MDIA Logo - Malta Digital Innovation Authority Logo

The period for submission of applications is CLOSED and we are currently evaluating the feedback received.

TAAF

The Technology Assurance Assessment (TAAF) Framework by the MDIA is a tiered framework designed to provide varying degrees of technological assurances for a wide range of technologies, from emerging to traditional, aligning with international standards and industry best practices.

TAAF is scalable, allowing seamless integration of new technologies. It is targeted towards owners or operators of technology solutions, who want to assess and obtain recognition for their technology-related controls.

TAAF’s Official Recognition aims to provide varying degrees of confidence for stakeholders like Lead Authorities, investors, developers, suppliers, end-users, and the public. The framework is flexible, allowing applicants to choose what they want to be assessed against, with different assessment levels building on each other for higher trust levels.

TAAF’s 4 Assessment Levels

Level 0
Self-Assessment (sector specific).

Level 1
Technology Control Design Review.

Level 2
Technology Control Effectiveness Review.

Level 3
Technology Audit.

Technology Domains

While TAAF can be applied to any software-based technological solution, it is also able to focus on specific technology domains:

  • Cloud Computing;
  • Internet of Things (IoT);
  • Artificial Intelligence (AI);
  • Distributed Ledger Technologies (DLT).

Aligned with International Standards

TAAF looks at controls to keep in line with international information security frameworks, including:

  • Accountability;
  • Availability;
  • Confidentiality;
  • Integrity;
  • Privacy.

Official Recognition by the MDIA

The MDIA provides official recognition depending on the Assessment Levels undertaken:

Acknowledgment
Denotes participation at TAAF Level 0 (Self-Assessment).

Recognition
Verifies undergoing of Technology Review at TAAF Level 1 or 2.

Certification
Provided for technology solutions that successfully undergo a TAAF Level 3 assessment.

The Components & Requirements of TAAF

Level 0 Level 1 Level 2 Level 3
Assessor Applicant Technical Expert Systems Auditor
Methodology Self-Assessment Technology Review Assurance Assessment (ISAE3000)
Technology Domains Sector Specific
  • General/Traditional Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types Specific to each Initiative
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due Diligence Monitoring Prior to Onboarding
IDPS Blueprint Not required Required
Risk Level Low Medium High
Nature of Assessment Questionnaire Technology Review Report ISAE 3000
Assessment Scope Maturity Assessment Control Design Control Design & Operational Effectiveness
  • Type 1:
    Control Design
  • Type 2:
    Control Design & Operational Effectiveness
Level 0
Assessor Applicant
Methodology Self-Assessment
Technology Domains Sector Specific
Control Types Specific to each Initiative
Due Diligence Monitoring
IDPS Blueprint Not required
Risk Level Low
Nature of Assessment Questionnaire
Assessment Scope Maturity Assessment
Level 1
Assessor Technical Expert
Methodology Technology Review
Technology Domains
  • General/Traditional Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due Diligence Prior to Onboarding
IDPS Blueprint Required
Risk Level Medium
Nature of Assessment Technology Review Report
Assessment Scope Control Design
 Level 2
AssessorTechnical Expert
MethodologyTechnology Review
Technology Domains
  • General/Traditional Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due DiligencePrior to Onboarding
IDPS BlueprintRequired
Risk LevelMedium
Nature of AssessmentTechnology Review Report
Assessment ScopeControl Design & Operational Effectiveness
Level 3
Assessor Systems Auditor
Methodology Assurance Assessment (ISAE3000)
Technology Domains
  • General/Traditional Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due Diligence Prior to Onboarding
IDPS Blueprint Required
Risk Level High
Nature of Assessment ISAE 3000
Assessment Scope
  • Type 1:
    Control Design
  • Type 2:
    Control Design & Operational Effectiveness

TAAF FAQ’s

For more information, please review the TAAF guidelines by clicking this link.

TAAF is targeted towards owners and operators of technological solutions, who want to undergo a review of their technology controls and obtain official recognition by a National Authority.

Finding the right Assessment Level depends on your objectives as a technology solutions owner or operator.

  • Level 0 is aimed at providing insight on the current maturity levels;
  • Levels 1 and 2 take on a more detailed technology review by an independent technical expert;
  • Level 3 on the other hand, is more in line with a traditional audit approach and while being the most onerous, offers the highest levels of trust.

Technology review programmes offered by the MDIA are largely compatible with TAAF at different assessment levels:

Public Consultation

The MDIA is in the process of evaluating feedback received from industry stakeholders, during an open consultation, on the proposed TAAF Framework. 

As part of this public consultation, three (3) documents were released: 

  1. The TAAF Guidelines provide a detailed description of the TAAF Framework; 
  2. The TAAF Control Objectives outlines the different control statements for each applicable Assessment Level and Technology domain; and 
  3. The TAAF Fee Schedule presents the proposed fees in relation to obtaining recognition from the MDIA.

The consultation is now closed. Feedback was accepted between the 19th of May 2023 and the 30th of June 2023.