AI Regulations come into force - IDPC designated as a Market Surveillance Authority for certain High-Risk AI Systems under Annex III of the AI Act

AI Regulations come into force - IDPC designated as a Market Surveillance Authority for certain High-Risk AI Systems under Annex III of the AI Act

 

13 October 2025

On 10 October 2025, the Government published Legal Notice 227 of 2025, entitled the Artificial Intelligence (Designation of the Information and Data Protection Commissioner for the purposes of Regulation (EU) 2024/1689) Regulations, 2025.

The Legal Notice, issued under the Data Protection Act, Chapter 586 of the Laws of Malta, designates the Information and Data Protection Commissioner as the Market Surveillance Authority (MSA) for the monitoring of certain high-risk AI systems, listed under Annex III of the EU AI Act. These are:

  • high-risk biometric systems insofar as the systems are used for law enforcement purposes, border management, and justice and democracy, where permitted by law;
  • high-risk systems intended to evaluate and classify emergency calls by natural persons or to be used to dispatch, or to establish priority in the dispatching of emergency first response services;
  • high-risk systems used for law enforcement, insofar as their use is permitted by law;
  • high-risk  systems  used  for  migration,  asylum  and border control management, in so far as their use is permitted by law; and
  • high-risk systems used for administration of justice and democratic processes.

The Legal Notice also provides for the use of real-time remote biometric identification system in publicly accessible spaces for the purposes of law enforcement and sets out, inter alia, that such processing shall be subject to a prior authorisation granted by a Magistrate. These systems shall be notified to the Commissioner, and the notification shall contain the information specified under Article 5(6) of Regulation (EU) 2024/1689 without including sensitive operational data. The same requirement of an ex-ante request for authorisation to a Magistrate shall also apply to high-risk AI systems involving post-remote biometric identification. 

The Commissioner, as the designated market surveillance authority of these high-risk AI systems, may institute enforcement action applicable to infringements of the Regulation (EU) 2024/1689 committed by operators. This may include the imposition of administrative penalties, warnings and non-monetary measures. Additionally, the legal notice provides that the Commissioner shall also be empowered to impose an administrative penalty on a public authority or body, where such an administrative penalty shall not exceed €50,000 for each infringement, together with a daily penalty of €50 for each day during which the infringement persists.

The legal notice is accessible here.