With 2 August 2026 just weeks away, Article 50 of the EU AI Act imposes transparency obligations on a far broader range of organisations than most businesses realise. The article covers four distinct situations: AI systems that interact directly with users; AI that generates synthetic content; emotion recognition and biometric categorisation systems; and deepfakes or AI-generated text published in the public interest.
Article 50 is not limited to high-risk AI. Any organisation that uses generative AI to produce content, runs a customer-facing chatbot, or deploys emotion recognition technology falls within scope, regardless of where the company is based, provided it operates in the EU market.
• Article 50 transparency obligations apply from 2 August 2026. The machine-readable marking requirement for synthetic content under Article 50(2) has been deferred to 2 December 2026 for generative AI systems already on the market.
• Four distinct obligations apply: chatbot disclosure, synthetic content marking, emotion recognition notice, and deepfake and AI-text labelling.
• The obligations fall on providers (those who build AI systems) and deployers (those who put them to use), and sometimes on both.
• Penalties for non-compliance reach €15 million or 3% of global annual turnover, whichever is higher.
• Exemptions exist for law enforcement purposes, with a limited carve-out for deepfake content in artistic or satirical works.
Article 50 of Chapter IV of the EU AI Act establishes transparency rules for certain AI systems. The core requirement is that people interacting with AI, or consuming AI-generated content, should know they are doing so.
The obligations here are distinct from Chapter III, which governs high-risk AI. A business with no high-risk AI systems may still face significant Article 50 obligations. AI transparency requirements now extend across the full range of AI deployments, from customer service chatbots to content generation tools.
According to compliance data gathered by the Future of Life Institute’s AI Act Compliance Checker, transparency obligations are the second most common compliance trigger across all types of organisations, after AI literacy requirements, affecting around 33% of respondents assessed.
A provider is an entity that develops or markets an AI system, typically the company that builds or trains it. A deployer is an entity that puts an AI system to use for a specific purpose, often an organisation that has licensed or adopted an AI product built by someone else.
Under Article 50(1) and 50(2), the obligation rests primarily with providers: they must build disclosure and marking mechanisms into the system before it reaches users. Under Article 50(3) and 50(4), the obligation rests with deployers: they must inform individuals when they deploy emotion recognition systems or when they publish AI-generated deepfake or public-interest content.
In practice, many organisations act as both provider and deployer, depending on which part of their AI portfolio is under examination.
Under Article 50(1), providers of AI systems intended to interact directly with natural persons must design them so users know they are communicating with AI. The disclosure must happen at the start of the interaction.
This covers chatbots, virtual assistants, and automated phone systems. The Commission’s draft Guidelines confirm that AI agents, autonomous AI systems that carry out tasks on behalf of users, also fall within this provision.
The exception is narrow. It applies only where it is “obvious from the point of view of a reasonably well-informed, observant and circumspect natural person” that they are dealing with AI. Businesses should not rely on this exception without careful analysis. A chatbot operating under a human-sounding name without any indication it is automated will not meet the threshold.
There is also an exception for AI systems lawfully authorised to detect, prevent, investigate, or prosecute criminal offences, unless those systems are available for public use.
Providers of AI systems that generate synthetic audio, images, videos, or text must mark their outputs in a machine-readable format and ensure they are detectable as artificially generated or manipulated.
This is a technical, provenance-based obligation. Machine-readable marking enables detection tools to verify whether content is AI-generated, even after it has circulated widely. A visible label alone is not sufficient to comply.
Technical standards for this marking are being developed through the Code of Practice on AI-generated content and parallel EU standardisation work. A standardised EU label, a visual “AI” mark (localised as “KI” in German, “IA” in French, and so on), is currently under development.
One exception: where the AI system performs only an assistive function for standard editing, such as grammar correction, and does not substantially alter the content or its meaning, the marking obligation does not apply.
Under Article 50(3), deployers that use AI systems to recognise people’s emotions or categorise them biometrically must inform the individuals subject to those systems.
This applies in contexts such as customer sentiment analysis, retail behaviour analytics, and certain HR technology applications. Deployers must first check whether their use case is prohibited under Article 5 of the AI Act, which bans emotion recognition in workplaces and educational institutions. Where use is permitted, the disclosure requirements in Article 50(3) apply.
Processing under these systems must also comply with GDPR and applicable data protection rules, Regulation 2018/1725 for EU institutions, and Directive 2016/680 for law enforcement contexts.
Article 50(4) imposes two separate obligations on deployers.
Deepfakes: Deployers using AI to create or manipulate image, audio, or video content that resembles real persons, places, or events and would falsely appear authentic must disclose that the content has been artificially generated or manipulated. The definition of “deepfake” in Article 3(60) excludes clearly fantastical content: AI-generated imagery of dragons or physically impossible scenarios falls outside its scope.
Where deepfake content forms part of an artistic, creative, satirical, or fictional work, the disclosure obligation is reduced. The deployer must still disclose the existence of AI-generated content, but may do so “in an appropriate manner that does not hamper the display or enjoyment of the work.” This exception is more limited than it appears: the disclosure requirement remains, with only the form of disclosure given flexibility.
AI-generated text published in the public interest: Where deployers publish AI-generated or manipulated text to inform the public on matters of public interest, they must disclose that the text is AI-generated. This covers news publishers, government communications, and any organisation producing AI text with an informational public purpose.
There is a carve-out: the disclosure obligation does not apply where the AI-generated content has gone through substantive human review and a natural or legal person holds editorial responsibility for the publication. Cursory review or brief approval by a staff member is not enough. The human review must be genuine and editorial responsibility must be clearly held.
Article 50(5) provides that the information required under paragraphs 1 to 4 must be given at the latest at the time of the first interaction or exposure. For a chatbot, this means before or at the very start of the conversation. For AI-generated audio or video, this means at the beginning of the content.
The disclosure must be clear and distinguishable. It cannot be buried in the terms and conditions, placed in small text in a website footer, or shown only as a brief flash label. In sensitive contexts, a single disclosure at first interaction may not be sufficient and may need to be repeated.
All four paragraphs of Article 50 include a carve-out for AI systems lawfully authorised to detect, prevent, investigate, or prosecute criminal offences, provided those systems are not made available for public use.
For Article 50(4) deepfake content, there is the limited artistic and satirical carve-out described above. Disclosure is still required, but the form can be adapted to fit the creative context.
For Article 50(4) AI-generated public interest text, the human editorial review carve-out applies where the review is substantive and editorial responsibility is clearly and formally assigned.
Article 99(4)(g) of the EU AI Act places Article 50 transparency obligations under the second tier of the penalty framework. Non-compliance can result in fines of up to €15,000,000 or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher.
For SMEs and start-ups, the fine is capped at the lower of the percentage or the absolute amount.
The penalties framework becomes operative on 2 August 2026, the same date Article 50 comes into force.
The AI Omnibus, a provisional agreement reached in May 2026 amending the AI Act, defers the machine-readable marking requirement under Article 50(2) for generative AI systems already on the market before 2 August 2026.
Those systems have until 2 December 2026 to comply with the marking requirement. All other Article 50 obligations remain in force from 2 August 2026 without deferral: chatbot disclosure under Art 50(1), emotion recognition notice under Art 50(3), and deepfake and AI-text disclosure under Art 50(4).
Generative AI systems launched after 2 August 2026 must meet the marking requirement from the date they go live and cannot rely on the transitional period.
Providers of chatbots and virtual assistants should review their current user interfaces and confirm that AI disclosure is clearly presented at the start of every interaction. An AI system operating under a human name without any disclosure will not satisfy Article 50(1).
Providers of generative AI systems should assess current technical capacity for machine-readable output marking and track the Code of Practice and EU standardisation work. The December 2026 deferral covers existing systems only.
Deployers of emotion recognition or biometric categorisation systems should first screen each use case against Article 5 prohibitions, then design clear notice mechanisms for individuals who are exposed, and review how personal data processing meets GDPR obligations.
Deployers publishing AI-generated content should map which outputs are intended to inform the public. For deepfake content, plan disclosure from the outset. For AI-generated text, determine whether you can rely on the human editorial review carve-out, and document the review process carefully if you do.
Engaging a Data Protection Officer or AI compliance specialist at this stage helps organisations identify gaps and establish defensible processes before enforcement begins.
Article 50 places disclosure obligations on a wide range of organisations, not just those running high-risk AI. Any business using a chatbot, producing AI-generated content, deploying emotion recognition, or publishing AI-written text with a public purpose should be reviewing compliance now.
The deadline of 2 August 2026 leaves very little time. The remaining weeks are best used reviewing disclosure mechanisms, documenting editorial review processes, and checking supplier contracts to confirm that vendors will meet their own obligations under the Act.
Yes. The EU AI Act applies to providers and deployers of AI systems operating in the EU market, regardless of where the organisation is based. A company headquartered outside the EU that runs a chatbot available to EU users falls within the scope of Article 50(1).
Article 3(60) of the AI Act defines a deepfake as AI-generated or manipulated image, audio, or video content that resembles existing persons, objects, places, or events and would appear to be authentic or truthful. The definition does not extend to clearly fantastical content. AI imagery of physically impossible scenarios or fictional creatures falls outside the scope of the provision.
The carve-out applies only where human review is substantive and a named natural or legal person holds clear editorial responsibility for the publication. Cursory approval or content that has merely been read once by a staff member is unlikely to meet the standard. Organisations relying on this exception should document the review process carefully and ensure editorial responsibility is formally assigned.
The two frameworks run in parallel. Article 50(3) explicitly requires that deployments of emotion recognition and biometric categorisation comply with the GDPR, Regulation 2018/1725, and Directive 2016/680. The AI Act does not replace GDPR obligations: both apply simultaneously. Compliance with one does not guarantee compliance with the other.
Under the AI Omnibus provisional agreement of May 2026, generative AI systems already on the market before 2 August 2026 have until 2 December 2026 to comply with the machine-readable marking requirement set out in Article 50(2). All other Article 50 obligations apply from 2 August 2026 without a transitional period.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.