Regulatory framework in Malta for certification of Blockchains and Smart Contracts


09 May 2019

The country seeks to generate long-term value for businesses through the first regulation of its kind and one-of-a-kind certification

2018 marked a historical year for the blockchain and cryptocurrency industry, but even more notably, for the Mediterranean island country of Malta, a full member of the European Union since 2004.

Last November Malta had enacted 3 laws, creating a complete legal framework for blockchain technology. By doing this, Malta became the first country ever to establish official regulations for blockchain operators and following this news, several blockchain businesses moved their headquarters to the island. Malta’s blockchain laws sparked a great deal of interest due to their pioneering nature, but also as a result of their unparalleled concept.

  1. Virtual Financial Assets Act(“VFA Act”)lays out a regulatory framework for Initial Virtual Financial Asset Offerings and all enterprises dealing with Virtual Financial Assets (“VFA”). Business activities subject to the VFA Act include brokerages, crypto-exchanges (centralized and decentralized), wallet providers, asset managers, investment advisors, and market makers doing business in relation to virtual financial assets.
  2. The Malta Digital Innovation AuthorityAct (“MDIAAct”) establishes the Malta Digital Innovation Authority (“MDIA”), which is empowered to certify a platform’s innovative technology arrangement (“ITA”), that is, the technology behind the platform using distributed ledger technology (“DLT”) and smart-contracts. The MDIA also accredits Systems Auditors and Technical Administrators, who are key parts in the certification process. Once authorised by the MDIA, blockchain platforms should be able to establish a great deal of trust within the ecosystem, putting users’ minds at rest that a government authority has audited the system and the manner in which it treats user data.
  3. Innovative Technology Arrangements and Services Act ("ITAS Act”) sets out the regime applicable for the certification of the ITAs  and registration of technology service providers. ITA certification is voluntary except for two instances; when an ITA is being used by an Initial VFA Offering; or a gaming platform seeking to be licensed by the Malta Gaming Authority ("MGA")

Regulatory certification of ITAs

The application process for obtaining regulatory certification of ITAs is divided into two stages:

STAGE 1: Gathering requisite documents and filing a submission form to the MDIA. Once the MDIA is satisfied with general and specific requirements it issues a Letter of Intent.

STAGE 2: The System Auditor, appointed by the applicant, evaluates the platform and is responsible for issuing an opinion on it. The opinion is later reviewed by the MDIA, and if the assessment is satisfactory, the MDIA certifies the business in terms of the ITAS Act.

A technical administrator must be on-site at all times to verify that all statutory and regulatory pre-requisites have been addressed and oversee parameters and features as they develop hand-in-hand with regulation.

ITA certification is valid for a term of 2 years. 


To obtain certification, all applicants must meet generic and specific requirements as outlined by the Innovative Technology Arrangement Guidelines issued by the MDIA. 

In addition, ITA applicants must prove that their project abides by the purpose for which it has been established originally, and that the individuals involved are fit to carry out their functions as such. 

Applicants which are not habitually resident in Malta are required to appoint a Resident Agent whose purpose is to ensure compliance with statutory and regulatory requirements on on behalf of the applicant. 

Systems Audit

The applicant’s software must undergo a thorough review by a registered Systems Auditor, which must be an independent third party. 

The Systems Auditor’s task is to verify that the applicant’s system meets pre-defined general and specific standards with reference to the purposes, qualities, features, attributes and behaviours of the ITA.

There are two types of Systems Audit:

Type 1 Systems Audit: The Systems Auditor forms an opinion on whether a blockchain project is fairly explained and if the features within the project itself are fittingly crafted to meet the requirements. This is required for non-operative organisations (not yet live or which have operated for up to 6 months).

Type 2 Systems Audit: This covers the same points as defined in Type 1, but it also incorporates the auditor’s opinion on the features efficacy throughout the period covered by the audit. Type 2 is mandatory following 6 months from the platform’s launch date.  

Legal compliance and certification types

All applicants are strictly required to comply with the rules and regulations and follow the guidelines issued by the MDIA, in addition to their obligations under other laws governing the prevention of money laundering and financing of terrorism, protection of personal data and protection of consumers.

In terms of certification, two outcomes are potentially attainable, depending on the circumstances:

  1. Full certification – MDIA issues a certificate to the ITA stating the qualities, features, attributes, behaviours and aspects of the arrangement.
  2. Conditional certification – if one of the aforementioned requirements is not met within short times frames due to technical limitations, a conditional certification can be issued.


This is a new area of the law. Licences to VFA Agents have only just been issued and our fully owned company WHINNOVATION was amongst the first to be licensed. With time practice will develop and areas which require clarification will no doubt be clarified. 

If you have any queries, we will be happy to assist you. Kindly drop us an email at

This article does not constitute legal advice and does not establish a lawyer-client relationship with the reader.