The Boardroom Brief | Dr Ian Gauci, Managing Partner GTG Legal on Building Legal Certainty in AI, Crypto and Digital Regulation
With more than 25 years at the forefront of technology law, Dr Ian Gauci has advised governments, regulators and businesses on the legal frameworks shaping digital innovation. In this edition of the Boardroom Brief, he reflects on Malta’s early move into blockchain regulation, the growing complexity of Europe’s AI and crypto rules, and why legal certainty has become a competitive advantage for businesses operating in regulated sectors. He also shares his perspective on the future of European supervision, the importance of integrated governance, and Malta’s evolving role as a hub for technology, fintech and digital assets.
Dr Gauci, you have spent over 25 years advising governments, regulators and businesses on technology law. What drew you to that space originally?
Honestly, it was timing more than design. I graduated at a moment when Maltese law had barely begun engaging with electronic communications, and there was no obvious path into what we now call technology law. I started doing work for the MCA on e-commerce, then on electronic signatures, then on trust services, and each piece opened the next. What kept me there was a particular kind of intellectual unease. Technology consistently asked questions our legal categories had not been built to answer, and somebody had to do the building. Over time it became clear that the most useful place to stand was at the intersection of policy, regulation and practice. Close enough to the technology to understand it, but rigorous enough about the law that the advice would survive contact with a regulator. That is still where I try to operate.
Back in 2017 you served on Malta's National Blockchain Strategy Taskforce at a time when many countries had yet to even consider how to regulate digital assets. What was the thinking behind Malta's early move, and how has it shaped the country's reputation as a crypto asset hub?
We had a small jurisdiction with a working financial services framework, a mature gaming regulator and serious technical capacity. The taskforce identified that distributed ledger technology raised questions of legal certainty that no European framework was then addressing, and that Malta had a genuine comparative advantage in moving first. What we built in 2018 is what allowed Malta to absorb MiCAR and DORA without rupture and faster than others. The reputation followed the framework, not the other way round.
AI is transforming virtually every sector and the legal landscape around it is evolving rapidly. Where do you see the most exciting opportunities for businesses that get their AI strategy right from a legal perspective?
The opportunity is for businesses that treat AI governance as a competitive asset rather than a compliance cost. Under the AI Act, risk-based obligations are not merely about avoiding fines but about building trust by design. The truth, however, is that most of the exciting stuff in AI right now is being done by people who do not really understand what they are walking into legally. The AI Act gets a lot of attention but it does not sit alone. It rubs against MiFID, against DORA, cyber resilience, data obligations, and cybersecurity laws as well as against things that are still being written. If you are building something serious in a regulated space, you cannot treat the legal side as something you bolt on at the end. What I find interesting is the clients who come in early, before they have a product, and want to think about it properly from the start, at a design stage. Those are the ones who actually get somewhere.
You have been vocal recently on the debate around ESMA's proposal to centralise supervision of crypto firms, arguing that the real risk is fragmented accountability rather than regulatory inconsistency. Do you think Europe is approaching this the right way?
The way the press is framing this is wrong. It is being painted as Malta against the Commission. It is not. Our arguments are not jurisdictional. They are about the structure itself and how it would behave anywhere in the Union you apply it.
A large CASP is one firm. One stack. One risk profile. The proposal takes that one firm and splits the supervision of it between ESMA, the national authority and AMLA. Then you have DORA on top asking for an integrated view of operational and IT risk for the same firm. Once you split it like that, the unity is gone.
What worries me more is what sits underneath all of this. Subsidiarity. Once you centralise one pillar, you do not stop there. The other pillars start tilting with it. So the real question is whether Europe wants supervisory depth or supervisory scale. Right now the proposal is confusing the two.
From a legal perspective, what is the case for businesses choosing Malta as a place to innovate and grow?
The case is no longer the case it was in 2018. The first mover story has matured into something more substantive. Malta has an EU passport, a financial regulator with hands-on experience of MiCAR, DORA and the EMI and PI regimes, a digital innovation authority with a working certification framework, and a gaming regulator that understands software risk better than most prudential supervisors. The MFSA fintech sandbox is operational and the MDIA technology assurance sandbox sits alongside it. Add proximity. To policymakers, to regulators, to the industry and advisors. You then have a jurisdiction where serious questions can be answered quickly and authoritatively. Malta does not pretend to be the largest market. It offers something different. Legal certainty, institutional access and regulatory seriousness in a workable size.




