The European Union's Artificial Intelligence Act is the first horizontal law on AI anywhere in the world, and as of June 2026 it is doing two things at once: getting stricter in a few places and slower almost everywhere else. In May 2026 the Parliament and the Council agreed a provisional deal, the Digital Omnibus, that pushes the rules for high-risk systems back by well over a year and lightens the load on smaller firms. If you run a business, the headline you took away was probably "the AI rules have been delayed". That is true, and it is also the least useful thing to do with the news.
Because the delay does not change the destination. It changes how much time you have to be ready for it. And for a small state, time is the one input we can actually use better than a large one.
What the Act actually does, in one paragraph
Strip away the noise and the Act is a risk ladder. A short list of uses is simply banned, and has been since 2 February 2025. A defined set of high-risk uses, things like AI in recruitment, credit scoring, or critical infrastructure, carries heavy duties around documentation, human oversight and testing. Most ordinary software sits below that line and carries only light transparency duties, such as telling people when they are dealing with a chatbot or looking at AI-generated content. Separately, the largest general-purpose models have had their own obligations since 2 August 2025. The penalties at the top end are serious: fines reaching the higher of 35 million euro or 7% of global turnover for the worst breaches. The part that gets lost in the panic is that most everyday business tools are not high-risk at all.
What just changed, and why it matters
The Commission published the Digital Omnibus package in November 2025, and on 7 May 2026 the Parliament and Council reached a provisional political agreement on the AI part of it. The substance, as it stands: the obligations for standalone high-risk systems move from 2 August 2026 to 2 December 2027; high-risk AI built into regulated products moves to 2 August 2028; there are tailored accommodations for small and medium firms and for small mid-caps; the deadline for national regulatory sandboxes slips from August 2026 to August 2027, alongside a new EU-level sandbox with priority access for smaller players; and a set of new prohibitions is added, including AI-generated intimate-image abuse and child sexual abuse material.
One honest caveat, because it is the kind I insist on. As I write, this is a provisional agreement. It still needs formal adoption and publication in the Official Journal before it is law, expected before August 2026. Deadlines that move once can move again, so the sane way to plan is for the rule, not the reprieve.
The reason for the delay is the part worth sitting with. The official rationale is that the technical standards were not ready, the governance was unclear, and compliance was costing more than expected. That is an admission, and a revealing one. When a flagship law slips on its own implementation, the lesson is not that the rules were wrong in principle. It is that the capacity to apply them was overestimated. Which is precisely the question a small state should be asking about itself.
Where this leaves a country like Malta
A small state cannot write its own AI rulebook, and should not try. The single market is the whole point: a Maltese firm sells into 450 million people under one set of rules, and fragmenting that to look busy would be self-harm. Malta did the sensible thing. Legal Notice 226 of 2025 plugs the country into the EU framework and names the Malta Digital Innovation Authority as the lead market-surveillance and competent authority and the single point of contact, with the Information and Data Protection Commissioner handling the data-sensitive cases and coordination with the Malta Financial Services Authority where finance meets high-risk AI. There is a national strategy, the Vision for Artificial Intelligence in Malta 2030, and an MDIA-run sandbox. On paper, the architecture is right.
The risk in a small state is never the law on paper. It is whether the named authorities have the people, the technical skill and the standing to actually supervise, advise, and when it comes to it, say no. A regulator that exists in a legal notice but cannot give a company a useful answer in a useful timeframe is worse than no regulator at all, because it adds delay without adding protection. That is the failure mode to design against, and the extra months are exactly the time to do it.
The trade-off, named
Here is the genuine tension, with both sides given their due. The case for moving fast on capacity is that a responsive regulator is a competitive asset. A small, well-staffed authority that gives a clear answer in weeks, where a large one takes months, is an edge a place like Malta can credibly offer the AI and fintech firms it wants to attract. The sandbox is not a box-ticking exercise. Done properly, it is a reason to set up here rather than somewhere larger and slower.
The case for caution cuts the other way. The temptation a small jurisdiction must resist is gold-plating: adding national requirements on top of the EU baseline to look serious. That throws the advantage away. A small market cannot afford to be more demanding than Frankfurt or Dublin for no extra protection, because the only thing it achieves is to send the firm to Frankfurt or Dublin. The line to hold is narrow and unglamorous: the EU baseline, applied quickly, with real help to comply, and nothing bolted on for show.
What I would do with the delay
Four things, none of them exotic. Staff and skill up the MDIA and the IDPC now, while the clock is generous, because December 2027 arrives faster than it reads. Make the sandbox real and market it, with a published timeline for a first response so that "responsive" is a commitment rather than a brochure word. Write plain-language guidance for small firms that tells them honestly which of their tools are high-risk and which are not, because most are not, and the fog around that question is doing real economic damage right now. And resist every temptation to gold-plate.
The deeper point is one I keep coming back to. For most of the things that matter in a small state, the binding constraint is not the rule and it is not the technology. It is administrative capacity and the discipline to build it before the deadline rather than after. Brussels has just handed Malta eighteen extra months on the hardest part of this law. The question is whether we treat that as time to prepare, or as permission to look away. One of those is a small-state advantage. The other is the oldest small-state mistake there is.
Questions readers ask
When do the EU AI Act's high-risk rules apply? Under the May 2026 Digital Omnibus deal, the obligations for standalone high-risk systems move to 2 December 2027 and those for high-risk AI embedded in regulated products to 2 August 2028, both later than the original 2 August 2026 date. The deal is provisional until formally adopted and published. Prohibited practices have applied since 2 February 2025 and general-purpose model rules since 2 August 2025.
Who enforces the AI Act in Malta? Legal Notice 226 of 2025 names the Malta Digital Innovation Authority as the lead competent and market-surveillance authority and single point of contact, with the Information and Data Protection Commissioner for data-sensitive systems and coordination with the Malta Financial Services Authority for high-risk AI used in finance.
Does the AI Act apply to ordinary business software? Mostly no. Most everyday tools fall outside the high-risk category and carry only light transparency duties, such as telling users when they are dealing with AI or AI-generated content.
Sources: European Commission, "AI Act" and "Navigating the AI Act"; Council of the EU press release, "Artificial Intelligence: Council and Parliament agree to simplify and streamline rules", 7 May 2026; Gibson Dunn and White & Case client notes on the Digital Omnibus agreement, May 2026; EU AI Act implementation timeline (artificialintelligenceact.eu); Malta, Legal Notice 226 of 2025, Artificial Intelligence Regulations; Malta Digital Innovation Authority (MDIA); "Strategy and Vision for Artificial Intelligence in Malta 2030". The Digital Omnibus changes described here were provisional at the time of writing and subject to formal adoption.