Legal & Regulatory Updates - December Issue
Welcome to the fourth and final edition of our Legal & Regulatory Updates for 2025. In this issue, we bring you the latest developments designed to keep you informed and ahead in a fast-evolving landscape. We cover:
- Interplay between the Digital Services Act (DSA) and the General Data Protection Regulation (GDPR): EDPB Guidelines 3/2025
- Digital Omnibus Package: How the EU is reshaping the digital landscape – Part I
- Navigating Wages in Malta
- The Appointment of Process Agents in Cross-Border Transactions: Ensuring compliance with Maltese procedural law
- Due Diligence in the Age of Synthetic Reality: Managing Deepfake AI Risks
We hope you find this edition informative and engaging.
We strive to provide content that is both relevant and practical, offering legal insight that supports sound decision-making. Your feedback is always appreciated as we continue to refine and enhance our publications.
Yours sincerely,
GVZH Advocates
Disclaimer: The content of this newsletter is for informational purposes only and should not be construed as legal advice.
Welcome to the latest edition of our Legal & Compliance Bulletin. This issue brings together notable legal, regulatory, and compliance developments across a range of sectors, focusing on changes that may have practical implications for your organisation. Our aim is to keep you informed and well-prepared in an evolving regulatory landscape.
Outlined below is an overview of the key updates from this quarter:
Malta Gaming Authority (MGA)
- On 1 December 2025, the MGA announced the results of its second ESG Code of Good Practice reporting cycle, awarding ESG Code Approval Seals to a new cohort of online gaming licensees. This confirms ongoing supervisory focus on ESG reporting and transparency requirements for licensees who voluntarily sign up to the Code.
- On 7 October 2025, the MGA launched a self-assessment tool to help individuals evaluate their gambling habits, as part of its safer gambling framework.
- On 31 October 2025, the MGA published findings of a thematic review on betting activity on Maltese football competitions, looking at patterns of betting, integrity risks, and supervisory expectations.
- On 30 October and 27 November 2025, the MGA issued multiple notices listing websites and entities with which it has no connection, clarifying misuse of the MGA name and logo and warning the public and operators.
Malta Financial Services Authority (MFSA)
- On 2 October 2025, the MFSA issued a circular to credit institutions (including foreign branches) on the 2026 Single Resolution Fund (SRF) Ex-Ante Contribution – Data Reporting Form (DRF).
- On 7 October 2025, the MFSA issued a circular to credit institutions (including foreign branches) on Supervisory Reporting Requirements (ITS v4.1). The circular aligns local supervisory reporting obligations with the updated European Implementing Technical Standards, introducing revised reporting templates and updated submission timelines.
- On 6 October 2025, the MFSA issued a Conduct of Business Circular describing the Spanish CNMV’s position on advertising of crypto-assets by CASPs and highlighting relevance for Maltese-licensed entities targeting Spanish investors.
- On 20 November 2025, the MFSA issued a Circular in Relation to Directive (EU) 2023/2025 on Credit Agreements for Consumers and its transposition, including amendments to the Conduct of Business Rulebook for Credit Institutions Offering Retail Products.
- On 20 October 2025, the MFSA issued a Consultation Document on the Transposition and Implementation of AIFMD II and UCITS VI, with a closing date of 24 November 2025.
- On 23 October 2025, the MFSA issued a consultation document on a General Code of Conduct for Decision Makers in the Financial Services Industry (Ref 08-2025), focusing on governance, culture, conflicts of interest and ethical standards for board members and senior management.
Financial Intelligence Analysis Unit (FIAU)
- On 3 December 2025, the FIAU, together with the Central Bank of Malta, published a Q&A document on AML/CFT clarifications under Regulation (EU) 2024/886 on instant payments.
- In October 2025 the FIAU issued a new sectorial guidance – “Guidance Note for Limited (Registered) CSPs” added under the CSPs / Trustees section. It sets out how “limited” CSPs should interpret and comply with AML/CFT obligations, including risk-based CDD, ongoing monitoring and beneficial ownership verification.
- On 29 October 2025 the FIAU drew attention to updated FATF lists of:
- High-Risk Jurisdictions subject to a Call for Action, and
- Jurisdictions under Increased Monitoring, and noted that the documents are available under “Country Statements”.
Information and Data Protection Commissioner (IDPC)
- On 10 October 2025, the IDPC issued Legal Notice 227 of 2025, which entered into force on the same date and was announced on 13 October 2025. The Artificial Intelligence (Designation of the Information and Data Protection Commissioner for the purposes of Regulation (EU) 2024/1689) Regulations, 2025 (S.L. 586.14) designate the IDPC as the Market Surveillance Authority (MSA) for certain high-risk AI systems under Annex III of the EU AI Act.
- On 13 October 2025, the IDPC issued the article “AI Regulations come into force”. The IDPC explains that it will supervise specific categories of high-risk AI, including:
- High-risk biometric systems for law enforcement, border management, justice/democracy,
- AI systems used to handle and prioritise emergency calls,
- Systems used in migration, asylum and border control management, and
- Systems used in administration of justice and democratic processes. (IDPC).
The legal notice also:
- Requires prior judicial authorisation (Magistrate) for use of real-time and post-remote biometric identification in public spaces;
- Empowers the Commissioner to impose administrative penalties up to €50,000 per infringement on public authorities, plus daily penalties of €50 for continuing infringements. (IDPC)
Interplay between the Digital Services Act (DSA) and General Data Protection Regulation (GDPR): Draft EDPB Guidelines 3/2025
The European Data Protection Board (EDPB) has issued its first draft guidelines examining how the Digital Services Act (DSA) interacts with the General Data Protection Regulation (GDPR), providing initial guidance on the practical overlap between these two key EU frameworks.
Digital Omnibus Package: How the EU is reshaping the digital landscape – Part I
The European Commission published the EU Digital Simplification Package (the “Digital Omnibus”) on 19 November, introducing two legislative proposals aimed at streamlining the EU’s digital regulatory framework. This article examines the political drivers behind the initiative and the main proposed changes to GDPR, e-Privacy and cybersecurity laws.
Navigating Wages in Malta
The Employment and Industrial Relations Act (Chapter 452 of the Laws of Malta) (“EIRA”) is the principal legislative framework governing employment relationships in Malta. Together with its subsidiary legislation, the EIRA provides comprehensive protection of employees’ wages, one of the most fundamental rights under Maltese labour law.
The Appointment of Process Agents in Cross-Border Transactions: Ensuring Compliance with Maltese Procedural Law
In cross-border transactions, non-local contracting parties increasingly appoint a process agent to act as a local representative authorised to receive judicial and other official documents on their behalf. This practice has become standard, as it avoids the cost and procedural complexity associated with serving documents through international channels.
Due Diligence in the Age of Synthetic Reality: Managing Deepfake AI Risks
Artificial intelligence has reshaped digital communication, but its rapid evolution has also intensified the risks of manipulated and deceptive content.