Digital Omnibus on AI: The EU’s AI Act simplification and new AI Office powers

On 29 June 2026, the Council of the European Union gave its final green light to the Digital Omnibus on AI, a package of amendments that eases and delays parts of the EU AI Act, completing a legislative procedure that began when the European Commission published its proposal on 19 November 2025. It amends the EU AI Act, together with the EU’s civil aviation rules and machinery regulation. According to the European Parliament’s Legislative Observatory, the final act was signed on 8 July 2026, and the Digital Omnibus is now awaiting publication in the Official Journal of the European Union, a necessary step before it can enter into force, ahead of the original 2 August 2026 deadline for several high-risk AI obligations.

Much of the public attention on the Digital Omnibus has focused on the delay to high-risk AI rules and the new ban on AI-generated intimate imagery. The full legal text of the amending regulation also reorganises, in detail, responsibility for supervising AI systems that operate within very large online platforms regulated under the Digital Services Act, and amends several other elements of the way the AI Act is enforced, points that have drawn less attention so far.

The Council describes this regulation as part of a wider legislative package known as Omnibus VII, one of several ‘omnibus’ simplification efforts the Commission has proposed across different policy areas. It was also listed in the Parliament and the Council in their Joint Declaration on EU legislative priorities for 2026, signalling the priority both institutions attached to its rapid finalisation.

Why the Commission proposed the amendments

 Architecture, Building, Office Building, City, Urban, High Rise, Flag

According to the recitals of the Digital Omnibus on AI, the amendments respond to problems identified once parts of the AI Act began to apply in August 2024. The recitals point to delays in the preparation of harmonised technical standards needed by providers of high-risk AI systems in order to demonstrate compliance, as well as delays by several member states in setting up the national authorities and conformity assessment bodies responsible for checking that compliance. Taken together, the recitals state that these delays created a heavier compliance burden than originally expected.

The Commission’s proposal also links the amendments to a broader competitiveness rationale, describing them as part of a wider effort by EU leaders to reduce administrative burdens on business, following the recommendations of the Draghi and Letta reports on European competitiveness. Industry associations also lobbied for the amendments throughout 2025.

The trade group DIGITALEUROPE told policymakers that compliance with the AI Act could cost companies in the region of EUR 3.3 billion a year across the EU, and that a company of around 50 employees developing an AI-based product could face initial compliance costs of between EUR 320,000 and EUR 600,000.

How the Digital Omnibus was negotiated

 People, Person, Audience, Crowd, Indoors, Lecture, Room, Seminar, Adult, Male, Man, Female, Woman, Head

The AI-specific amendments were separated from the wider Digital Omnibus package, which also proposes amendments to the GDPR, the ePrivacy Directive, the Data Act, and the NIS2 Directive on cybersecurity, due to the approaching deadline for high-risk AI obligations. According to the Legislative Observatory’s procedure record, Parliament’s Internal Market Committee voted on the proposed regulation on 18 March 2026, and the Parliament adopted its first-reading position on 26 March 2026.

The Parliament and the Council negotiators reached a political agreement on the Digital Omnibus early on 7 May 2026. The Council’s Permanent Representatives Committee confirmed the agreement in a letter dated 13 May 2026. The Parliament formally adopted the Digital Omnibus on 16 June 2026, the Council gave its final approval on 29 June 2026, and the final act was signed on 8 July 2026.

The regulation’s preamble records that the European Central Bank was consulted and issued a formal opinion, published in the Official Journal in April 2026, as required under EU legislation for measures affecting payments and financial infrastructure. The European Economic and Social Committee delivered its opinion on 18 March 2026, and the Committee of the Regions gave its opinion on 7 May 2026. National parliaments, including those of Czechia, Italy, the Netherlands, Portugal, Romania, Germany, Poland and France, also submitted subsidiarity contributions during the process. The Parliament’s public transparency register separately records meetings on this regulation between the two co-rapporteurs and organisations, including Google, the AI start-up Mistral AI, the digital rights group EDRi, the privacy group noyb, and the standards and conformity body TIC Council, reflecting the range of interests, from large technology firms to civil society, that engaged with the negotiations.

New deadlines for high-risk AI obligations

Under the amended Article 113 of the AI Act, the obligations for high-risk AI systems set out in Sections 1 to 3 of Chapter III will now apply from 2 December 2027 for systems classified as high-risk under Article 6(2) and Annex III, which covers areas such as biometrics, critical infrastructure, education, employment, law enforcement, migration and border management. For systems classified as high-risk under Article 6(1) and Annex I, meaning AI systems embedded in products already covered by other EU safety legislation, such as machinery or medical devices, the new deadline is 2 August 2028. Both deadlines were originally set for 2 August 2026.

A separate provision clarifies how the AI Act’s grace period for so-called legacy systems, set out in Article 111(2), applies. Once at least one unit of a given type and model of high-risk AI system has been lawfully placed on the market before the relevant cut-off date, further units of the same type and model can continue to be placed on the market or put into service without additional certification, as long as the system’s design does not change significantly. Any significant redesign after the cut-off date triggers full compliance with the AI Act, including conformity assessment.

To help providers meet the new deadlines, the Digital Omnibus requires the Commission to request that European standardisation bodies develop technical standards aligned with existing product-safety standards, reducing duplication for companies that have to comply with both the AI Act and sectoral legislation. The Commission must also publish guidance on post-market monitoring plans by 2 September 2027, as well as guidance to help providers of Annex I high-risk systems apply the AI Act alongside sectoral rules by 1 August 2027. Watermarking obligations for AI-generated content, which allow such content to be detected and traced, benefit from a separate four-month transitional period for systems already on the market before 2 August 2026.

Changes to AI literacy and the use of sensitive data for bias correction

 Person, Security, First Aid, Fungus, Plant

A further amendment loosens the AI Act’s AI literacy obligation. Instead of requiring providers and deployers to ensure a sufficient level of AI literacy among their staff, the amended Article 4 requires them to take measures supporting the development of that literacy among staff and other people involved in the operation of their AI systems. The European Artificial Intelligence Board is tasked with adopting recommendations that set common objectives to guide how the Commission and member states support this obligation.

A new Article 4a allows providers and deployers of AI systems to process special categories of personal data, such as data revealing ethnicity or health status, for the specific purpose of detecting and correcting bias, subject to a list of privacy safeguards, including data minimisation, restrictions on transferring the data to third parties, and deletion once the bias has been corrected. The final text requires this processing to be strictly necessary, a stricter standard than the version originally proposed by the Commission. This followed a joint opinion issued by the European Data Protection Board and the European Data Protection Supervisor in January 2026, which recommended reinstating the stricter standard.

AI Office gains exclusive powers over general-purpose AI and large platforms

 Logo, Nature, Night, Outdoors, Text, Symbol

Article 75 of the AI Act, which governs the market surveillance of AI systems, has been substantially rewritten. Under the new provisions, the Commission’s AI Office becomes exclusively responsible for supervising two categories of AI systems. The first category comprises AI systems built on general-purpose AI models, where the same provider, or providers belonging to the same undertaking, developed both the underlying model and the AI system built on it. This exclusive competence carries several exceptions. It does not apply to AI systems related to products already covered by EU product-safety legislation, AI systems used as critical infrastructure, systems provided by law enforcement authorities, border management authorities or financial institutions in specific circumstances, or certain systems used in the administration of justice, all of which remain under national supervision.

The second category covers AI systems that constitute, or are integrated into, a very large online platform or a very large online search engine designated under the Digital Services Act (DSA), the EU’s rulebook for online platforms. The recitals state that empowering the Commission, through the AI Office, to act as a market surveillance authority for these systems is intended to ensure that enforcement of the AI Act and the DSA is carried out consistently, given the scale and potential societal impact of very large platforms and search engines.

For AI systems that are embedded in, or form part of, a designated very large platform or search engine, the Digital Omnibus specifies that the DSA’s own risk assessment, mitigation, and audit obligations, laid down in Articles 34, 35, and 37 of that regulation, serve as the first point of entry for assessing the AI system. This is without prejudice to the AI Office’s separate power to investigate and enforce breaches of the AI Act after the fact. The Commission services that enforce the DSA and the AI Office are required to coordinate, exchange views regularly, and take account of any fines already imposed on the same company for the same conduct, so that the combined penalties remain proportionate and do not amount to double punishment for the same infringement.

Outside this narrower platform-related category, national market surveillance authorities retain a role. Where a national authority has well-founded reasons to suspect that a provider or deployer of an AI system under the AI Office’s exclusive competence has breached the AI Act, it may ask the AI Office, through a designated national contact point, to investigate. The AI Office must tell that authority within four months whether it intends to act, and keep it informed of major developments and the eventual outcome.

The recitals acknowledge that taking on this expanded role will require the AI Office to be adequately staffed and resourced. Whether the Commission allocates sufficient capacity for the AI Office to supervise both general-purpose AI models and large platforms is an operational question that will only become clear as implementation proceeds, rather than one resolved by the legislation itself.

New ban on AI-generated intimate imagery and child sexual abuse material

image

The Digital Omnibus amends Article 5 of the AI Act, which lists AI practices that are prohibited outright. It adds a prohibition against placing on the market, putting into service, or using AI systems that generate or manipulate realistic images, video or audio of an identifiable person’s intimate parts, or of that person engaged in sexually explicit activity, without that person’s free, specific, informed and unambiguous consent. It adds a parallel prohibition covering AI systems that generate or manipulate child sexual abuse material, subject to a narrow exception for activities that are lawful under national law, such as material generated by law enforcement authorities for the purposes of criminal investigation.

For providers, the prohibition applies in two situations: where generating or manipulating such material is the system’s intended purpose, or where that outcome is a reasonably foreseeable and reproducible result of the system’s design and the provider has not put in place reasonable and adequate safeguards, such as content filtering or abuse-detection mechanisms, to prevent it. For deployers, the prohibition applies only where the AI system is actually used for that purpose, meaning the ordinary use of a lawful system for unrelated purposes is not covered, nor is accidental generation of such content.

The prohibited material is defined narrowly. It covers realistic depictions, meaning a person’s face, voice or body shown in a credible, real-life manner, and specifically named intimate parts or depictions of sexually explicit activity. Cartoonish or physically impossible depictions fall outside the prohibition, as does content generated with the depicted person’s consent, non-realistic artistic nude work that does not depict an identifiable person, and legitimate medical applications such as anatomical simulations. Simple enhancements to existing images, such as adjusting brightness or adding a caption, are not treated as prohibited manipulation unless they increase the level of nudity or explicitness shown. Companies have to ensure that their systems comply with these rules by 2 December 2026.

Other simplification measures

The Digital Omnibus extends several compliance simplifications that previously applied only to small and medium-sized enterprises to a new category of small mid-cap enterprises, companies that have outgrown the SME definition but remain much smaller than large corporations. It also gives all SMEs, including start-ups, the option to comply with parts of the AI Act’s quality management system requirements in a simplified way, an option previously limited to microenterprises.

The deadline for each member state to have at least one operational national AI regulatory sandbox, a controlled environment in which providers can test AI systems under regulatory supervision, has been extended to 2 August 2027. The same provisions allow the AI Office itself to set up an EU-level sandbox for AI systems that fall under its exclusive competence, with priority access for SMEs, start-ups and small mid-cap enterprises, operating alongside, and not instead of, national sandboxes.

A further change moves the EU machinery regulation from one section of the AI Act’s product-safety annex to another, shifting AI-enabled machinery towards a more sector-specific approach. Under the new arrangement, the Commission must adopt delegated acts by 2 August 2028 incorporating the AI Act’s health and safety requirements directly into the machinery regulation, rather than requiring manufacturers to apply both frameworks in parallel.

Data protection authorities raise fundamental rights concerns

 Guitar, Musical Instrument, Accessories, Diamond, Gemstone, Jewelry

Before the political agreement was reached, the European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the Commission’s initial proposal. The two authorities said they supported the general aim of addressing implementation issues, but raised concerns that several measures could weaken human rights protections built into the AI Act. They warned that extending the legacy systems exception would allow more high-risk AI systems to reach the market without being subject to the Act’s safeguards and urged the co-legislators to keep any delay to transparency obligations as short as possible.

The two authorities also opposed the Commission’s original plan to remove the registration obligation for providers who conclude that their Annex III systems are not high-risk, arguing that this would weaken accountability and make it harder for market surveillance authorities to respond quickly to problem systems. That registration obligation was retained, in a streamlined form, in the Digital Omnibus as finally approved in June. As set out above, the authorities’ recommendation to apply a strict necessity standard to the processing of sensitive data for bias correction was also reflected in the final version of the Digital Omnibus.

Not all of the authorities’ recommendations were taken on board in the same way. Their broader concern, that postponing obligations for high-risk AI systems may leave fundamental rights protections unenforced for longer in a fast-moving technological area, remains a live point of disagreement between the co-legislators and civil society groups, as discussed further below.

Reactions: competitiveness framing meets rights concerns

 Astronomy, Outer Space

Council and Parliament negotiators presented the changes as a way to make the AI Act more workable without altering its underlying risk-based structure. Co-rapporteur Arba Kokalari said the agreement showed that politics can move just as quickly as technology, linking the simplification to the Commission’s broader competitiveness agenda. Co-rapporteur Michael McNamara said the deal combined simplification measures with new safeguards against nudification apps and AI-generated child sexual abuse material.

Civil society organisations took a more critical view of the overall direction of the package. The digital rights group Liberties argued that the final agreement weakens several safeguards contained in the original AI Act, and described the postponement of high-risk obligations as a delay to fundamental rights protections that were due to take effect in August 2026.

Industry associations generally welcomed the changes. DIGITALEUROPE, which had been among the most vocal critics of the AI Act’s original compliance costs and timeline, broadly supported the direction of the simplification package, while continuing to call for further alignment between the AI Act and other overlapping EU digital rules.

What happens next

The Digital Omnibus on AI will enter into force once it is published in the Official Journal of the European Union. Until then, the AI Act’s original provisions and timeline remain legally in force, including the prohibitions on unacceptable AI practices and the obligations applicable to general-purpose AI models that have applied since August 2025.

A separate Commission exercise, the Digital Fitness Check, is expected to examine the DSA and the wider digital rulebook directly, with a report on its findings due in the first quarter of 2027 according to legal commentary on the process. That exercise, rather than the AI Omnibus itself, is where the more direct question of simplifying the DSA is likely to be decided and where the institutional link now established between the AI Office and DSA-regulated platforms may be revisited.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Nobel laureates call for urgent AI economic planning

Sixteen Nobel laureates have joined leading economists and AI researchers in calling for urgent preparation for the economic changes that more powerful AI systems could trigger.

The statement, titled We Must Act Now: A Statement on AI’s Transformation of the Economy, was released by the Stanford Digital Economy Lab.

It was organised by economists Erik Brynjolfsson, Ajay Agrawal, Anton Korinek and Tom Cunningham, and has been signed by more than 200 experts.

The statement warns that AI may become radically more powerful over the next decade, potentially driving an economic transformation larger than the Industrial Revolution but unfolding over a much shorter period.

The signatories say AI could bring major gains in living standards, but also risks, including large-scale job displacement.

They argue that economists, policymakers and technology leaders must act now to understand these impacts and prepare society for the transition.

The statement calls for incentives, guardrails and institutions that steer AI towards complementing human labour and benefiting society.

Its authors stress that the economic outcome of AI is not predetermined and will depend on choices made by governments, companies and researchers.

Why does it matter?

The statement adds weight to the debate over AI’s economic impact because it brings together Nobel laureates, economists, AI researchers and technology leaders around a common warning: societies may have far less time to adapt to AI than they had during earlier technological shifts. Its central message is not that job displacement is inevitable, but that policy choices made now will shape whether AI raises living standards broadly or concentrates economic power and leaves many workers behind.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

UK MPs call for clearer sovereign AI strategy

UK MPs have called on the government to set out a clearer strategy for building sovereign AI and other critical technology capabilities.

A new report from the Science, Innovation and Technology Committee warns that the UK may not be able to rely on allies for access to technologies essential to economic growth and national security.

The committee said the government has not clearly defined what sovereign capability means, how it should be measured or what success would look like.

MPs also criticised the absence of a coherent strategic framework for using the UK’s scientific research and institutions to support wider diplomatic and economic goals.

Instead, the report says the government has taken an opportunistic approach to international science and technology agreements, risking substituting activity for strategy.

AI is identified as a central arena for global competition and collaboration.

The committee said recent US restrictions on access to advanced AI models show how reliance on partners can leave the UK exposed if access to critical technologies changes suddenly.

MPs called on the government to define sovereign capability in key technology areas, identify critical supply-chain dependencies and use those assessments to guide investment, procurement and research funding.

The report also warned that the UK continues to struggle to turn world-class research into large domestic technology companies, with many promising firms forced to scale overseas.

It called for targeted investment, stronger public procurement and later-stage funding to help commercialise homegrown innovation in strategic sectors.

Why does it matter?

The report places sovereign AI inside a wider debate about technology dependence, national security and economic resilience. AI capability increasingly depends on access to compute, models, talent, data, infrastructure and supply chains that foreign governments or companies may control. The committee warns that the UK cannot treat partnerships as a substitute for strategy. It needs to decide which capabilities it must own, where it should collaborate and where reliable access is enough.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Google open-sources k8s-aibom to detect shadow AI

Google has open-sourced k8s-aibom, a lightweight Kubernetes controller designed to detect unregistered AI workloads and generate standardised inventories of the AI models, runtimes and frameworks operating inside a cluster.

The tool targets shadow AI: workloads deployed by developers without formal registration or integration with an organisation’s security and governance systems. Such deployments can evade conventional security scanners, particularly where organisations avoid privileged agents, kernel-level access or manual changes to Kubernetes workloads.

Google says k8s-aibom addresses that gap by continuously monitoring Kubernetes APIs and container environments. It detects running AI components and generates CycloneDX 1.6 Machine Learning Bills of Materials (ML-BOMs) based on what is actually executing, rather than what was intended during the build process.

The controller runs as a single unprivileged deployment in the k8s-aibom-system namespace. It does not require sidecars, eBPF modules, privileged DaemonSets or modifications to developers’ continuous integration and deployment pipelines.

The controller monitors KServe resources, deployments, StatefulSets, DaemonSets and jobs across a cluster. It then analyses container images, environment variables and command-line arguments to identify different categories of AI workloads.

Supported systems include inference runtimes such as vLLM, Triton Inference Server, TGI, and Ollama; agent frameworks including LangChain, AutoGen, and CrewAI; retrieval and vector database tools such as Milvus, Qdrant, and pgvector; and distributed training and evaluation workloads.

Once identified, the components are compiled into CycloneDX ML-BOM documents. These records can be stored as Kubernetes custom resources or exported to destinations including Google Cloud Storage and webhook endpoints.

Google also designed the tool to produce identical ML-BOM documents when given identical cluster inputs. This deterministic behaviour is intended to support GitOps workflows, allowing security and reliability teams to compare records and identify changes when AI dependencies drift.

Unlike build-time scanners, which document what organisations intended to deploy, k8s-aibom observes live clusters to identify which AI systems are actually running, how they are connected and how those findings were established.

A confidence model separates detected components into three categories. Declared assets are explicitly specified in workload configurations, inferred assets are identified through runtime patterns, and unresolved assets indicate that an AI presence was detected but the precise model, version, or weights could not be established.

Unresolved findings can therefore be prioritised for further security review, while declared and inferred classifications help auditors distinguish documented engineering intent from conclusions reached by the controller.

Google says the controller follows least-privilege principles and can export records using a dedicated identity with permission to create objects in Cloud Storage. Creation preconditions can prevent existing ML-BOM records from being silently overwritten, strengthening the historical evidence available to security and compliance teams.

Google also positions k8s-aibom as a tool for regulatory and standards compliance. Runtime inventories could help organisations gather evidence relevant to the EU AI Act, the NIST AI Risk Management Framework and ISO/IEC 42001 requirements for AI asset management.

Why does it matter?

Shadow AI has become a growing governance challenge as developers deploy AI tools outside formal security and compliance processes. Without visibility into what is actually running in production, organisations may struggle to assess risk, investigate incidents or demonstrate regulatory compliance.

By generating inventories of live AI workloads rather than relying solely on build-time records, k8s-aibom could help organisations improve AI governance while supporting audits, security operations and compliance with emerging AI standards and regulations.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

WHO and Portugal to host global AI health conference

WHO/Europe and the Government of Portugal will co-host a global high-level conference on AI in health on 15 and 16 July 2026 in Lisbon.

The event will bring together senior government officials, regulators, clinicians, civil society, multilateral organisations, academics and industry representatives.

The conference aims to turn political commitment to AI in health into coordinated, practical and equity-oriented action.

Discussions will focus on where AI is already delivering value in health and care, how successful approaches can be scaled, and how countries can avoid common implementation failures.

Key themes include governance and strategic leadership, legal and ethical frameworks, accountability, liability, risk management, data governance, digital infrastructure and interoperability.

Participants will also examine workforce preparedness, institutional capacity, sustainable implementation models and responsible AI investment.

WHO said the discussions are designed to support countries at different levels of digital maturity and health-system capacity.

The conference is anchored in WHO’s global and regional priorities, including the need for resilient, data-driven health systems and responsible AI adoption grounded in equity, human rights, interoperability and institutional capacity.

Why does it matter?

AI in health can support diagnostics, service delivery, system planning and patient care, but unsafe or poorly governed deployment can create risks around bias, liability, privacy, interoperability and accountability. WHO/Portugal conference matters because it focuses on implementation rather than principles alone. Its agenda highlights the practical conditions countries need before scaling AI in health: strong governance, usable data infrastructure, prepared workforces, clear legal frameworks and sustainable investment.

Meta expands Louisiana AI data centre with $50 billion investment

Meta has announced plans to expand its data centre in Richland Parish, Louisiana, increasing the site’s AI computing capacity to 5 GW as part of the company’s broader investment in AI infrastructure. Meta said the expansion represents an investment of more than $50 billion and will support more than 1,000 permanent jobs once the facility becomes operational.

According to Meta, the project includes more than $1 billion in local infrastructure improvements, covering roads, water and wastewater systems. The company also said it has awarded more than $1.6 billion in contracts to Louisiana businesses since construction began in 2024.

The project also includes workforce development initiatives. Meta has committed $5 million to Louisiana Delta Community College for scholarships and training programmes related to data centre employment, while continuing to support local schools, businesses and community initiatives through grants and skills programmes.

Meta said the expanded campus forms part of its wider investment in AI infrastructure across the United States as demand for computing capacity continues to grow.

Why does it matter?

The expansion reflects the rapid growth in demand for AI computing infrastructure as technology companies invest heavily in data centres capable of training and running increasingly advanced AI models. Access to large-scale computing power is becoming a key competitive advantage in the AI industry.

The project also illustrates the broader economic impact of AI infrastructure investments. Beyond computing capacity, hyperscale data centres require significant spending on energy, water, transport and workforce development, making them increasingly important drivers of regional economic development.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU expands cybersecurity and resilience support for Armenia

The Council of the EU has officially launched the EU Partnership Mission in Armenia (EUPM Armenia), a new civilian mission under the Common Security and Defence Policy (CSDP) that will help strengthen the country’s resilience against hybrid threats, including cyberattacks and disinformation.

The advisory mission, established in April 2026 at the request of the Armenian government, will initially operate for two years.

EUPM Armenia will provide strategic advice, technical expertise and institutional capacity-building in areas including cybersecurity, foreign information manipulation and interference (FIMI), and illicit financial flows.

The mission will also establish a dedicated project cell to deliver targeted assistance while promoting a whole-of-government approach to tackling hybrid threats. The Council stressed that the mission is advisory in nature and will not participate in Armenia’s national decision-making.

According to the Council, the mission forms part of the EU’s broader strategy to strengthen Armenia’s resilience, democratic institutions and security capabilities while fully respecting the country’s sovereignty and ownership.

The mission follows the adoption of the EU-Armenia Strategic Agenda in December 2025, which identified countering hybrid threats and disinformation as key priorities for bilateral cooperation. Cosmin George Dinescu has been appointed Head of Mission.

EU High Representative Kaja Kallas described the deployment as part of a broader package of political and economic support for Armenia. She said the mission would help strengthen Armenia’s ability to respond to cyber threats, disinformation and illicit financial flows while increasing its resilience to external pressure.

Why does it matter?

The launch of EUPM Armenia reflects the EU’s growing focus on civilian security and resilience alongside traditional defence cooperation. By providing expertise on cybersecurity, disinformation and institutional resilience rather than military assistance, the mission illustrates how the EU is increasingly addressing hybrid threats through governance, capacity-building and technical cooperation.

The mission also highlights the expanding role of cybersecurity and information resilience in international partnerships. As hybrid threats become more sophisticated, governments are placing greater emphasis on strengthening institutions and public-sector capabilities before crises emerge rather than responding after attacks occur.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

ENISA introduces cybersecurity assessment tool for SMEs

The European Union Agency for Cybersecurity (ENISA) has introduced a Cyber Resilience Maturity Assessment Model to help micro, small and medium-sized enterprises (SMEs) strengthen cybersecurity and prepare for the EU’s Cyber Resilience Act (CRA). The framework offers a structured way for organisations to assess their current cyber resilience, identify weaknesses and improve product security over time.

Designed primarily for manufacturers of products with digital elements, the framework provides a structured way for organisations to assess their cyber resilience, identify weaknesses and improve product security over time. It evaluates five areas, such as governance, risk management, vulnerability management, product lifecycle management and cybersecurity skills.

Businesses are classified as having basic, intermediate or advanced cybersecurity maturity. A downloadable assessment tool allows organisations to track progress through repeated self-assessments, although ENISA notes that achieving a higher maturity level does not replace compliance with the CRA.

Alongside the framework, ENISA published the results of a survey of 194 organisations across 31 countries. While 66% of respondents were aware of the CRA, many said they had only a limited understanding of its practical requirements. Medium-sized companies generally demonstrated stronger cybersecurity maturity than micro-enterprises, with incident response and product lifecycle management emerging as the weakest areas.

More than 70% of SMEs said they needed practical support, including technical guidance and secure development templates. Respondents also cited limited budgets, staff and time as major barriers to compliance, prompting ENISA to recommend targeted guidance, financial support and stronger outreach to smaller businesses.

Why does it matter?

SMEs make up a large share of Europe’s digital economy and supply chains, yet many lack the resources needed to meet increasingly demanding cybersecurity requirements. ENISA’s maturity model gives organisations a practical way to assess their readiness, strengthen product security and prepare for compliance with the Cyber Resilience Act.

The findings also highlight that regulation alone is unlikely to improve cybersecurity. Smaller businesses will need practical guidance, technical support and investment to meet new standards, making implementation as important as the legislation itself.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Saudi Arabia launches AI tool for national data insights

Saudi Arabia’s Ministry of Economy and Planning has launched the beta version of INSAIGHTS, an agentic AI tool integrated into the Data Saudi Platform. The system is designed to improve how users access, analyse, and interact with national economic and social data.

INSAIGHTS allows users to convert questions into instant insights and analytics by drawing on more than 7,500 indicators available through the platform. The tool aims to support decision-makers, researchers, analysts and the public with faster access to reliable information for data-driven decisions.

The launch forms part of Saudi Arabia’s wider digital transformation agenda under Vision 2030 and the National Transformation Program. The Ministry plans to continue expanding the tool’s capabilities while using emerging technologies to improve transparency, innovation and user experiences across its digital ecosystem.

Why does it matter?

The INSAIGHTS highlights Saudi Arabia’s growing focus on AI as a tool to improve public data accessibility and strengthen evidence-based decision-making. By combining AI capabilities with extensive national datasets, the platform could help organisations and individuals extract insights more efficiently.

The initiative also demonstrates how governments are increasingly adopting agentic AI systems to enhance digital services and economic planning. As the technology develops, platforms like INSAIGHTS may become important models for using AI to improve transparency, research capabilities and public-sector innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Malaysia launches consultations on AI Governance Bill

Malaysia’s Ministry of Digital has launched public engagement sessions on its proposed AI Governance Bill, marking the next step towards establishing the country’s first dedicated legal framework for AI governance.

The sessions, organised by the National AI Office throughout July 2026, aim to explain the proposed framework, encourage dialogue and gather feedback from government agencies, industry, businesses, academia and the public.

According to the Ministry, the AI Governance Bill will become Malaysia’s first horizontal legal framework dedicated specifically to AI governance. It is intended to establish common principles that complement existing legislation and create a more coherent governance framework across sectors.

The proposed legislation adopts a risk-based approach, recognising that AI-related risks can arise throughout a system’s lifecycle. Governance responsibilities would be allocated according to the roles and level of control exercised by different parties.

The Ministry also highlighted incident reporting, appropriate safeguards and regulatory sandboxes as key mechanisms for supporting responsible innovation and strengthening public trust.

Digital Minister Gobind Singh Deo told Parliament on 24 June that the bill would not regulate AI-generated content directly. Existing laws and regulatory frameworks would continue to govern illegal content.

A nationwide consultation through the Unified Public Consultation portal was expected to begin on 10 July 2026, providing another channel for individuals, businesses and organisations to submit feedback before the legislation is finalised.

The Ministry said the process is intended to be transparent, inclusive and consultative, supporting Malaysia’s ambition to become a trusted and globally competitive AI hub under the Towards an AI Nation 2030 roadmap.

Why does it matter?

The proposed AI Governance Bill would provide Malaysia with a single legal framework for AI governance rather than relying on sector-specific rules. By combining a risk-based approach with regulatory sandboxes, incident reporting and public consultation, the government is seeking to balance innovation with legal certainty and public trust.

The initiative also reflects a broader regional trend, with governments across Asia increasingly introducing dedicated AI governance frameworks to support investment while preparing for the safe deployment of increasingly capable AI systems.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!