Malta has depended on food imports for centuries. Governments here have long planned around that reality. An island with limited agricultural capacity needs to know what it does when ships stop arriving. The contingency is built in, not because disruption is likely on any given day, but because the cost of being unprepared, when it arrives, is too high.
Malta’s dependence on foreign digital infrastructure is at least as extensive. A substantial share of the infrastructure used by its regulated sectors, gaming, financial services, and shipping, is managed by large international organisations subject to foreign law, selected through procurement processes that optimised for cost and performance and rarely asked which legal jurisdiction applied, or what would happen if that jurisdiction became a problem. Nobody has built the contingency in. And the evidence that one is needed has been accumulating rapidly.
The evidence nobody commissioned
The pattern did not begin with a single event. Since 2022, at least 11 undersea internet and power cables in European waters have been damaged, with European defence officials describing several incidents as suspected sabotage and NATO stepping up Baltic Sea patrols in response. A Chinese flagged vessel came under investigation for severing key Baltic Sea cables. In the Red Sea, Houthi operations damaged multiple cable systems carrying internet traffic between Europe, Asia and Africa. Repair ships were reluctant to operate in active conflict zones, extending outages well beyond the initial incidents.
More recently, in early March 2026 and as reported by Reuters and other global news feeds, Iran’s Islamic Revolutionary Guard Corps launched drone strikes on Amazon Web Services facilities in the UAE and Bahrain, the first known deliberate physical attack on commercial data centres in military history. Further strikes on data centre infrastructure followed in the weeks after, on both sides of the conflict. These were not isolated incidents. They were the moment a two-year pattern of escalating attacks on digital infrastructure assets became impossible to ignore, even if the recent attacks are not the only lesson worth drawing.
The Ukraine example, often cited as evidence that cloud infrastructure is resilient under pressure, also deserves more careful reading. In early 2022, Ukraine moved critical government data to Microsoft and Amazon infrastructure. Government functions survived. What it showed was that Ukraine had no alternative. A sovereign state was forced to entrust its institutional memory to companies it could not direct, under law it did not write, because no sovereign alternative existed. For Malta, the question is whether it waits for a comparable moment of clarity or acts before one arrives.
Resilience and sovereignty are not the same thing.
A vision with a structural gap
Every piece of data processed by Malta’s regulated industries – player behaviour records for tens of millions of people, transaction flows across the full spectrum of licensed financial activity, vessel movements at global scale – sits in a building, in a specific country, under a specific legal framework. The analytical value flows to the platforms that process it. Very little returns to Malta. The intelligence those industries generate is a national asset. It is currently not treated as one.
The same imbalance exists in compute. Malta participates in European supercomputing through CALYPSO, an antenna node providing access to EuroHPC resources, but it has no domestic compute capacity at strategic scale on Maltese soil. As regulated industries integrate advanced analytical tools into compliance, risk assessment, and supervisory reporting, those tools increasingly run on infrastructure Malta does not control.
The point is that keeping data in Malta and capturing the value of what that data reveals are not the same thing. In a few years time, Malta could be licensing some of the most data-rich industries in Europe whilst lacking the domestic compute and analytical infrastructure needed to extract any of the intelligence that data contains.
Malta Vision 2050, launched in February this year, is in many respects a well written document. The digital chapters speak of AI governance, smart infrastructure, cloud adoption, and cybersecurity standards. These are the right ambitions. Each of those layers depends on a physical base layer of domestically governed infrastructure. That base layer is precisely what the Vision does not address.
Read the document carefully and a structural absence becomes visible. Data centres, processing capabilities and domestic digital infrastructure, do not appear as a strategic asset class. There is no investment framework, no capacity targets, no policy mechanism to encourage local providers to grow or modernise.
The layer that everything else depends on, is simply assumed to be available. And this assumption exists because digital infrastructure has never been recognised as a strategic national asset. Addressing this is not about mandating an authority to treat it as one, nor about changing how government buys technology. The issue runs deeper. It is about how government thinks. Solving it requires a political decision about what belongs in the category of things Malta cannot afford to take for granted.
The infrastructure behind the jurisdiction
Malta’s success as a gaming jurisdiction was built on a combination of regulatory clarity, legal infrastructure, talent, and the physical digital infrastructure that allowed operators to run mission-critical platforms from Maltese soil. Data centres were part of that foundation from the beginning, providing the low latency, highly available, locally governed hosting environment that made Malta not just a licensing address but an operational base.
That relationship deserves more recognition than it typically receives. Data centres are sovereignty infrastructure. They are the foundational physical layer that gives Malta’s regulatory authority genuine substance across gaming, financial services, healthcare, and the full range of its regulated economy. A jurisdiction that licenses industries but does not actively steward the infrastructure underpinning them is exposed in ways that are easy to overlook until the moment they become visible.
This is precisely why the gaming sector’s appearance in Vision 2050 matters so much. The document sets a target for operators to transition to renewable-powered data hosting by 2035. The sustainability direction is right. But the mandate is addressed entirely to operators, with nothing said about the local digital infrastructure assets that have helped anchor the sector’s operational presence in Malta.
In practice, a sustainability mandate without a local supply-side plan risks pushing sensitive workloads onto infrastructure outside Malta. Moreover, the question is not whether operators should use hosting or the cloud. That is a commercial decision, and global cloud platforms play a legitimate and important role. The question which matters is where such workloads are ultimately hosted and governed.
The lever Malta is not using
Addressing this gap requires political will and investment. Malta already has tools that others do not.
Malta is one of Europe’s most significant licensing jurisdictions. The Malta Gaming Authority administers licences spanning the entire EU. The Malta Financial Services Authority governs fintech and financial services entities of similarly broad reach. Because EU law in financial services is harmonised across Member States, the governance standards Malta sets travel with its licences across the single market.
That authority is a lever. It has already been used in the Vision 2050 green hosting mandate, demonstrating that Malta can apply infrastructure standards as a condition of licence. The more important question is how Malta uses policy and incentives to actively strengthen its domestic digital infrastructure capabilities, by making local sovereign capacity genuinely attractive rather than simply assumed.
Capital incentives for infrastructure investment, preferential treatment in renewable energy allocation, and a certification pathway that reflects Malta’s specific constraints, are some of these tools. Luxembourg reached this conclusion earlier, backing LuxConnect as national digital infrastructure and using it as the basis for sovereign cloud initiatives. The tools exist. What remains is the will and a decision to use them.
The window and what needs to happen
Vision 2050 is a living document. The KPI framework published alongside the final strategy is designed to be tracked and revised. The conversation about what the digital infrastructure layer should actually look like is still open. But infrastructure investment decisions have long lead times. The window to act ahead of the curve is narrower than it appears from a position of current comfort.
Several specific steps would move the conversation from recognition to action.
First, digital infrastructure should be formally designated as critical national infrastructure, giving data centres, cable landing points, and connectivity assets the legal status and policy priority they currently lack.
Second, the Vision 2050 green hosting target needs a supply-side complement, with incentives and a realistic transition pathway for local infrastructure providers facing the genuine physical and energy constraints of a small island.
Third, Malta’s licensing authorities should be used more deliberately, accepting EU-sovereign certified infrastructure as a short term option, whilst recognising that data hosted elsewhere, even in the EU, remains outside their direct control. Malta’s ambition should rise above the minimum baseline.
Fourth, for what Malta cannot build alone, a consortium of small EU Member States pooling sovereign cloud capacity through frameworks such as GAIA-X offers the scale that none can achieve individually.
Malta is small. In this context, that is as much an advantage as it is a constraint. Decisions can be made quickly and policies adjusted with a precision that is difficult to achieve in larger markets. Vision 2050 sets the right ambitions. What it lacks is recognition that digital infrastructure belongs in the same strategic category as the energy grid and the food supply chain, and that the data generated by Malta’s regulated industries is a national asset requiring active stewardship.
Malta knows what happens when ships stop arriving. The same clarity, applied to digital infrastructure, is what genuine strategic autonomy requires.
Dr Ian Gauci is Managing Partner of GTG and a technology and commercial lawyer with over 25 years of experience advising governments, regulators, and private clients across technology, cybersecurity, and digital transformation. He chairs the AI in Fintech working group at the MFSA and serves on several governance and advisory bodies across Malta’s digital and financial sectors.
Ing. Christian Sammut is Chief Executive Officer of BMIT Technologies plc, Malta’s largest digital infrastructure and managed IT services provider, listed on the Malta Stock Exchange. He has led BMIT through a period of significant strategic development and is a regular contributor on digital infrastructure, data sovereignty, and Malta’s technology landscape.
Mate Bacic takes over as CEO of Tipico Group
He takes over from Axel Hefer following Tipico’s acquisition by Banijay.
‘Work that once took days is now being done instantly’ – Bigbon CEO Nick Spiteri Paris
The retail group registered significant improvements in speed, accuracy and efficiency after embedding AI into its operations.
Dr Nadia Maria Vassallo: Shaping the future of education at IDEA College
Nadia Maria Vassallo continues to empower students with the skills to thrive in a global world.
New hospitality rules ‘delegate policing to private citizens,’ warns Casa Rooms Director
Cecil McCarthy warns that the benefits of any changes are contingent on their consistent enforcement by the authorities.
