Article 50 of the EU AI Act takes effect August 2, 2026 — less than a month away. If your organization deploys chatbots, generates synthetic images or video, uses emotion recognition systems, or publishes AI-generated content about public figures or current events, you have binding transparency obligations under EU law that apply from that date. The Code of Practice that creates a presumption of regulatory conformity has a signatory deadline of July 22, 2026 — eleven days before enforcement begins.
Your company uses a customer-service chatbot. Your marketing team generates product images and ad copy using generative AI. Your HR platform uses a tool that categorizes candidate affect in video interviews. Your social media team produces synthetic video content featuring public figures. Each of these scenarios maps to a specific Article 50 obligation, and the provider or deployer responsible for compliance is not always who you expect.
Key Takeaways
- Article 50 creates four distinct transparency obligations; providers bear responsibility for obligations 1 and 2, deployers bear responsibility for obligations 3 and 4. The provider/deployer split matters — the compliance action required differs by role.
- The European Commission published the Article 50 Code of Practice on June 10, 2026. Organizations that sign by July 22 are included on the initial signatory list published before enforcement begins, securing a presumption of conformity that shifts the evidentiary burden to regulators.
- Generative AI systems already on the EU market before August 2, 2026 have until December 2, 2026 to meet the machine-readable marking requirement under Article 50(2) — but the chatbot disclosure obligation under Article 50(1) applies from August 2 for all systems.
The Four Article 50 Obligations
One aspect that catches non-EU organizations off guard: Article 50 has genuine extraterritorial reach. Under Article 2(1) of the Regulation, providers established outside the EU whose AI systems are placed on the EU market, or whose systems' outputs are used in the EU, fall within scope. A US-based generative AI provider whose image or video generation tool is used by EU businesses must implement machine-readable marking. A non-EU chatbot provider whose system is deployed by EU-established organizations must implement Article 50(1) disclosure. The obligations run to who controls the system's design and deployment, not where that entity is incorporated.
Article 50 splits its obligations between providers and deployers along functional lines.
Obligation 1 — Chatbot and virtual assistant disclosure (Article 50(1)) | Provider obligation
Providers of AI systems designed to interact directly with people — chatbots, virtual assistants, automated phone systems — must design and build those systems so that users are informed they are interacting with an AI. This obligation sits with the provider, not the deployer, because it is a design requirement: the system must be capable of making the disclosure, not just used in a way that makes the disclosure.
The disclosure must occur "at the latest at the time of the first interaction." European Commission guidelines published in May 2026 interpret this as requiring transparent identification before or immediately upon engagement — not buried in terms and conditions, not available only on a help page, and not deferred until a user explicitly asks whether they are speaking to a human. A chatbot that identifies itself as "Aria" and does not disclose its AI nature until pressed violates this obligation regardless of whether users could have inferred it from context.
The exception is narrow: systems that are "obviously AI" — where a reasonably well-informed, observant and circumspect person would have no expectation of interacting with a human — may qualify. The guidelines suggest this applies to robotic voices in clearly scripted systems but not to conversational AI that mimics natural language.
Obligation 2 — Synthetic content machine-readable marking (Article 50(2)) | Provider obligation
Providers of generative AI systems producing synthetic audio, images, video, or text must ensure that outputs are marked in a machine-readable format and detectable as AI-generated. This is a technical provenance obligation: it enables detection tools, platforms, and regulators to verify whether content was AI-generated without relying on voluntary disclosure by the person who published it.
The European Commission's June 2026 Code of Practice acknowledges that no single marking technique currently satisfies all four required properties — effectiveness, interoperability, robustness, and reliability — simultaneously. A combination of techniques (cryptographic provenance metadata, watermarking, fingerprinting) is therefore required under the current state of the art. Providers who sign the Code of Practice benefit from a presumption of conformity with this obligation; those who do not must demonstrate compliance independently to their national market surveillance authority.
The transitional period applies here: providers of generative AI systems already on the EU market before August 2, 2026 have until December 2, 2026 to implement machine-readable marking. New systems placed on the market from August 2 onward must comply from day one.
There is a narrower carve-out that matters for publishers and content teams: AI-assisted text that has undergone substantive human editorial rework may not require machine-readable marking, because the final product is no longer AI-generated in the meaningful sense. The key word is "substantive." Adding a paragraph, restructuring arguments, and rewriting passages on the basis of editorial judgment qualifies. Cursory review, light formatting changes, or minor rewording does not. Publishers relying on this carve-out should document the editorial workflow and the nature of the human contribution to the final text.
Obligation 3 — Emotion recognition and biometric categorization disclosure (Article 50(3)) | Deployer obligation
Deployers using emotion recognition systems or biometric categorization systems must inform people that such systems are operating on them. This obligation falls on the deployer because the decision to deploy these systems in a particular context — a video interview, a retail analytics system, a customer service floor — is the deployer's choice, not the provider's.
The obligation requires active disclosure: people must be told the system is in use, not merely given the opportunity to discover it. HR teams deploying AI-powered video interview tools should treat this as a mandatory pre-interview disclosure, not a buried terms-of-service item.
Obligation 4 — Deepfake and AI-generated public content disclosure (Article 50(4)) | Deployer obligation
Deployers publishing deepfakes or AI-generated content about real people, places, events, or matters of public interest must disclose that the content is artificially generated or manipulated. The Commission guidelines adopt a broad interpretation of "deepfake" — content does not have to be a sophisticated impersonation to fall within scope. AI-generated or AI-manipulated content that closely resembles a real person, object, place, or event and has the potential to mislead a reasonable viewer is covered.
One aspect frequently misread: online platforms that merely host or distribute AI-generated content created by others are not "deployers" under Article 50(4). The obligation falls on the entity that actively uses an AI system to produce or manipulate the content, not on the downstream platform providing infrastructure for its distribution. A social media platform is not a deployer simply because a user uploads AI-generated video — unless the platform itself used AI to generate or manipulate that content. Organizations that aggregate or republish AI-generated content they did not produce should analyze the chain carefully before assuming Article 50(4) applies to them.
The satire and artistic exception applies here, but it is narrow. Satirical, creative, or fictional content is not fully exempt — it benefits from a "reduced disclosure obligation": one that need only go far enough to avoid impairing the artistic work or its impact. A clearly labeled parody may satisfy this with a brief disclosure. A realistic synthetic video of a political figure delivering a fabricated statement does not qualify simply because the creator intended it as commentary.
| Obligation | Article 50 paragraph | Who is responsible | Applies from |
|---|---|---|---|
| Chatbot / virtual assistant disclosure | 50(1) | Provider | August 2, 2026 |
| Synthetic content machine-readable marking | 50(2) | Provider | August 2, 2026 (December 2, 2026 for pre-existing systems) |
| Emotion recognition / biometric categorization disclosure | 50(3) | Deployer | August 2, 2026 |
| Deepfake / AI-generated public content disclosure | 50(4) | Deployer | August 2, 2026 |
The Code of Practice and the July 22 Deadline
The European Commission published the final Article 50 Code of Practice on June 10, 2026. Signing the Code creates a presumption of conformity with Article 50(2) and Article 50(4) obligations — meaning regulators must affirmatively prove non-compliance rather than companies having to prove compliance. The Code has two sections: one for providers, one for deployers, and they may be signed independently.
The Commission encourages organizations to submit the completed signatory form by 18:00 CET on July 22, 2026, to be included on the initial signatory list published before August 2. Organizations can sign after that date by emailing the form to the EU AI Office, but will not appear on the initial list. Signing later does not remove the presumption of conformity — the benefit is available regardless of timing — but the initial list carries reputational and regulatory signaling value that late signatories will not have on enforcement day.
Penalties and Enforcement
Non-compliance with Article 50 carries fines of up to €15 million or 3% of global annual turnover, whichever is greater. Enforcement falls to national market surveillance authorities in each EU member state, not a single centralized authority. This means the enforcement landscape will vary by country in the short term — some authorities will act faster than others — but any EU authority can act against any system deployed to EU users.
Secure Privacy's Privacy & AI Governance Platform provides the AI Governance module for documenting Article 50 compliance obligations per system — capturing provider/deployer role, applicable obligations, disclosure implementation status, and Code of Practice signatory status — alongside the data mapping infrastructure needed to identify which AI systems in your portfolio are in scope.
Sign the Code of Practice now — the EU AI Office signatory form for the Article 50 Code of Practice is available at the European Commission's digital strategy portal. Signing by July 22, 2026 secures your place on the initial conformity list before August 2 enforcement begins.
Frequently Asked Questions
Does Article 50 apply to internal AI tools, or only to consumer-facing systems?
Article 50(1) applies to AI systems designed to interact directly with people. An internal chatbot used by employees — a support bot, an internal knowledge assistant — qualifies as a system interacting with people. The obligation to disclose the AI nature applies to the provider of that system. Internal deployment does not create an exemption. Article 50(3) similarly applies to emotion recognition and biometric categorization used internally, such as in HR or workforce management contexts.
What does "machine-readable format" mean in practice for Article 50(2)?
The Commission's guidelines require synthetic content to carry provenance metadata that detection tools, platforms, and regulators can read without manual intervention. Currently no single technique satisfies all four required properties (effectiveness, interoperability, robustness, reliability) simultaneously. The Code of Practice provides a framework under which a combination of techniques — cryptographic metadata, watermarking, and fingerprinting — is accepted as the current state of the art. Providers should monitor the C2PA (Coalition for Content Provenance and Authenticity) standard, which is the leading interoperability framework for content credentials.
Does the transitional period apply to chatbot disclosure or only to synthetic marking?
The transitional period until December 2, 2026 applies specifically to the machine-readable marking requirement under Article 50(2) for generative AI systems already on the EU market before August 2, 2026. The chatbot disclosure obligation under Article 50(1) has no transitional period — it applies from August 2, 2026, to all interactive AI systems, including those already deployed.
When does the satire exception actually apply?
The satire and artistic exception is narrower than most organizations assume. It applies when disclosure would impair the artistic work or its satirical impact. A clearly labeled parody account posting synthetic content can satisfy the obligation with brief framing. A realistic synthetic video of a political figure making a statement they did not make does not qualify as satire simply because the creator claims it is commentary. The test is whether a reasonable viewer would need disclosure to avoid being misled.
What is the difference between Article 50 and the GDPR transparency obligations for AI?
Article 50 is an EU AI Act transparency obligation focused on the AI nature of the system and the synthetic nature of content. GDPR Article 13 requires transparency about personal data processing — including when AI makes decisions about individuals. If an AI system both interacts with users and processes their personal data, both sets of transparency obligations apply and must be addressed in the relevant notices. Article 50 disclosure about AI identity does not substitute for GDPR Article 13/14 information about data processing.
What should a deployer do if their provider's chatbot system does not yet support Article 50(1) disclosure?
Article 50(1) is a provider obligation — the design responsibility sits with the system's provider. Deployers should request documentation confirming the provider has implemented compliant disclosure and assess whether the system's user interface supports the required "at the latest at first interaction" timing. If the provider has not implemented disclosure, deployers should raise it as a contractual requirement in vendor agreements and, where necessary, implement an overlay disclosure at the deployment layer pending provider compliance.
For organizations mapping Article 50 obligations across multiple AI systems and multiple vendor relationships, Secure Privacy's Privacy & AI Governance Platform provides the AI system registry, vendor management, and documentation workflow needed to track compliance status per obligation per system before August 2, 2026.




