Digital Omnibus: European Parliament Approves. What Changes for Italian SMEs

On 16 June 2026 the European Parliament approved the Digital Omnibus with 423 votes in favour, 57 against and 174 abstentions. It is not yet binding law — the Council's formal adoption and publication in the Official Journal are still pending — but the political consensus is settled. For Italian SMEs, the most significant change is the revised compliance timeline.

We have followed this package step by step: first with the analysis of the Omnibus simplification package, then with the provisional political agreement of 7 May 2026. The plenary vote now closes the parliamentary phase. This article explains what was approved, what still needs to happen, and — above all — what changes operationally.

What the European Parliament Voted On

The 16 June vote adopted compromise amendment 118; no other amendments were adopted. Parliament's position therefore reflects the interinstitutional agreement already reached in trilogue, under Art. 294 TFEU. The vote count — 423 for, 57 against, 174 abstentions — reflects a less compact political consensus than the negotiating mandate, but sufficient.

The text amends Regulation (EU) 2024/1689 (AI Act) along three main axes:

• New prohibitions under Art. 5: explicit ban on AI systems intended or used to create or manipulate non-consensual intimate content ("nudifying tools") and AI-assisted creation of child sexual abuse material (CSAM). The prohibition targets the system's function; the regulation of content distribution also falls under other legal frameworks (DSA, national criminal law).
• AI literacy (Art. 4): the Digital Omnibus replaces the obligation to "ensure" a specific individual literacy level with the duty to "adopt measures to support the development of AI literacy" — a proportionate, organisational approach more workable for SMEs.
• AI Office powers: expanded supervisory competences for the European AI Office, particularly over GPAI (general-purpose AI) models and high-risk system providers.

What Still Needs to Happen Before It Becomes Law

Parliamentary approval is a fundamental but not final step. Before the Digital Omnibus enters into force, three phases must be completed:

1. Formal Council adoption: the Council of the European Union must adopt the text in the same version approved by Parliament. No new negotiation is required, but the formal procedure has its administrative timelines.
2. Signatures by the Presidents: the text is jointly signed by the Presidents of the European Parliament and the Council.
3. Publication in the EU Official Journal: only from the date of OJ publication does the regulation enter into force and application deadlines begin to run.

Until that point, Regulation (EU) 2024/1689 remains unchanged in its original dates. Companies that organised themselves for August 2026 made the right call — and if the Digital Omnibus encounters delays in formal adoption, those deadlines would remain operative.

The New Deadline Map (Once the Digital Omnibus Is in Force)

Assuming the Council adopts the text and the OJ publishes within expected timelines, the Digital Omnibus reshapes the AI Act calendar as follows:

Compared to the original calendar, the most significant shift for service-sector SMEs concerns Annex III systems: from August 2026 to December 2027, giving 16 additional months to complete system inventory, technical documentation, human oversight designation, and log retention setup.

The Detail Many SMEs Overlook: New Art. 5 Prohibitions

The Digital Omnibus does not only shift deadlines. It adds two new categories of prohibited AI practices. The first covers systems that generate, modify, or distribute intimate non-consensual images, videos or audio of identifiable persons — so-called NCII (Non-Consensual Intimate Imagery). The second prohibits AI systems used to produce or distribute CSAM (Child Sexual Abuse Material).

These new prohibitions apply from 2 December 2026 — they do not slide to 2027. For most SMEs this is not a deadline that affects internal systems. It becomes relevant for:

• Generative content platforms that allow the creation of realistic images of real people — they must verify that systems in use cannot produce such output.
• Image/video generation API providers — they must update terms of service and content filtering mechanisms.
• Deployers of avatar or voice synthesis systems — the risk assessment must include the possibility of abusive use.

What to Do Now — Recommended Operational Stance

The window between parliamentary approval and formal Council adoption is a planning opportunity, not a pause. SMEs that were racing towards August 2026 can now manage compliance with more breathing room, but the preparatory work remains the same.

Priority actions to complete before end of 2026:

1. AI system inventory: complete or update the mapping of all AI systems purchased or in use, with classification against Annexes I and III. This is not a one-shot task — the SaaS market evolves rapidly and the catalogue must be kept current.
2. Vendor checks on Art. 50(2) (machine-readable labelling): the Digital Omnibus moves to 2 December 2026 the obligation for providers to ensure that generative systems produce machine-readable labelled output. If you use image generation, text synthesis, or voice synthesis tools facing end users, verify that your vendor has implemented this. Other Art. 50 obligations follow the original AI Act calendar.
3. Notice updates for interactive systems: if your website uses chatbots or AI assistants, update end-user notices (Art. 50(1)). This obligation was not deferred by the Digital Omnibus — it applies from 2 August 2026.
4. AI literacy programme (Art. 4): the Digital Omnibus reframes the obligation — from "ensuring" individual competencies to "adopting measures" to support their development. The approach is organisational: map AI systems in use, classify users by role and risk, define acceptable-use policies, run differentiated training paths, and document evidence. This cannot be improvised close to a deadline.
5. SaaS vendor contracts: even though the Annex III deadline moves to 2027, contracts with vendors should be updated now, while your negotiating position is stronger. Request compliance clauses and disclosure of technical documentation before renewal.

Sanctions: Ceilings Unchanged, but AI Office Gains Stronger Powers

The general ceilings of Art. 99 remain unchanged from the original AI Act:

• Prohibited practices (Art. 5): up to €35M or 7% of global turnover
• High-risk / deployer obligations: up to €15M or 3%
• False information to authorities: up to €7.5M or 1%

For SMEs, the lower of the absolute ceiling and the percentage threshold applies (Art. 99(6)). The Digital Omnibus does, however, strengthen the AI Office's powers to issue measures, information requests, inspections and sanctions for entities within its jurisdiction — particularly GPAI model providers and systems linked to large-scale platforms. At national level, Law 132/2025 designated AgID and ACN within Italy's AI governance framework; the practical operativity of enforcement powers should be monitored pending the adoption of implementing decrees.

Sources

• European Parliament — AI Act: EP approves simplification measures and nudifier app ban (16 June 2026)
• Council of the EU — ST-10599-2026-INIT: note on Parliament's first-reading position (17 June 2026)
• NicFab — Digital Omnibus on AI: European Parliament approves the agreed text (16 June 2026)
• Regulation (EU) 2024/1689 — AI Act, official EUR-Lex text
• Art. 5 AI Act — prohibited practices (annotated)
• Art. 50 AI Act — transparency obligations
• Legge 132/2025 — AI Resources (sistema nazionale di governance)
• Colombo — Digital Omnibus AI: the new Art. 4 on AI literacy and corporate training (LinkedIn Pulse)