Malta Implements EU AI Act and Data Act: A Business Compliance Guide

The regulatory landscape for technology in Malta is undergoing a major transformation. Business leaders and innovators must take note of two critical new Legal Notices (L.Ns) that implement major EU regulations.

These new rules, L.N. 226 of 2025 (the AI Act) and L.N. 222 of 2025 (the Data Act), designate local enforcement bodies and establish significant new compliance obligations for any organization deploying AI or using data.

With steep administrative penalties and new operational requirements, preparing now is not just recommended, it is essential. This guide breaks down what you need to know and the actionable steps to take.

Key Takeaways for Your Business

• New Laws Enacted: Malta has officially implemented the EU AI Act (via L.N. 226 of 2025) and the EU Data Act (via L.N. 222 of 2025).

• Primary Enforcer: The Malta Digital Innovation Authority (MDIA) is the lead competent authority for most provisions of both Acts.

• Key Timeline: Rules for high-risk AI systems (including documentation and registration) will come into force on August 2, 2026.

• Significant Penalties: Non-compliance with the AI Act can lead to administrative penalties of up to €350,000 or 1% of total worldwide annual turnover, plus daily penalties.

• SME Support Available: The MDIA will provide support for small and medium-sized enterprises (SMEs), including priority access to the national AI regulatory sandbox.

The EU AI Act in Malta (L.N. 226 of 2025)

This regulation implements the landmark EU AI Act, creating a legal framework for the development and deployment of Artificial Intelligence. Its primary goal is to ensure that AI systems used in the EU are safe and respect fundamental rights.

Enforcement and Key Dates

The Malta Digital Innovation Authority (MDIA) is designated as the market surveillance authority and the single point of contact for the AI Act. For high-risk AI systems in the financial sector, the MDIA will coordinate with the Malta Financial Services Authority (MFSA).

The most critical date for businesses is August 2, 2026, when key regulations for high-risk AI systems, including documentation, registration, and sandbox rules, come into force.

Penalties for Non-Compliance

The penalties for non-compliance are severe and designed to ensure accountability. Operators face:

• Administrative penalties up to €350,000 or up to 1% of total worldwide annual turnover, whichever is higher.

• Possible daily penalties of €12,000 for ongoing infringements.

The EU Data Act in Malta (L.N. 222 of 2025)

This regulation implements the EU Data Act, which establishes rules for fair access to and use of data. It aims to unlock the value of industrial data, giving both businesses and consumers more control over the data generated by their connected devices.

Enforcement and Penalties

• Enforcement: The MDIA is the competent authority for most provisions and acts as the data coordinator. The Malta Communications Authority (MCA) is responsible for enforcing specific articles (23-31, 34, and 35).

• Penalties: Infringements are subject to penalties based on several factors, including the gravity, scale, and duration of the infringement, any previous infringements, and the infringing party's annual EU turnover.

4 Actionable Steps to Prepare for AI Act Compliance

For any organization developing, deploying, or importing AI systems, proactive preparation is key. Here are the immediate steps to focus on:

1. Identify & Register High-Risk AI Systems: The most urgent task is to audit your current and planned AI systems to determine if they fall under the "high-risk" category as defined by the Act. Providers or authorised representatives of these systems must register them with the MDIA.

2. Establish Documentation Retention Policies: Providers or authorised representatives established in Malta are required to keep key conformity documents available for national authorities for ten (10) years. This necessitates robust internal data governance and documentation protocols.

3. Prepare for Language Requirements: Importers of AI systems must be ready to provide all conformity documentation in either Maltese or English upon request from the authorities.

4. Leverage SME & Start-up Support: If you are an SME or start-up, you are not alone. The MDIA is mandated to provide support, including priority access to the national AI regulatory sandbox and tailored support and training

How Our Experts Can Help You Navigate This

These new regulations create significant technical and strategic challenges. As specialists in data science and AI integration, we are uniquely positioned to help you turn these compliance hurdles into competitive advantages.

• AI System Audits: We can help you audit your existing AI tools and data science projects to identify which systems qualify as "high-risk" and what your specific obligations are.

• AI Upskilling & Literacy: Don't let your team navigate this alone. Our tailored AI literacy and upskilling courses can train your staff to understand these new legal responsibilities and foster a culture of compliant innovation.

• MDIA Sandbox Guidance: The AI regulatory sandbox is a powerful tool. We can guide your SME or start-up through the application process, helping you test your innovations in a safe and supported environment.

Frequently Asked Questions (FAQ)

Q: Who enforces the new AI Act in Malta? 

A: The Malta Digital Innovation Authority (MDIA) is the primary market surveillance authority. It coordinates with the MFSA for high-risk AI in financial institutions.

Q: What are the penalties for breaching the AI Act in Malta? 

A: Penalties can be up to €350,000 or 1% of total worldwide annual turnover, whichever is higher, plus possible daily penalties of €12,000.

Q: When do the high-risk AI rules start? 

A: Key regulations for high-risk AI systems, such as documentation and registration, come into force on August 2, 2026.

Q: Is there any help for small businesses (SMEs) to comply? 

A: Yes. The MDIA will provide priority access to the national AI regulatory sandbox and offer tailored support and training specifically for SMEs and start-ups.

Read the Full Regulations:

• L.N. 226 of 2025 (AI Act): https://legislation.mt/eli/ln/2025/226/eng

• L.N. 222 of 2025 (Data Act): https://legislation.mt/eli/ln/2025/222/eng

• EU Data Act (Full Text): https://mdia.gov.mt/services/the-data-act/

• EU AI Act (Full Text): https://mdia.gov.mt/services/artificial-intelligence/

Disclaimer: This article provides a general overview and is for informational purposes only. It does not constitute legal or professional advice. Always consult with a qualified professional for advice specific to your situation.