Residency in the Sandbox will be phased in a manner which is appropriately customised for the needs of each particular Applicant. Despite the different conditions, all Sandbox residents will go through three main phases, namely:
1. Standard onboarding phase,
2. Monitored Sandbox Residency phase,
3. Standard offboarding phase.
Onboarding starts when the Applicant submits a completed Sandbox Application Form.
The Authority shall conduct a technical evaluation of the Application Form received together with any due diligence processes on the Applicant and Technical Officer which the Authority deems necessary.
The Applicant shall cooperate with and provide the Authority with any and all documents required for such due diligence verifications upon request. The Authority shall thereafter notify the Applicant of the outcome of this process. Upon a successful outcome, the Applicant must thereafter appoint an MDIA recognised Systems Auditor or an MDIA recognised Technical Expert Natural Person, who shall be approved by the Authority before being engaged in performing the initial and subsequent Technical Soundness Reviews.
The Applicant shall trigger an Initial Technical Soundness Review of the current state of the IDPS prior to its onboarding into the Sandbox. Such a report shall be received by the Authority within three (3) months of the Authority’s approval of the MDIA recognised Systems Auditor or the MDIA recognised Technical Expert Natural Person, or as requested by the Authority.
A tri-party meeting is thereafter set up between the prospective resident, the MDIA recognised Systems Auditor or the MDIA recognised Technical Expert Natural Person and MDIA to discuss the outcome of the said report.
In the case of a positive Initial Technical Soundness Review Report, or one which identifies minor issues which the Authority deems to be acceptable, the prospective resident shall be notified and admitted into the Sandbox.
The Authority, at its sole discretion, reserves the right to refuse admittance into the Sandbox to any prospective resident. Once the prospective resident is accepted into the Sandbox, the Authority will issue a Sandbox Residency Acceptance Notice (“the Notice”), which provides the details of how the IDPS shall be identified, including any public key or a brand name, and which will carry a unique number for purposes of identification. The IDPS shall post this Notice in a publicly accessible location which shall be specified by the Authority, in an easily accessible and legible format so it can be viewed and understood by all users of the IDPS.
Documents required
As part of the submitted Application Form, the Applicant is required to submit, amongst others:
• A short summary of the proposition and its stage of development.
• A Residency Plan which provides information about the IDPS, describes how the IDPS will develop throughout its Sandbox residency, planned assessments, reporting plans and residency risk assessment.
• A Sandbox Blueprint providing a description of the technology, limitations, relevant processes, security measures and technology risk assessment.
• An updated Business Plan for the IDPS to ensure that the Sandbox residency is aligned with the business mandate of the company making use of or deploying such a technology.
• An application form of the Technical Officer which provides basic information on the person selected by the applicant for the role of Technical Officer.