ARTICLE
24 March 2026

Digital Omnibus On AI Proposal

BD
BDO Malta

Contributor

BDO Malta logo
Forming part of BDO’s Global Network, BDO Malta is a professional services and advisory firm, assisting companies in accelerating business growth through exceptional client service. Established in 1978, BDO Malta provide a wide portfolio of services including regulatory advisory, outsourcing, audit and assurance, tax & technology regulatory compliance to assist clients across different industries in growing their businesses efficiently.
Explore Firm Details
In our previous article, Digital Omnibus Regulation Proposal, we examined the Commission’s proposal published on 19 November 2025 (the “GDPR Omnibus”). On the same day, the Commission introduced a complementary initiative, the Digital Omnibus on AI Regulation Proposal (the “AI Omnibus”).
Malta Technology
Lara Borg Bugeja and Larkin Magro
Your Author LinkedIn Connections
Lara Borg Bugeja’s articles from BDO Malta are most popular:
  • within Technology topic(s)
  • in United States
BDO Malta are most popular:
  • within Government, Public Sector and Employment and HR topic(s)

In our previous article, Digital Omnibus Regulation Proposal, we examined the Commission’s proposal published on 19 November 2025 (the “GDPR Omnibus”). On the same day, the Commission introduced a complementary initiative, the Digital Omnibus on AI Regulation Proposal (the “AI Omnibus”). This second proposal forms part of the broader Digital Omnibus Package and specifically targets the streamlining, clarification and practical refinement of the interpretation and implementation of the AI Act. 

The AI Act, which came into force on the 13th June 2024, was met with criticism for hurdles and unrealistic deadlines, especially for high-risk AI-systems (HRAI). The Commission now seeks to, rather than give a complete revamp, repeal or otherwise reform, as it did with the GDPR Omnibus, it merely seeks to amend the AI Act, keeping the same considerations and goal intact. 

Extension of Deadlines for HRAI Compliance 

One of the most significant adjustments introduced by the GDPR Omnibus is the extension and added flexibility of compliance deadlines for HRAI systems under the AI Act. Although the initial timeline required most high risk obligations to apply by August 2026, businesses and regulators quickly became concerned that the deadlines were not reasonable. Many of the essential elements needed for compliance such as harmonised standards, common specifications, Commission guidance and fully operational national competent authorities, were not yet in place. This created the risk of imposing obligations that could not be effectively met and would place disproportionate burdens on businesses. 

To address these implementation challenges, the GDPR Omnibus creates a mechanism that links the activation of highrisk requirements to the availability of practical compliance support. Once the European Commission formally confirms that adequate measures are in place, the highrisk obligations will begin to apply after: 

  • 6 months for systems classified as highrisk under Article 6(2) and Annex III, and 

  • 12 months for systems classified as highrisk under Article 6(1) and Annex I. 

This staggered approach mirrors the structure of the AI Act and recognises the differing complexity of these categories. 

Importantly, this flexibility is timelimited. Even if standards or guidance remain delayed, the obligations must take effect no later than: 

  • December 2027 for Annex III highrisk systems, and 

  • August 2028 for Annex I highrisk systems. 

These adjusted deadlines strike a balance between ensuring legal certainty and giving organisations realistic preparation time to meet their obligations, while still keeping the overall AI Act implementation on track. 

Transitional Period for Generative AI Systems 

The GDPR Omnibus introduces a targeted grace period specifically for the transparency obligations that apply to generative AI systems under Article 50 of the AI Act. These transparency rules, covering requirements such as watermarking, metadata tagging, and ensuring the detectability of AIgenerated or AImanipulated content, are distinct from the broader compliance duties imposed on providers of generalpurpose AI (GPAI) models under Chapter V of the Act. 

Under the original AI Act, these transparency obligations were set to apply from August 2026, alongside several other provisions relating to highrisk AI systems. However, recognising the rapid evolution of generative AI technologies and the need for providers to adapt existing systems, the Digital Omnibus creates an additional sixmonth transition period for certain models. Specifically, generative AI systems placed on the EU market before August 2026 benefit from extra time to retrofit the necessary transparency features. 

According to the proposal, these providers will now have until February 2027 to comply with the newly applicable transparency obligations. This adjustment aims to avoid imposing undue burdens on providers of preexisting generative models and acknowledges the technical time needed to integrate watermarking and other detectability measures retroactively. 

It is important to emphasise that this grace period does not modify the alreadyestablished compliance deadlines for GPAI model provider obligations, which still require providers of generalpurpose AI models placed on the market before August 2025 to comply fully by August 2027. These obligations, such as maintaining training data summaries, providing technical documentation and implementing copyright compliance measures, remain unchanged. 

Taken together, these two timelines demonstrate that the GDPR Omnibus does not shorten or override any existing GPAI compliance periods. Instead, it introduces a practical transition measure to support providers in implementing transparencyspecific obligations for generative AI, while the core GPAI obligations under the original AI Act continue on their established path toward full application in 2027. 

SME’s and Small Mid-Caps 

The AI Omnibus introduces a series of targeted simplification measures designed to reduce the regulatory burden on SMEs, while extending these benefits to small midcap companies (SMCs). Recognising that smaller organisations face disproportionately high compliance costs, the proposal broadens existing SME relief mechanisms, such as simplified technical documentation requirements under Articles 11 and 16(2), reduced registration obligations for systems exempted from highrisk classification under Articles 6(3) and 49, as well as more flexible postmarket monitoring processes under Article 72, to include SMCs as well.  

These adjustments aim to make compliance more proportionate by reducing paperwork, easing administrative procedures and enabling smaller firms to meet regulatory expectations without the same resource strain faced by larger companies.  

The AI Omnibus also strengthens support mechanisms that help smaller entities bring AI systems to market responsibly. Most notably, it expands eligibility for regulatory sandboxes under Article 53, allowing SMCs, alongside SMEs, to test AI systems in supervised, realworld environments before deployment, and anticipates the creation of an EUlevel sandbox by 2028.  

Additionally, an amendment to Article 4 of the AI Act has been proposed, under which the direct AI literacy obligation currently imposed on providers and deployers would be removed. Instead of requiring companies to ensure that their staff possess a sufficient level of AI literacy, the proposal would transfer this responsibility to the European Commission and Member States, who would be tasked with promoting and supporting AIrelated training through guidance, resources, and voluntary initiatives. This shift is intended to ease the administrative burden on SMEs and small midcap companies, which often lack the internal capacity and specialised compliance teams needed to design and deliver structured AI literacy programmes. 

Finally, a new Article 4a would ease restrictions on processing sensitive personal data for the purpose of detecting and correcting bias, offering SMEs and SMCs greater flexibility in developing trustworthy AI systems. 

Altogether, these measures aim to make the AI Act more proportionate and innovationfriendly, ensuring that compliance is achievable for smaller and scaling companies without compromising the EU’s standards for trustworthy AI, strengthening, and operationalising these simplification pathways. 

Strengthening the EU AI Office 

A key institutional change proposed in the AI Omnibus is the significant expansion of the EU AI Office’s supervisory and coordination powers, addressing concerns that fragmented national enforcement could undermine consistent application of the AI Act across the Union. Under the proposal, the AI Office becomes the central authority responsible for the oversight of AI systems built on generalpurpose AI (GPAI) models, as well as AI systems that are part of Very Large Online Platforms (VLOPs) and Very Large Search Engines (VLOSEs) under the Digital Services Act. This centralisation ensures that the most systemically impactful AI systems, those capable of affecting millions of users across borders, are supervised with uniform standards rather than disparate national approaches.  

The AI Office would also gain strengthened market surveillance powers, enabling it to coordinate closely with national competent authorities and, where necessary, exercise exclusive oversight over certain classes of AI systems. The broader Digital Omnibus Package further frames the Office as a key governance actor, responsible for supporting businesses with clearer guidance, promoting AI literacy, and helping ensure that implementation of the AI Act remains practical and innovationfriendly. Collectively, these reforms position the AI Office as the EU’s central hub for AI oversight, improving regulatory coherence, reducing enforcement gaps between Member States and ensuring more predictable compliance pathways for organisations developing or deploying advanced AI systems. 

How does this affect businesses? 

Although the AI Omnibus has the potential to ease compliance pressures and clarify regulatory expectations, it is important for businesses to note that these changes remain at the proposal stage and are not yet law. If adopted, the extended deadlines for highrisk AI systems, the transitional period for generative AI transparency rules, and the simplified obligations for SMEs and midcaps would give organisations more realistic room to prepare.  

At the same time, the proposal signals a shift toward more centralised oversight through the EU AI Office, meaning firms should still invest in strong governance and dataprotection practices. In essence, the AI Omnibus offers prospective relief, but until finalised, businesses should treat it as an opportunity to prepare proactively rather than a guarantee of reduced obligations. 

BDO can help businesses navigate the changes introduced by the AI Omnibus with confidence. We support clients in assessing the impact of revised highrisk timelines, meeting new transparency obligations for generative AI and adapting to simplified requirements for SMEs and midcaps. Through targeted AI governance updates, practical compliance guidance, and ongoing monitoring of regulatory developments, we ensure your organisation remains aligned with the evolving AI Act while making the most of the streamlined framework proposed by the AI Omnibus. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Lara Borg Bugeja
Lara Borg Bugeja
Photo of Larkin Magro
Larkin Magro
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More