Technology Assurance Sandbox

MDIA, that is, the Malta Digital Innovation Authority, was established in 2018 to encourage the uptake of innovative technology, particularly newly deployed solutions, whilst ensuring that such technologies are deployed in line with recognised standards through its certification program, to provide technological assurance to a wide variety of stakeholders such as investors developers, solution users and the general public.

MDIA’s new flagship utility is the MDIA-TAS (Technology Assurance Sandbox) and is intended to guide solution owners throughout a residency of at most two years, as they align their solution with established Control Objectives based on international standards, in a phased and gradual approach. At the end of each phase an independent third-party technical assessment is conducted by a selected MDIA-authorised Systems Auditor (or an MDIA recognised Technical Expert as per conditions in latest Sandbox Program Guidelines), until applicant is in line with all Control Objectives and/or proposed Milestones. It is always recommended that the latest Guideline Document is referred to for up-to-date superseding information about Sandbox. After a defined number of assessments, Applicant will be in a position to obtain the full MDIA certification – indicating that the solution provides technological assurances for various stakeholders, including users and investors.

The Sandbox is designed with start-ups and smaller players in mind. It grants ultimate flexibility in the selection of which controls shall be applicable at which  stages within the Sandbox residency, as defined by applicants themselves, thus seamlessly integrates within the development plans of the individual applicant. The MDIA-TAS also presents low administrative costs and the possibility of applying for government grants to substantially cover System Auditor Assessment related costs.

The sandbox is based on a gradual attainment of technological assurances, together with uncompromised legal certainty, provided through requirements such as, due diligence processes of applicant the appointment of a Technical Officer who is duty bound to report and act in case of technology failure, and the setup of a forensic node to keep an audit log of the underlying system’s operations and transactions, and thus supporting possible investigation.

Forming part of the MDIA-TAS brings about a number of advantages to the applicant:

• It allows the development of the solution in line with predefined control objectives aligned with international standards, thus avoiding reducing the risk failure which would adversely affect users.
• It provides technological assurance to investors and end users, providing certainty in the functional correctness and dependability of such technologies and the underlying operational processes, thus making the solution a notch more attractive.
• Provides legal and regulatory certainty even in line with developing EU regulations in technological camps.
• Provides a competitive edge to competing solutions
• Ensures that following sandbox residency, MDIA certification process is seamless.

Residency in the MDIA-TAS will be phased in a manner which is appropriate for each particular applicant. Despite the different conditions, all participants will go through three main phases, namely:

1. Standard onboarding phase – Onboarding starts when the Applicant submits a completed ITA Application Form, identifying the Technical Officer through the Technical Officer Application Form. The Application form shall be accompanied by a Residency Plan which describes how the ITA will develop throughout its Sandbox Residency, a Sandbox Blueprint providing a description of the technology and a Business Plan. MDIA shall evaluate all Application Forms received against published Evaluation Criteria. Upon being notified of a positive outcome, the ITA is to contact and appoint an MDIA-licensed Systems Auditor, which shall perform the initial and subsequent Soundness Assessments throughout the Sandbox Residency. The applicant thereafter agrees to the MDIA-TAS ITA and TO Terms and Conditions and is considered to be a full resident of the Sandbox.

2. Monitored sandbox residency phase – In line with the defined Residency plan, Sandbox Residents shall trigger iterations of Technical Soundness Assessments which shall be in turn sent to the Authority for their endorsement. Any changes to the Technological Arrangement or the Technical officer are to be submitted to the Authority through a Change Request Form. All changes shall be evaluated which can either be  accepted or rejected.

3. Standard offboarding phase – Sandbox residents can exit in one of these ways: (i) when the ITA has advanced to full deployment and operations and proceeds to apply for full MDIA certification; (ii) the ITA provider chooses to withdraw from the sandbox for any reason at any stage; (iii) the Resident proposes changes to the conditions which are not accepted by the Authority; or (iv) the Authority decides to remove an ITA in case of violation of conditions, (v) the Authority decides to remove an ITA in case of failed milestone assessment or (vi) the MDIA terminates or suspends the sandbox. Any issues identified shall be first discussed with the applicant and the Authority may grant the applicant the opportunity to rectify prior to passing onto the standard off-boarding process.

All information related to MDIA sandbox processes is available from the Authorities official website mdia.gov.mt/sandbox under section Technology Assurance Sandbox.