accessibility – copyright enforcement in a virtual environment requires monitoring and addressing infringement across multiple jurisdictions.

Trade mark laws in Malta extend to virtual goods and services, provided the marks meet the requirements of distinctiveness and registrability. Key applications include:

• virtual branding – developers can trade mark logos, names and slogans used within games or on associated platforms, protecting them from imitation;
• protection in virtual environments – trade marks can be enforced to prevent unauthorised use of branding in metaverses, in-game economies or virtual marketplaces;
• merchandising – trade mark protection allows developers to expand into physical and virtual merchandise while maintaining control over branding; and
• international considerations – given the global nature of virtual goods, developers must consider trade mark registration in key jurisdictions to ensure comprehensive protection.

The implications for user-generated content (UGC) on IP rights include:

• ownership and licensing – clear terms of service are critical to define ownership and licensing rights for UGC, balancing user creativity with developer control;
• infringement risks – UGC may unintentionally or deliberately infringe third-party IP rights, exposing developers to legal liabilities;
• moderation and enforcement – developers must implement robust systems to monitor and moderate UGC to prevent IP violations;
• commercialisation – when monetising UGC, developers should ensure appropriate licensing arrangements and obtain permissions where necessary; and
• moral rights – developers must consider moral rights of UGC creators, such as the right to attribution, even in commercial gaming environments.

Relevant Laws and Regulations

Data protection

The Data Protection Act (Chapter 586 of the Laws of Malta), mandates strict guidelines for the collection, processing and storage of personal data. Organisations operating within Malta, including social media platforms, must adhere to the provisions under the Data Protection Act to ensure user privacy and data security.

Advertising standards

The Consumer Affairs Act (Chapter 378 of the Laws of Malta) regulates advertising practices, prohibiting misleading and deceptive advertisements. This Act applies to all forms of advertising, including those disseminated via social media platforms.

Broadcasting Act

While primarily focused on traditional media, the Broadcasting Act (Chapter 350 of the Laws of Malta) also encompasses certain aspects of online content dissemination, ensuring that content is accurate, fair and balanced.

Copyright Act (Chapter 415)

The Copyright Act (Chapter 415 of the Laws of Malta) protects intellectual property on social media, preventing unauthorised reproduction and distribution of content such as images, videos and music.

Trademarks Act (Chapter 597)

The Trademarks Act (Chapter 597 of the Laws of Malta) ensures brand protection on social media, preventing misuse of logos, business names and slogans.

Cybersecurity Act (Regulation (EU) 2019/881)

Strengthens online security by setting EU-wide cybersecurity standards for social media platforms.

Consumer Affairs Act (Cap. 378)

The Consumer Affairs Act (Chapter 378 of the Laws of Malta) regulates advertising and influencer marketing on social media to protect consumers from misleading promotions, hidden sponsorships and online scams, ensuring transparency in e-commerce and digital transactions.

Key Legal Challenges in Malta Regarding Social Media

IP Protection in the digital sphere

In Malta, the Copyright Act (Chapter 415 of the Laws of Malta) and Trademarks Act (Chapter 597 of the Laws of Malta) govern IP rights, including digital content on social media. However, enforcing these rights is challenging due to the rapid and widespread sharing of copyrighted materials across platforms.

Cybersecurity and misinformation risks

Malta’s cybersecurity framework is still evolving, with no specific social media cybersecurity law beyond existing criminal code provisions and the Cybersecurity Act (Regulation (EU) 2019/881). The lack of platform-specific legislation means that enforcement often relies on reporting mechanisms within social media platforms, which are not always effective in addressing fake accounts, deepfake technology or cyberbullying incidents.

Malta Communications Authority (MCA)

The MCA regulates electronic communications and eCommerce in Malta, ensuring compliance with online service standards. Its relevance to social media lies in monitoring ISPs and digital platforms. It has investigative and enforcement powers, including the enforcement of fines and sanctions for non-compliance with electronic communications regulations.

Office of the Information and Data Protection Commissioner (IDPC)

The IDPC enforces data protection laws, particularly under the GDPR and Malta’s Data Protection Act. It oversees social media platforms by ensuring lawful processing of personal data and user privacy compliance. It has the authority to investigate breaches, issue fines and order the cessation of unlawful data processing.

Malta Competition and Consumer Affairs Authority (MCCAA)

The MCCAA safeguards consumer rights and fair trading, including advertising and marketing on social media. It ensures that businesses and influencers comply with truthful advertising standards and avoid deceptive practices. Its enforcement powers include investigations, consumer complaints handling and legal actions against misleading online content.