If your business uses a chatbot, generates marketing copy with AI, or is building any kind of AI-powered tool, you need to read this.
Updated 19 June 2026: the European Parliament approved the Digital Omnibus on 16 June 2026, confirming the postponed high-risk obligations (2 December 2027 and 2 August 2028) and a grace period to 2 December 2026 for the machine-readable marking of AI-generated content. The Article 50 transparency duties this guide focuses on (disclosing chatbots and labelling deepfakes) still apply from 2 August 2026, so the practical advice below stands. For the full timeline of how these rules have evolved, see Age of AI Governance: A Timeline.
The EU AI Act’s transparency obligations take effect on 2 August 2026. MDIA, Malta’s Digital Innovation Authority, has been designated as the enforcer. And most of Malta’s 35,000+ SMEs are adopting AI tools without knowing that new legal obligations are months away.
I’ve spent the past few months going through the Act in detail, talking to people in the ecosystem, and figuring out what it actually means in practice. Here’s what I’ve learned.
What Is the EU AI Act?
It’s the world’s first comprehensive AI regulation. Think GDPR, but for AI. It’s an EU Regulation, so it applies directly in Malta, with no transposition needed.
The Act classifies AI systems by risk and imposes obligations proportional to that risk. For most SMEs, the compliance burden is manageable. But it’s not zero.
The Risk Tiers That Actually Matter
Minimal Risk: Your internal analytics dashboards, workflow automations, inventory tools, basic data processing. No specific obligations. Most internal AI falls here. You’re fine.
Limited Risk: Chatbots, content generation tools, AI assistants that talk to customers. This is where most SME-facing AI sits. The obligation is transparency: tell users they’re interacting with AI, and label AI-generated content. Straightforward, but you have to actually do it.
High Risk: Recruitment screening, credit scoring, insurance pricing, critical infrastructure. Full compliance framework: risk assessments, data governance, human oversight. Most SMEs won’t touch this tier unless they’re in regulated sectors, and after the May 2026 Digital Omnibus, these obligations now land on 2 December 2027 (Annex III) and 2 August 2028 (AI embedded in products).
Unacceptable Risk: Social scoring, real-time biometric surveillance, manipulative AI. Banned outright since February 2025.
What’s Already in Force
This is what most people miss. Not everything starts in August.
Since 2 February 2025: Article 5 prohibited practices are enforceable right now. If your AI does anything classified as unacceptable risk, you’re already in violation. Subliminal manipulation, exploitation of vulnerabilities, social scoring: these are live. Most legitimate business AI won’t trigger this, but check.
2 August 2026: Article 50 transparency obligations kick in. This is the big one. If you run a chatbot, virtual assistant, or any AI that interacts with people, you must disclose it. Clearly and proactively.
What Article 50 Requires in Practice
For most SMEs, Article 50 is the key obligation. Here’s what it means day-to-day:
Conversational AI (chatbots, assistants, agents): tell users they’re talking to AI before or at the first interaction. Not in the terms of service. Not in small print. Up front.
AI-generated content (text, images, audio, video): if you publish it externally, mark it as AI-generated in a machine-readable format.
Synthetic media: any artificially generated or manipulated content must be disclosed. Marketing materials, social posts, anything public-facing.
The Trap Most SMEs Miss: Branding AI Makes You the Provider
Here’s the point that catches people off guard. The Act splits duties between the provider of an AI system and the deployer who uses it. Most SMEs assume they’re only ever deployers: they bought the tool, someone else built it, so the heavy obligations sit with the vendor.
That holds until you put your name on it. Under Article 3(3), the moment you brand an AI system as your own (even one you didn’t build, even a white-labelled chatbot or a tool you’ve fine-tuned and rebadged) you become its provider in the eyes of the Act. Provider duties are heavier: you owe the Article 50(1) interaction notice, and for generative output the Article 50(2) marking obligation.
For a Maltese SME launching a branded AI assistant, this is the single most consequential line in the regulation. It’s not a reason to avoid branded AI; it’s a reason to design the disclosure in from the start, so the duties are satisfied at launch rather than retrofitted under enforcement. That handover is exactly what we build into every AI integration we deliver.
MDIA: Enforcer and Opportunity
MDIA is Malta’s national competent authority under L.N. 226 of 2025. They regulate, audit, and enforce.
But MDIA is also a door opener. The Regulatory Sandbox lets you test AI systems under regulatory supervision: genuine advantage for early movers. ITAS Certification is voluntary but signals to the market that your AI has been independently reviewed. Both are worth exploring if you’re building AI into your product.
A Practical Compliance Checklist
1. Audit your AI usage. List every AI tool your business uses. Categorise each by risk tier. Most will be Minimal or Limited. Do this now, not in July.
2. Add transparency notices. For any customer-facing AI, add a clear disclosure. Banner, first message, whatever: just make it obvious and proactive.
3. Label AI-generated content. If AI writes your marketing copy, creates images, or generates reports that go external, implement a labelling system. Machine-readable metadata is the standard.
4. Document your AI systems. Keep a register: what AI you use, what it does, what data it processes, what risk tier it falls under. Simple spreadsheet. This is your audit trail.
5. Review your vendors. Most SMEs use third-party AI tools. Check whether your vendors are compliant. Their gaps become your risk.
The Opportunity Most People Miss
Here’s my take: compliance is a competitive advantage, especially in a market this small.
Malta’s AI ecosystem is tight-knit. The businesses that show documented compliance early will build trust with clients, partners, and regulators. When enforcement starts, you want to be the business that’s already sorted, not the one scrambling. We publish our own AI governance framework for exactly this reason: it’s easier to ask clients to trust how you use AI when you’ve written it down.
The MDIA sandbox is open for businesses testing AI systems. For companies building AI products, this is a chance to shape how regulation works in practice rather than react to it after the fact.
Funding Your Compliance Work
Several grant schemes can fund AI compliance and implementation. Digitalise Your SME covers AI projects with up to 50–60% co-funding plus a 10% AI top-up via MDIA. Skills Development funds AI training at 70%. If you’re building AI into your product, the Innovate Scheme offers up to €250,000.
The Bottom Line
The EU AI Act is not a threat. It’s a framework that, properly navigated, builds trust and opens doors. But it requires action, and August is closer than it feels.
The businesses that prepare now will be the ones others turn to for guidance later.
Start your audit now. Implement transparency notices this month. Turn a regulatory requirement into the thing that sets you apart.

