Malta has issued Legal Notice 162 of 2026 to align its tax cooperation framework with EU Directive (EU) 2023/2226 (DAC8), introducing expanded reporting obligations for crypto-asset service providers and updated rules on automatic exchange of information.
Malta has published Legal Notice 162 of 2026 in the Official Gazette, introducing the Cooperation with Other Jurisdictions on Tax Matters (Amendment) Regulations, 2026, which implement Council Directive (EU) 2023/2226 of 17 October 2023 (DAC8).
DAC8 establishes due diligence procedures and reporting requirements for crypto-asset service providers, requiring them to collect and report data on transactions involving EU-resident users. The rules apply from 1 January 2026. In-scope crypto-asset service providers must begin collecting the relevant information from that date, while the corresponding reporting obligations will apply from 2027. Failure to meet timely reporting obligations may result in penalties being imposed on the crypto-asset service provider.
A central element of the amendments is the introduction of the Crypto-Asset Reporting Framework (CARF). Reporting Malta-based crypto-asset service providers, including those authorised under the Markets in Crypto-Assets (MiCA) Regulation or operating from Malta for tax purposes, must report detailed transaction data for “reportable users.” This includes aggregate gross amounts of crypto transactions, units involved, and the number of acquisitions and disposals against fiat currency or other crypto-assets. Providers must also report retail payment transactions exceeding USD 50,000.
Under the due diligence requirements, service providers are required to obtain self-certifications to determine users’ tax residency. Where users fail to comply after two reminders within a 60-day period, providers must restrict their ability to carry out further transactions. The first exchange of crypto-asset-related information is scheduled within nine months after the end of the 2026 calendar year.
The regulations also strengthen Malta’s framework for the automatic exchange of information (AEOI) with other EU Member States. This includes employment income, director’s fees, pensions, royalties, immovable property income, life insurance products, and detailed financial account data such as balances and investment income. Cross-border tax rulings involving individuals may also be exchanged where they exceed EUR 1.5 million or determine tax residency.
New provisions reinforce legal safeguards, confirming that information protected by attorney-client privilege or classified as commercial, industrial, or professional secrets is exempt from disclosure. An anti-tipping-off offence is also introduced, with penalties of up to EUR 115,000, imprisonment of up to two years, or both, for unlawful disclosure of tax investigations.
On data protection, the framework requires compliance with the General Data Protection Regulation (GDPR), while allowing certain restrictions on data subject rights where necessary for tax enforcement. Data retention is generally limited to a minimum of five years and no longer than necessary for regulatory purposes.
A detailed penalty regime is introduced for non-compliance by crypto-asset service providers. Sanctions include fines for failure to register (EUR 500), failure to retain records (EUR 2,500), late reporting (EUR 2,500 plus EUR 100 per day, capped at EUR 20,000), and inaccurate reporting (up to EUR 50,000 in serious cases). Senior officials submitting false information may face personal liability, with penalties ranging from EUR 10,000 to EUR 30,000.
The amendments also introduce an electronic identification service for user verification and a European Commission tool to validate Taxpayer Identification Numbers (TINs), aimed at strengthening cross-border tax compliance and reducing reporting errors.
The DAC8 obligations will generally apply from 2026, with the first reporting due in 2027.
