MDIA Logo - Malta Digital Innovation Authority Logo

TARF

The Technology Assessment Recognition Framework (TARF) by the MDIA is a tiered framework designed to provide varying degrees of recognition to a wide range of technologies, from emerging to traditional, aligning with international standards and industry best practices.

TARF is scalable, allowing seamless integration of new technologies. It is targeted towards owners or operators of technology solutions, who want to assess and obtain recognition for their technology-related controls.

TARF’s Official Recognition aims to provide varying degrees of confidence for stakeholders like Lead Authorities, investors, developers, suppliers, end-users, and the public. The framework is flexible, allowing applicants to choose what they want to be assessed against, with different assessment levels building on each other for higher trust levels.

TARF’s 4 Assessment Levels

Level 0
Self-Assessment (sector-specific).

Level 1
Technology Sandbox.

Level 2
Technology Review.

Level 3
Technology Assurance.

Technology Domains

While TARF can be applied to any software-based technological solution, it is also able to focus on specific technology domains:

  • Cloud Computing;
  • Internet of Things (IoT);
  • Artificial Intelligence (AI);
  • Distributed Ledger Technologies (DLT).

Aligned with International Standards

TARF looks at controls to keep in line with international information security frameworks, including:

  • Accountability;
  • Availability;
  • Confidentiality;
  • Integrity;
  • Privacy.

Official Recognition by the MDIA

The MDIA provides official recognition depending on the Assessment Levels undertaken:

Acknowledgment
Denotes participation at TARF Level 0 (Self-Assessment).

Mark of Credit
Verifies undergoing of Technology Review at TARF Level 1 or 2.

Certification
Provided for technology solutions that successfully undergo a TARF Level 3 assessment.

The Components & Requirements of TARF

Level 0 Level 1 Level 2 Level 3
Assessor Applicant Technical Expert Systems Auditor
Methodology Self-Assessment Sandbox Programme Technology Review Reasonable Assurance Assessment (ISAE 3000)
Technology Domains Sector Specific
  • General Innovative Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types Specific to each Initiative
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due Diligence Monitoring Prior to Onboarding
IDPS Blueprint Not required Required
Nature of Assessment Questionnaire Programme-specific Technology Review Report ISAE 3000
Assessment Scope Maturity Assessment Maturity Development
  • Type 1:
    Control Design Implementation
  • Type 2:
    Control Design Implementation & Operating Effectiveness
Level 0
Assessor Applicant
Methodology Self-Assessment
Technology Domains Sector Specific
Control Types Specific to each Initiative
Due Diligence Monitoring
IDPS Blueprint Not required
Nature of Assessment Questionnaire
Assessment Scope Maturity Assessment
Level 1
Assessor Technical Expert
Methodology Sandbox Programme
Technology Domains
  • General Innovative Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due Diligence Prior to Onboarding
IDPS Blueprint Required
Nature of Assessment Programme-specific
Assessment Scope Maturity Development
Level 2
Assessor Technical Expert
Methodology Technology Review
Technology Domains
  • General Innovative Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due Diligence Prior to Onboarding
IDPS Blueprint Required
Nature of Assessment Technology Review Report
Assessment Scope
  • Type 1:
    Control Design Implementation
  • Type 2:
    Control Design Implementation & Operating Effectiveness
Level 3
Assessor Systems Auditor
Methodology Reasonable Assurance Assessment (ISAE 3000)
Technology Domains
  • General Innovative Technology
  • Cloud Computing
  • Internet of Things
  • Artificial Intelligence
  • Blockchain
Control Types
  • Accountability
  • Availability
  • Confidentiality
  • Integrity
  • Privacy
Due Diligence Prior to Onboarding
IDPS Blueprint Required
Nature of Assessment ISAE 3000
Assessment Scope
  • Type 1:
    Control Design Implementation
  • Type 2:
    Control Design Implementation & Operating Effectiveness

TARF FAQ’s

For more information, please review the TARF guidelines by clicking this link.

TARF is targeted towards owners and operators of technological solutions, who want to undergo a review of their technology controls and obtain official recognition by a National Authority.

Finding the right Assessment Level depends on your objectives as a technology solutions owner or operator.

  • Level 0 is aimed at providing insight on the current maturity levels;
  • Level 1 is a residency in a Sandbox programme led by a technical expert where controls are expected to mature over time;
  • Level 2 takes on a more detailed technology review by an independent technical expert;
  • Level 3 on the other hand, is more in line with a traditional audit approach and while being the most onerous, offers the highest levels of trust.

Technology review programmes offered by the MDIA are largely compatible with TARF at different assessment levels:

Guidelines

As part of this public consultation, three (3) documents were released: 

  1. The TARF Guidelines (Kindly note that the TARF Guidelines will be uploaded shortly)
  2. The TARF Control Objectives provide an outline of the different control statements for each applicable Assessment Level and Technology domain; and 
  3. The TARF Fee Schedule presents the proposed fees in relation to obtaining recognition from the MDIA.