Malta’s Eurobarometer result is a practical warning for Windows and Microsoft 365 admins: generative AI has already become a daily habit for many users, including at work and in education, and policy needs to catch up now. Lovin Malta, citing the European Commission’s Special Eurobarometer 572 on the Digital Decade, reports that Malta leads the EU in daily use of tools such as ChatGPT, Google Gemini, and Microsoft Copilot. The immediate takeaway is simple: if users are already comfortable using AI every day, organizations should not wait for a perfect long-term strategy before setting basic rules for Copilot, Edge, Microsoft 365 data, browser-based AI tools, and endpoint governance.
Lovin Malta’s report on the Eurobarometer findings frames the story plainly: Malta leads the EU in daily ChatGPT and generative AI use. According to the figures it cites from the European Commission’s Special Eurobarometer 572 – The Digital Decade 2026, 38% of Maltese respondents use generative AI every day in their personal lives, compared with an EU average of 20%.
That is not a marginal lead. It means Malta is operating at almost twice the EU-wide daily personal-use rate in a technology category that only recently became a mainstream consumer habit. The relevant comparison is not whether Maltese users are “ahead” in some vague digital-readiness sense; it is that daily generative AI use has crossed from early adopter behavior into something much closer to ordinary software use.
The work and education figure is even more important for WindowsForum readers. Malta also topped the EU ranking for daily use at work or in education, with 39% of respondents saying they use generative AI every day in professional or academic settings. That places tools such as Microsoft Copilot, ChatGPT, and Gemini directly inside the workflows where documents, emails, spreadsheets, code, student assignments, customer records, and internal strategy actually live.
This is where the consumer AI story becomes an IT governance story. A chatbot used to plan a holiday is one thing. A chatbot used daily inside an office, classroom, help desk, legal department, finance function, or software team is something else entirely. The latter changes how information is drafted, summarized, searched, copied, pasted, reviewed, and sometimes trusted.
For Windows estates, the lesson is immediate. Users may be reaching AI through Edge, standalone browser tabs, Microsoft 365 apps, Teams workflows, mobile devices, browser extensions, consumer accounts, or sanctioned enterprise tools. Admins who treat generative AI as a future procurement question may already be behind the actual behavior on their networks.
Malta’s numbers suggest that for a large minority of users, the decision has already been made. Generative AI is not waiting for a three-year transformation roadmap. It has arrived through browser sessions, mobile apps, Microsoft 365 integrations, school assignments, messaging conversations, and informal workplace habits.
That can be an advantage. A digitally receptive population can experiment quickly, normalize new tools, and expose practical use cases before larger countries finish debating whether the tools are a fad. Malta’s reported 86% figure among existing AI users who say their usage has increased over the past year is the adoption curve in miniature. More than half of Maltese AI users, 55%, said their usage has “increased a lot.”
Those two numbers are the real accelerant. Daily usage is the snapshot; increased usage is the velocity. A country where most current users say they are using AI more than before is not merely adopting a product category. It is building habits.
But habit formation is exactly what makes governance harder. Once users have discovered that AI can draft emails, rewrite text, summarize documents, generate formulas, explain code, translate rough notes, or help produce presentations, a blunt ban becomes unrealistic. Workers do not easily give up tools that save time, especially when comparable tools are available through personal accounts, mobile devices, and browser-based services.
That is why Malta’s lead should make enterprise IT nervous and interested at the same time. It shows the upside of a population willing to try new productivity tools. It also shows the speed at which unofficial workflows can become institutional facts before procurement, legal, compliance, and security teams have defined the rules.
That proximity changes the risk model. Traditional software governance was built around applications with recognizable boundaries. A spreadsheet program edited spreadsheets. An email client handled email. A browser accessed the web. Generative AI behaves more like a cross-application assistant: it ingests context, produces text, summarizes other people’s work, and encourages users to move information between systems.
The Eurobarometer finding does not prove that Copilot is the main driver of Malta’s workplace AI use. The survey coverage groups generative AI tools together and names multiple services, including ChatGPT, Gemini, and Copilot. What it does show is that Malta has the user behavior Microsoft has been designing for: frequent AI use, comfort with assistance tools, and a large share of respondents using AI in work or education.
That distinction matters. The confirmed survey fact is daily generative AI usage. The inference for WindowsForum readers is that Microsoft-heavy organizations in Malta-like environments should expect Copilot-style features to meet less cultural resistance than they might have a year or two ago. If users are already using AI in browser tabs, the addition of AI inside Microsoft 365 may feel less like a radical change and more like consolidation.
The challenge is that Copilot-style integration makes governance both easier and more complicated. Easier, because enterprise-managed tools can be tied to identity, policy, licensing, logging, and administrative controls. More complicated, because once AI is woven into everyday productivity software, admins must govern not merely access to a chatbot but the flow of organizational knowledge through prompts, summaries, generated drafts, and user decisions based on machine output.
This is why the Malta data matters beyond Malta. It points to a near future where the question for IT departments is not “Should we allow generative AI?” but “Which generative AI are our users already using, with what data, under which account, and with what review process?”
That combination breaks a lazy narrative in the AI debate. High adoption does not automatically mean hostility to regulation. In Malta’s case, the people using AI most intensely are also strongly supportive of public rules around it. They want the benefits, but they do not appear to want a pure “move fast and break things” model imported wholesale into education, work, and public life.
For the EU, that matters because the Digital Decade agenda is not only about access and adoption. The European Commission’s Digital Decade 2026 Eurobarometer materials describe the survey as covering citizens’ views on digitalisation, digital rights, support for digital policy, generative AI use, European digital sovereignty, governance preferences, and concerns such as disinformation and online manipulation. Malta’s result sits inside that broader European argument: digital transformation is desirable, but trust is part of the infrastructure.
There is a practical lesson here for businesses. Users may resist slow approvals, clumsy security questionnaires, and policies that treat all AI as forbidden magic. But they may welcome clear rules that tell them which tools are approved, which data must never be entered, when AI output must be checked, and how to disclose AI-assisted work. The demand is not necessarily for less oversight. It is for oversight that matches the reality of use.
This is especially relevant for education. If 39% of Maltese respondents report daily generative AI use in work or education, schools and universities cannot treat AI as an external cheating device only. They need policies that distinguish between brainstorming, tutoring, translation, summarization, writing substitution, code generation, and assessment fraud. Those distinctions are hard, but avoiding them simply pushes usage underground.
The same applies inside companies. A finance analyst using AI to summarize public filings is not in the same risk category as an employee pasting confidential payroll data into a consumer chatbot. A developer using AI to explain a library function is not in the same category as one accepting generated security-sensitive code without review. Mature AI governance starts by recognizing those differences instead of pretending a single policy sentence can cover them all.
The numbers are also about reported behavior. Respondents are saying how often they use generative AI, and reported usage can be shaped by memory, definitions, social desirability, and confusion about what counts as AI. Some users may count a dedicated chatbot. Others may count AI-assisted search, writing suggestions, translation, or features built into software they already use.
That ambiguity is not a reason to dismiss the finding. In fact, it may be part of the story. As AI becomes embedded in mainstream software, users increasingly experience it less as a separate product and more as a capability. The line between “using AI” and “using modern software” is going to get blurrier.
The Malta result should therefore be read as a strong directional signal: a high share of Maltese respondents recognize generative AI as part of their daily personal and professional or academic lives. Whether every respondent defines the category identically is less important than the broader cultural shift. People know these tools exist, they are using them frequently, and many say they are using them more than before.
That is precisely the point at which security and compliance teams need to stop waiting for perfect measurement. In most organizations, shadow IT was never discovered by waiting for perfect inventories. It was discovered by looking at expense reports, browser logs, OAuth permissions, help desk tickets, user surveys, and the sudden appearance of unfamiliar workflows. Generative AI will be no different.
The European Commission made Digital Decade 2026 Eurobarometer materials available as part of its wider reporting on citizens’ views of digitalisation, digital rights, digital policy priorities, generative AI use, sovereignty, governance, and online risks.
Lovin Malta reported on the Eurobarometer findings, highlighting Malta’s lead in daily ChatGPT and generative AI use and citing the Maltese figures for personal, workplace, and education use.
People use tools more readily when they expect those tools to matter. If AI is perceived as a threat, adoption may still happen, but it tends to be reluctant, hidden, or externally imposed. If AI is perceived as useful, adoption becomes exploratory and self-directed. Malta’s figures suggest the latter dynamic is powerful.
This has a familiar pattern. The personal computer spread not only because companies bought machines, but because users found their own reasons to use them. Smartphones became indispensable not because every employer mandated them, but because personal convenience and work utility reinforced each other. Cloud storage, messaging apps, and video meetings followed similar paths: consumer behavior softened the ground for enterprise dependence.
Generative AI is following the same route, but faster. A worker can learn a chatbot in minutes. A student can use one without waiting for the school’s learning platform to integrate it. A small business owner can draft marketing copy, customer replies, or spreadsheet formulas without hiring a consultant. That low barrier to entry is why the technology spreads before institutions are ready.
For Microsoft, this is the environment Copilot was built to serve. The company does not need every user to understand model architecture. It needs users to believe that AI assistance belongs in everyday productivity tasks. Malta’s reported behavior suggests that belief is already widespread there.
Yet optimism should not be confused with literacy. A person can be enthusiastic about AI and still overtrust fabricated output, mishandle personal data, or fail to distinguish between a useful draft and a reliable answer. That is why the 84% support for regulating AI is so important. It indicates that Maltese respondents may see AI as both useful and risky, which is a healthier starting point than either panic or blind faith.
This is a procurement issue, but it is also a user-experience issue. If approved AI tools are slow, unavailable, poorly integrated, or wrapped in vague warnings, users will route around them. If the approved tool cannot summarize the kind of documents users actually handle, they will copy the text elsewhere. If the enterprise policy says “do not enter confidential data” but never explains what that means in ordinary work, users will guess.
For Windows estates, the practical surface area is broad. Users may interact with AI through Edge, Windows-integrated experiences, Microsoft 365 apps, Teams meetings, browser extensions, mobile apps, third-party SaaS platforms, developer tools, and search engines. A narrow blocklist will not create a strategy. It will create a false sense of control.
The risks are also broader than data leakage. There is hallucination risk, where plausible but wrong output enters documents or decisions. There is provenance risk, where no one can later tell whether a paragraph, slide, code snippet, or policy draft was AI-generated. There is licensing and copyright uncertainty around generated content. There is bias and discrimination risk if AI-generated recommendations influence hiring, grading, lending, or public service decisions. There is operational risk if employees become dependent on tools without fallback processes.
And there is the quieter risk of organizational amnesia. If employees use AI to summarize instead of read, draft instead of think, or decide instead of verify, the institution may save time while losing expertise. That does not mean AI should be avoided. It means AI adoption has to be paired with deliberate review points, training, and accountability.
Malta’s adoption numbers make this visible because they compress the future. Other EU countries may not be at the same daily-use rate, but the trajectory is familiar: personal use, then informal work use, then official pilots, then integration, then dependence. By the time dependence is obvious, the easiest policy choices have already passed.
Students have strong reasons to use generative AI: explanation, translation, brainstorming, rewriting, coding help, and assignment completion. Teachers have equally strong reasons to worry: plagiarism, unequal access, shallow learning, and assessment integrity. Administrators face the unenviable job of writing rules that are neither naïve nor unenforceable.
Malta’s high daily-use environment suggests that the “ban it and move on” approach is especially brittle. Even if a school restricts AI on managed Windows devices, students can access tools elsewhere. Even if an assignment forbids AI assistance, detection is unreliable and can produce false accusations. The better approach is to redesign some assessments around process, oral defense, in-class work, source evaluation, and visible revision history.
That does not mean surrendering standards. It means specifying where AI use is educationally valuable and where it defeats the point of the task. Using AI as a grammar coach may be acceptable in one context and unacceptable in another. Asking AI to explain a concept may support learning; submitting AI-generated analysis as one’s own may not. The policy has to be tied to the learning objective.
The same logic applies to workplace training. Employees need to understand not only how to prompt a model but when not to use one. AI literacy is not merely “write better prompts.” It includes data classification, verification, accountability, privacy, security, and domain judgment. A country can have high AI adoption and still have uneven AI competence.
This distinction is crucial for Microsoft-heavy organizations. Copilot can lower friction, but it does not magically supply judgment. If a user asks for a summary of a long document, the output may be useful. If the user relies on that summary for a legal, medical, financial, HR, or security-sensitive decision without review, the organization has a process problem, not just a software problem.
That is an important point for vendors. The AI industry often frames regulation as a drag on deployment. But in markets where users are enthusiastic and anxious at the same time, rules can legitimize adoption. Clear requirements around safety, transparency, data handling, and accountability can make it easier for governments, schools, and enterprises to approve AI use at scale.
The European Commission’s framing of the Digital Decade survey connects generative AI use with digital rights, sovereignty, governance preferences, and concerns about online manipulation. That broader context matters because generative AI is not only a productivity tool. It is also a content engine, a search interface, a coding assistant, a tutoring system, a summarizer, and a persuasive text generator.
Malta’s numbers therefore point to the central European bargain: embrace digital transformation, but do not leave it entirely to platform vendors. The public wants useful AI, but it also wants safety. It wants digital policy to remain a priority. It wants the next decade to be shaped rather than merely endured.
For IT leaders, this means policy alignment will matter. Internal AI rules that mirror broader public expectations around safety, privacy, and accountability will be easier to defend. Rules that look arbitrary, performative, or purely obstructionist will be ignored.
The organizations that succeed will not be the ones with the longest AI policy PDFs. They will be the ones that translate risk into daily practice: which button to use, which data not to paste, which output to verify, which decisions require a human owner, and which AI tools are approved for which tasks.
That shift will put pressure on software vendors to make AI feel invisible. Microsoft’s direction with Copilot, Google’s direction with Gemini, and OpenAI’s consumer and enterprise offerings all point toward the same destination: AI as an embedded layer rather than a separate application. For WindowsForum readers, the Microsoft version of that future is especially important because it sits close to Windows endpoints, Microsoft 365 content, Entra identity, Teams collaboration, Edge browsing, SharePoint permissions, OneDrive files, and the administrative controls that govern them.
The confirmed Malta finding is about reported generative AI use, not about one vendor winning the market. But the operational lesson for Microsoft environments is clear. If users already see AI as part of daily work, then Copilot governance cannot be treated as a license checkbox. It has to be part of endpoint management, data governance, browser policy, identity review, information protection, and user training.
Admins should also avoid the opposite mistake: assuming that a Microsoft-controlled AI deployment automatically solves shadow AI. A well-managed Copilot rollout can reduce the temptation to paste work into consumer tools, but only if users understand what is allowed, if the approved experience is useful, and if data permissions are already under control. Copilot can surface what users are already permitted to access; that makes oversharing in SharePoint, Teams, and OneDrive a governance issue before it becomes an AI issue.
This is where WindowsForum’s practical lens matters. The story is not simply that Malta likes AI. It is that a modern Windows-and-Microsoft 365 estate now has to assume AI behavior at the endpoint, in the browser, in the productivity suite, and in the user’s daily habits. That requires policy that is clear enough for ordinary employees, technical controls that map to real data risk, and training that treats AI as a normal work tool with abnormal failure modes.
The forward-looking lesson is not to panic and not to coast. Malta shows how fast generative AI can move from curiosity to routine. The organizations that handle the next phase best will be the ones that make approved AI easier than risky AI, clean up Microsoft 365 permissions before expanding Copilot access, govern Edge and endpoint behavior realistically, and teach users that AI output is assistance, not authority.
For Windows admins, the work this week is modest but urgent: find the AI tools already in use, decide which ones are approved, protect sensitive Microsoft 365 data, set Edge and endpoint expectations, and publish rules that employees can actually follow. Malta’s lead may be a national statistic, but the operational warning is local: if your users can reach AI, they are probably already building workflows around it.
Malta Turns the AI Pilot Into the Default Setting
Lovin Malta’s report on the Eurobarometer findings frames the story plainly: Malta leads the EU in daily ChatGPT and generative AI use. According to the figures it cites from the European Commission’s Special Eurobarometer 572 – The Digital Decade 2026, 38% of Maltese respondents use generative AI every day in their personal lives, compared with an EU average of 20%.That is not a marginal lead. It means Malta is operating at almost twice the EU-wide daily personal-use rate in a technology category that only recently became a mainstream consumer habit. The relevant comparison is not whether Maltese users are “ahead” in some vague digital-readiness sense; it is that daily generative AI use has crossed from early adopter behavior into something much closer to ordinary software use.
The work and education figure is even more important for WindowsForum readers. Malta also topped the EU ranking for daily use at work or in education, with 39% of respondents saying they use generative AI every day in professional or academic settings. That places tools such as Microsoft Copilot, ChatGPT, and Gemini directly inside the workflows where documents, emails, spreadsheets, code, student assignments, customer records, and internal strategy actually live.
This is where the consumer AI story becomes an IT governance story. A chatbot used to plan a holiday is one thing. A chatbot used daily inside an office, classroom, help desk, legal department, finance function, or software team is something else entirely. The latter changes how information is drafted, summarized, searched, copied, pasted, reviewed, and sometimes trusted.
For Windows estates, the lesson is immediate. Users may be reaching AI through Edge, standalone browser tabs, Microsoft 365 apps, Teams workflows, mobile devices, browser extensions, consumer accounts, or sanctioned enterprise tools. Admins who treat generative AI as a future procurement question may already be behind the actual behavior on their networks.
Malta’s numbers suggest that for a large minority of users, the decision has already been made. Generative AI is not waiting for a three-year transformation roadmap. It has arrived through browser sessions, mobile apps, Microsoft 365 integrations, school assignments, messaging conversations, and informal workplace habits.
The Small-State Advantage Is Also a Control Problem
Malta’s size matters. With 518 respondents in Malta out of more than 26,000 people surveyed across all 27 EU member states, the Eurobarometer gives a country-level snapshot rather than an enterprise telemetry feed. But small countries can show social adoption patterns faster than larger markets because changes can diffuse through schools, employers, public services, and professional networks with less friction.That can be an advantage. A digitally receptive population can experiment quickly, normalize new tools, and expose practical use cases before larger countries finish debating whether the tools are a fad. Malta’s reported 86% figure among existing AI users who say their usage has increased over the past year is the adoption curve in miniature. More than half of Maltese AI users, 55%, said their usage has “increased a lot.”
Those two numbers are the real accelerant. Daily usage is the snapshot; increased usage is the velocity. A country where most current users say they are using AI more than before is not merely adopting a product category. It is building habits.
But habit formation is exactly what makes governance harder. Once users have discovered that AI can draft emails, rewrite text, summarize documents, generate formulas, explain code, translate rough notes, or help produce presentations, a blunt ban becomes unrealistic. Workers do not easily give up tools that save time, especially when comparable tools are available through personal accounts, mobile devices, and browser-based services.
That is why Malta’s lead should make enterprise IT nervous and interested at the same time. It shows the upside of a population willing to try new productivity tools. It also shows the speed at which unofficial workflows can become institutional facts before procurement, legal, compliance, and security teams have defined the rules.
| Measure | Malta | EU average or EU scope | Why it matters |
|---|---|---|---|
| Daily personal generative AI use | 38% | 20% EU average | Malta is almost twice the EU average for everyday consumer use. |
| Daily generative AI use at work or in education | 39% | EU ranking led by Malta | AI is embedded in professional and academic workflows, not just personal curiosity. |
| Existing AI users whose usage increased over the past year | 86% | Highest in EU, according to Lovin Malta’s report | Adoption is still accelerating rather than stabilizing. |
| Existing AI users whose usage “increased a lot” | 55% | Highest in EU, according to Lovin Malta’s report | Heavy-use behavior is becoming more common. |
| Believe AI and automation will have the biggest positive impact over the next decade | 52% | 39% EU average | Maltese respondents are more optimistic about AI’s practical future. |
| Support regulating AI to ensure it remains safe | 84% | Malta figure from the survey coverage | High adoption is coexisting with demand for guardrails. |
Copilot Is Not Just Another App in This Story
The inclusion of Microsoft Copilot alongside ChatGPT and Google Gemini is not incidental. For Windows users, Copilot represents one of the most direct paths by which generative AI becomes part of the default computing environment rather than a separate destination. If a user meets AI through ChatGPT, the action is explicit: open the service, type a prompt, copy the output. If a user meets it through Microsoft’s ecosystem, AI can sit closer to Word, Excel, Outlook, Teams, Edge, Windows search, and enterprise identity.That proximity changes the risk model. Traditional software governance was built around applications with recognizable boundaries. A spreadsheet program edited spreadsheets. An email client handled email. A browser accessed the web. Generative AI behaves more like a cross-application assistant: it ingests context, produces text, summarizes other people’s work, and encourages users to move information between systems.
The Eurobarometer finding does not prove that Copilot is the main driver of Malta’s workplace AI use. The survey coverage groups generative AI tools together and names multiple services, including ChatGPT, Gemini, and Copilot. What it does show is that Malta has the user behavior Microsoft has been designing for: frequent AI use, comfort with assistance tools, and a large share of respondents using AI in work or education.
That distinction matters. The confirmed survey fact is daily generative AI usage. The inference for WindowsForum readers is that Microsoft-heavy organizations in Malta-like environments should expect Copilot-style features to meet less cultural resistance than they might have a year or two ago. If users are already using AI in browser tabs, the addition of AI inside Microsoft 365 may feel less like a radical change and more like consolidation.
The challenge is that Copilot-style integration makes governance both easier and more complicated. Easier, because enterprise-managed tools can be tied to identity, policy, licensing, logging, and administrative controls. More complicated, because once AI is woven into everyday productivity software, admins must govern not merely access to a chatbot but the flow of organizational knowledge through prompts, summaries, generated drafts, and user decisions based on machine output.
This is why the Malta data matters beyond Malta. It points to a near future where the question for IT departments is not “Should we allow generative AI?” but “Which generative AI are our users already using, with what data, under which account, and with what review process?”
A Public That Wants AI Also Wants Rules
The most politically interesting part of the Maltese result is not enthusiasm. It is enthusiasm paired with regulatory appetite. Lovin Malta reports that 91% of respondents said digital policy should remain a priority for the EU, while 84% backed regulating AI to ensure it remains safe, even if that means placing restrictions on developers.That combination breaks a lazy narrative in the AI debate. High adoption does not automatically mean hostility to regulation. In Malta’s case, the people using AI most intensely are also strongly supportive of public rules around it. They want the benefits, but they do not appear to want a pure “move fast and break things” model imported wholesale into education, work, and public life.
For the EU, that matters because the Digital Decade agenda is not only about access and adoption. The European Commission’s Digital Decade 2026 Eurobarometer materials describe the survey as covering citizens’ views on digitalisation, digital rights, support for digital policy, generative AI use, European digital sovereignty, governance preferences, and concerns such as disinformation and online manipulation. Malta’s result sits inside that broader European argument: digital transformation is desirable, but trust is part of the infrastructure.
There is a practical lesson here for businesses. Users may resist slow approvals, clumsy security questionnaires, and policies that treat all AI as forbidden magic. But they may welcome clear rules that tell them which tools are approved, which data must never be entered, when AI output must be checked, and how to disclose AI-assisted work. The demand is not necessarily for less oversight. It is for oversight that matches the reality of use.
This is especially relevant for education. If 39% of Maltese respondents report daily generative AI use in work or education, schools and universities cannot treat AI as an external cheating device only. They need policies that distinguish between brainstorming, tutoring, translation, summarization, writing substitution, code generation, and assessment fraud. Those distinctions are hard, but avoiding them simply pushes usage underground.
The same applies inside companies. A finance analyst using AI to summarize public filings is not in the same risk category as an employee pasting confidential payroll data into a consumer chatbot. A developer using AI to explain a library function is not in the same category as one accepting generated security-sensitive code without review. Mature AI governance starts by recognizing those differences instead of pretending a single policy sentence can cover them all.
The Survey Is a Signal, Not a Census
A responsible reading of the Eurobarometer data requires some restraint. The Malta sample size cited by Lovin Malta is 518 respondents. That is enough to make the finding meaningful in the context of a Eurobarometer survey, but it is not the same thing as telemetry from every Maltese device, school, employer, or Microsoft 365 tenant.The numbers are also about reported behavior. Respondents are saying how often they use generative AI, and reported usage can be shaped by memory, definitions, social desirability, and confusion about what counts as AI. Some users may count a dedicated chatbot. Others may count AI-assisted search, writing suggestions, translation, or features built into software they already use.
That ambiguity is not a reason to dismiss the finding. In fact, it may be part of the story. As AI becomes embedded in mainstream software, users increasingly experience it less as a separate product and more as a capability. The line between “using AI” and “using modern software” is going to get blurrier.
The Malta result should therefore be read as a strong directional signal: a high share of Maltese respondents recognize generative AI as part of their daily personal and professional or academic lives. Whether every respondent defines the category identically is less important than the broader cultural shift. People know these tools exist, they are using them frequently, and many say they are using them more than before.
That is precisely the point at which security and compliance teams need to stop waiting for perfect measurement. In most organizations, shadow IT was never discovered by waiting for perfect inventories. It was discovered by looking at expense reports, browser logs, OAuth permissions, help desk tickets, user surveys, and the sudden appearance of unfamiliar workflows. Generative AI will be no different.
Timeline
The European Commission’s Special Eurobarometer 572 – The Digital Decade 2026 survey was conducted across all 27 EU member states and included 518 respondents in Malta, according to the survey coverage.The European Commission made Digital Decade 2026 Eurobarometer materials available as part of its wider reporting on citizens’ views of digitalisation, digital rights, digital policy priorities, generative AI use, sovereignty, governance, and online risks.
Lovin Malta reported on the Eurobarometer findings, highlighting Malta’s lead in daily ChatGPT and generative AI use and citing the Maltese figures for personal, workplace, and education use.
Malta’s Optimism Is a Productivity Bet
More than half of Maltese respondents, 52%, believe AI and automation will have the biggest positive impact on their lives over the next decade, compared with a European average of 39%. That optimism is not just mood music. It helps explain why adoption can accelerate quickly.People use tools more readily when they expect those tools to matter. If AI is perceived as a threat, adoption may still happen, but it tends to be reluctant, hidden, or externally imposed. If AI is perceived as useful, adoption becomes exploratory and self-directed. Malta’s figures suggest the latter dynamic is powerful.
This has a familiar pattern. The personal computer spread not only because companies bought machines, but because users found their own reasons to use them. Smartphones became indispensable not because every employer mandated them, but because personal convenience and work utility reinforced each other. Cloud storage, messaging apps, and video meetings followed similar paths: consumer behavior softened the ground for enterprise dependence.
Generative AI is following the same route, but faster. A worker can learn a chatbot in minutes. A student can use one without waiting for the school’s learning platform to integrate it. A small business owner can draft marketing copy, customer replies, or spreadsheet formulas without hiring a consultant. That low barrier to entry is why the technology spreads before institutions are ready.
For Microsoft, this is the environment Copilot was built to serve. The company does not need every user to understand model architecture. It needs users to believe that AI assistance belongs in everyday productivity tasks. Malta’s reported behavior suggests that belief is already widespread there.
Yet optimism should not be confused with literacy. A person can be enthusiastic about AI and still overtrust fabricated output, mishandle personal data, or fail to distinguish between a useful draft and a reliable answer. That is why the 84% support for regulating AI is so important. It indicates that Maltese respondents may see AI as both useful and risky, which is a healthier starting point than either panic or blind faith.
The Enterprise Risk Is No Longer Hypothetical
When 39% of respondents in a country say they use generative AI every day at work or in education, the relevant enterprise question changes. It is no longer whether employees might try AI someday. It is whether organizations know which AI tools are already being used and whether the sanctioned tools are good enough to keep users away from riskier alternatives.This is a procurement issue, but it is also a user-experience issue. If approved AI tools are slow, unavailable, poorly integrated, or wrapped in vague warnings, users will route around them. If the approved tool cannot summarize the kind of documents users actually handle, they will copy the text elsewhere. If the enterprise policy says “do not enter confidential data” but never explains what that means in ordinary work, users will guess.
For Windows estates, the practical surface area is broad. Users may interact with AI through Edge, Windows-integrated experiences, Microsoft 365 apps, Teams meetings, browser extensions, mobile apps, third-party SaaS platforms, developer tools, and search engines. A narrow blocklist will not create a strategy. It will create a false sense of control.
The risks are also broader than data leakage. There is hallucination risk, where plausible but wrong output enters documents or decisions. There is provenance risk, where no one can later tell whether a paragraph, slide, code snippet, or policy draft was AI-generated. There is licensing and copyright uncertainty around generated content. There is bias and discrimination risk if AI-generated recommendations influence hiring, grading, lending, or public service decisions. There is operational risk if employees become dependent on tools without fallback processes.
And there is the quieter risk of organizational amnesia. If employees use AI to summarize instead of read, draft instead of think, or decide instead of verify, the institution may save time while losing expertise. That does not mean AI should be avoided. It means AI adoption has to be paired with deliberate review points, training, and accountability.
Malta’s adoption numbers make this visible because they compress the future. Other EU countries may not be at the same daily-use rate, but the trajectory is familiar: personal use, then informal work use, then official pilots, then integration, then dependence. By the time dependence is obvious, the easiest policy choices have already passed.
Action checklist for admins
- Inventory AI access across browsers, Microsoft 365, endpoint software, SaaS apps, developer tools, and mobile workflows rather than treating AI as a single website category.
- Define approved tools for different data classes, including what may be used with public, internal, confidential, regulated, and customer data.
- Publish plain-language rules for prompts, file uploads, meeting transcripts, email summarization, code generation, and AI-assisted decision-making.
- Configure identity, logging, retention, and tenant controls for enterprise AI tools where available, especially for Microsoft Copilot-style deployments.
- Review Edge policies, browser extensions, sign-in behavior, and consumer AI access on managed Windows devices.
- Train users to verify outputs, spot hallucinations, and disclose AI assistance where accuracy, authorship, or compliance matters.
- Review education and workplace assessment processes so AI assistance is permitted, limited, or prohibited based on task purpose rather than blanket assumptions.
Minimum viable AI policy for this week
- Name the approved AI tools. If Microsoft 365 Copilot or Copilot Chat is approved, say which users, groups, and data classes it is approved for.
- Ban the obvious high-risk inputs: passwords, secrets, private keys, unreleased financials, customer records, regulated personal data, confidential HR files, and privileged security information in unapproved AI tools.
- Require human review for AI-assisted legal, HR, finance, security, medical, public-facing, and customer-impacting work.
- Tell users when disclosure is required, such as AI-assisted policy drafts, customer communications, published content, or assessed student work.
- In Microsoft 365, review sensitivity labels, sharing permissions, retention settings, and overshared SharePoint or OneDrive content before expanding Copilot access.
- In Edge and on Windows endpoints, review extension controls, browser sign-in rules, and whether consumer AI services should be allowed, warned, or blocked on managed devices.
Education Will Feel the Shock First
The work-and-education grouping in the survey is useful but also frustrating. A daily-use rate of 39% across professional and academic settings tells us that AI is present in serious contexts, but it does not separate the office from the classroom. Still, education deserves special attention because the incentives are so immediate.Students have strong reasons to use generative AI: explanation, translation, brainstorming, rewriting, coding help, and assignment completion. Teachers have equally strong reasons to worry: plagiarism, unequal access, shallow learning, and assessment integrity. Administrators face the unenviable job of writing rules that are neither naïve nor unenforceable.
Malta’s high daily-use environment suggests that the “ban it and move on” approach is especially brittle. Even if a school restricts AI on managed Windows devices, students can access tools elsewhere. Even if an assignment forbids AI assistance, detection is unreliable and can produce false accusations. The better approach is to redesign some assessments around process, oral defense, in-class work, source evaluation, and visible revision history.
That does not mean surrendering standards. It means specifying where AI use is educationally valuable and where it defeats the point of the task. Using AI as a grammar coach may be acceptable in one context and unacceptable in another. Asking AI to explain a concept may support learning; submitting AI-generated analysis as one’s own may not. The policy has to be tied to the learning objective.
The same logic applies to workplace training. Employees need to understand not only how to prompt a model but when not to use one. AI literacy is not merely “write better prompts.” It includes data classification, verification, accountability, privacy, security, and domain judgment. A country can have high AI adoption and still have uneven AI competence.
This distinction is crucial for Microsoft-heavy organizations. Copilot can lower friction, but it does not magically supply judgment. If a user asks for a summary of a long document, the output may be useful. If the user relies on that summary for a legal, medical, financial, HR, or security-sensitive decision without review, the organization has a process problem, not just a software problem.
Regulation Becomes More Plausible When Users Already See the Value
The 84% Maltese support for regulating AI to ensure safety is easy to read as a constraint on innovation. It may be the opposite. When people are already using a technology and believe it will have a positive impact, they may support regulation because they want the technology to be durable, trustworthy, and socially acceptable.That is an important point for vendors. The AI industry often frames regulation as a drag on deployment. But in markets where users are enthusiastic and anxious at the same time, rules can legitimize adoption. Clear requirements around safety, transparency, data handling, and accountability can make it easier for governments, schools, and enterprises to approve AI use at scale.
The European Commission’s framing of the Digital Decade survey connects generative AI use with digital rights, sovereignty, governance preferences, and concerns about online manipulation. That broader context matters because generative AI is not only a productivity tool. It is also a content engine, a search interface, a coding assistant, a tutoring system, a summarizer, and a persuasive text generator.
Malta’s numbers therefore point to the central European bargain: embrace digital transformation, but do not leave it entirely to platform vendors. The public wants useful AI, but it also wants safety. It wants digital policy to remain a priority. It wants the next decade to be shaped rather than merely endured.
For IT leaders, this means policy alignment will matter. Internal AI rules that mirror broader public expectations around safety, privacy, and accountability will be easier to defend. Rules that look arbitrary, performative, or purely obstructionist will be ignored.
The organizations that succeed will not be the ones with the longest AI policy PDFs. They will be the ones that translate risk into daily practice: which button to use, which data not to paste, which output to verify, which decisions require a human owner, and which AI tools are approved for which tasks.
Malta Is a Preview of the Copilot-Normal Workplace
The most useful way to read the Malta data is as a preview of normalization. Once daily AI use reaches this level, the novelty discourse collapses. The tool is no longer remarkable because it can produce a poem or summarize an article. It becomes part of how people draft, revise, search, explain, and decide.That shift will put pressure on software vendors to make AI feel invisible. Microsoft’s direction with Copilot, Google’s direction with Gemini, and OpenAI’s consumer and enterprise offerings all point toward the same destination: AI as an embedded layer rather than a separate application. For WindowsForum readers, the Microsoft version of that future is especially important because it sits close to Windows endpoints, Microsoft 365 content, Entra identity, Teams collaboration, Edge browsing, SharePoint permissions, OneDrive files, and the administrative controls that govern them.
The confirmed Malta finding is about reported generative AI use, not about one vendor winning the market. But the operational lesson for Microsoft environments is clear. If users already see AI as part of daily work, then Copilot governance cannot be treated as a license checkbox. It has to be part of endpoint management, data governance, browser policy, identity review, information protection, and user training.
Admins should also avoid the opposite mistake: assuming that a Microsoft-controlled AI deployment automatically solves shadow AI. A well-managed Copilot rollout can reduce the temptation to paste work into consumer tools, but only if users understand what is allowed, if the approved experience is useful, and if data permissions are already under control. Copilot can surface what users are already permitted to access; that makes oversharing in SharePoint, Teams, and OneDrive a governance issue before it becomes an AI issue.
This is where WindowsForum’s practical lens matters. The story is not simply that Malta likes AI. It is that a modern Windows-and-Microsoft 365 estate now has to assume AI behavior at the endpoint, in the browser, in the productivity suite, and in the user’s daily habits. That requires policy that is clear enough for ordinary employees, technical controls that map to real data risk, and training that treats AI as a normal work tool with abnormal failure modes.
The forward-looking lesson is not to panic and not to coast. Malta shows how fast generative AI can move from curiosity to routine. The organizations that handle the next phase best will be the ones that make approved AI easier than risky AI, clean up Microsoft 365 permissions before expanding Copilot access, govern Edge and endpoint behavior realistically, and teach users that AI output is assistance, not authority.
For Windows admins, the work this week is modest but urgent: find the AI tools already in use, decide which ones are approved, protect sensitive Microsoft 365 data, set Edge and endpoint expectations, and publish rules that employees can actually follow. Malta’s lead may be a national statistic, but the operational warning is local: if your users can reach AI, they are probably already building workflows around it.
References
- Primary source: Lovin Malta
Published: 2026-07-09T09:00:17.270514
Malta Leads EU In Daily ChatGPT And AI Use, New Survey Finds
Malta has been ranked as the European Union’s top user of generative artificial intelligence, with more people using tools like ChatGPT, Google Gemini and Microsoft Copilot every day than in any other member state. According to the latest Eurobarometer survey, 38% of Maltese use generative...lovinmalta.com - Related coverage: better-internet-for-kids.europa.eu
Malta - Policy monitor country profile
The Better Internet for Kids (BIK) Policy monitor is a tool used to compare and exchange knowledge on policy making and implementation in EU Member States, Iceland and Norway on the pillars and recommendations of the European Strategy for a Better Internet for Children (BIK+ strategy). The 2026...better-internet-for-kids.europa.eu - Related coverage: kpmg.com
KPMG Global AI Pulse shows accelerating AI investment globally, with Eurostat ranking Malta among EU leaders in Gen AI adoption
Three out of four global leaders will prioritise AI investment despite economic uncertainty, KPMG Global AI Pulse survey finds.
kpmg.com
- Related coverage: economy.gov.mt