How MDIA’s certification can give you peace of mind about your technology

As has come to be expected nowadays with in the technology sector – a fact that is further amplified by the goal of maintaining ‘innovation’ – matters related thereto are dynamic by their very nature. In light of this, Malta has seen continuous progress, as well as changes, since the enactment of the Innovative Technology Arrangements and Services Act in 2018. The dynamism of the topic itself is also fuelled by external changes in the environment in which one operates the technology, or a regulatory framework tied to it.

Malta was at the forefront of creating legislative frameworks addressing Distributed Ledger Technology, and later also being the first to launch an Artificial Intelligence Strategy, as well as making an AI Certification Programme available to prospective technologists who may consider offering extra assurances to their users.

The word ‘assurances’ here is key, whereby the Malta Digital Innovation Authority – through its certification programme – delves into, by means of MDIA Approved Systems Auditors, at core, the functional correctness of a system.

In simpler terms, MDIA’s certification of technology gives assurances that ‘function’ is mapped to actioned reality, and that the button ‘transact’ is really doing the action to transact in line with the provided blueprint of the whole system. The blueprint is a document which highlights all the critical and important features which an ITA should include in the information submitted to the Authority during the application for the certification.

MDIA’s certification programme is, as far as the Authority is strictly concerned, a voluntary one. There is a very specific reason why this was made so. At MDIA, we recommend that certification is mandated by the lead authority that governs the sector of the specific technology (for example, DLT used in Finance, the lead authority who can really assess risk of a particular business/system would be MFSA) since the same lead authority is in the best position to decide whether MDIA’s certification ought to be mandated as part of say, a licensing requirement. If the system is granted certification by MDIA, this will be known officially as a certified ITA as per the established ITAS Act of the Laws of Malta.

It is opportune to take a moment to explain, in practical terms, the technological and logistical requirements of obtaining such MDIA Certification. The MDIA provides a certification process for ITAs, which certification indicates dependability of the ITA from a technological perspective. To qualify for certification, MDIA-licenced Systems Auditors must attest to the fidelity of the ITA with respect to the functionality specified in the ITA blueprint, and that the ITA has all the necessary components to ensure that all the necessary information is stored and synchronised in real-time to allow for continued assessment of the ITA and to allow for investigations if required at a later stage.

To achieve this, ITAs must include a Forensic Node, which is used to keep a trail of behaviour on the ITA as a whole. If the creation and upkeep of a Forensic Node is not feasible in technical terms, technical reasons why this requirement cannot be met need to be provided to the MDIA and the applicant must find an alternate technical arrangement acceptable to the Authority wherein all necessary ITA information is stored and synchronised in the Maltese jurisdiction in real-time and in a tamperproof manner.

The aim of the Forensic Node is to store all relevant information on the runtime behaviour of the ITA in real-time including, but not limited to, transactions carried on the DLT-components of the ITA. Since parts of an ITA may include an Off-DLT Application Layer, any relevant information and events relevant and accessible to the ITA on this layer is also to be stored on the Forensic Node.

As time progresses, it is normal for technologies to go in and out of hype cycles as well as usability and suitability cycles. This is part and parcel of technology. Through Legal Notice 389/2020, MDIA is now empowered to consider various technologies for certification that are not necessarily DLT based.

Quoting the key change that this change in legislation brought about, MDIA is now able to consider “Software and other architectures, not necessarily used in the context of DLT, smart contracts and related applications as well as other similar arrangements, but which are used or meant to be used, as a stand-alone or as part of a solution in sectors and areas which are deemed to be of a risky or critical nature, where their failure or misuse could amongst other things result in loss of life, grave prejudice to the well-being and rights of natural persons, significant asset loss or damage and significant damage to the environment.”

In the technologically-dependant world we live in, technology is a key asset necessary to sustain economic resilience, especially during such unprecedented times. Economical resilience cannot be sustained if digital resilience is not kept in view. This is where the Malta Digital Innovation Authority’s relevance comes in, since it is the only entity that can give assurance on the technology being used, and hence the user can have peace of mind that the technology is reliable and securely designed to do what it is meant to do; and was set-up in appropriate ways and had its claims verified by an independent party and stamped by a public governmental Authority.