Year in review: Fintech Law in Malta

GTG Legal

March 17 2026

This is an extract from Lexology In-Depth. Continue to In-Depth for the full content.

 All questions

Year in review

In 2023, the European Union issued MiCAR, establishing a unified regulatory framework for cryptoassets across the European Union. Drawing heavily from Malta's VFA Act, MiCAR regulates the issue and provision of services relating to cryptoassets that are not currently covered by existing financial services legislation, as well as asset-referenced tokens (ARTs) and e-money tokens (EMTs), with a primary focus on transparency, disclosure, authorisation and transaction supervision. As of 30 December 2024, MiCAR was fully enforced in  Malta, and the VFA Act is to be repealed by 3 July 2026.

In 2024, Malta enacted Chapter 647, the Markets in Crypto-Assets Act (the MiCA Act), bringing the VFA Act in line with MiCAR. Following the coming into force of the MiCA Act, the MFSA issued the Markets in Crypto-Assets Rulebook, which sets out rules applicable to entities within scope of the MiCA Act.

The Digital Operational Resilience Act (DORA) came into force on 17 January 2025. The aim of this new Regulation is to strengthen the cybersecurity and operational resilience of financial entities falling within its scope. The MFSA is the designated competent authority for digital operational resilience matters. On 8 March 2025, Legal Notice 71 of 2025 was issued to transpose the NIS2 Directive (Directive (EU) 2022/2555) into national law. The NIS2 Directive is an EU framework with the aim of enhancing cybersecurity across Member States and that has a broader scope than DORA. In January 2026 Malta also officially issued its intended transposition of the EU's Critical Entities Directive (Directive EU 2022/2557) into national legislation through the Resilience of Critical Entities and Infrastructures (Identification, Designation and Protection) Order 2026 (L.N. 5 of 2026).

On the other hand, the EU Cyber Resilience Act, which enhances cybersecurity standards of products that contain a digital component, requiring manufacturers and retailers to ensure cybersecurity throughout the life cycle of their products, entered into force on 10 December 2024. Its main obligations will apply from 11 December 2027. Furthermore, the EU AI Act, the world's first comprehensive regulation on artificial intelligence, entered into force on 1 August 2024, and the majority of its rules will apply as of 2 August 2026. Following this, Malta has put forward a draft AI strategy that tries to facilitate effective application for institutions that must operate under it. 

GTG Legal - Ian Gauci and Cherise Abela Grech