By Greg Nowak. Last updated 2026-07-16.
The EU AI Act’s next transparency deadline is not just a concern for model developers. From 2 August 2026, Article 50 applies to customer-facing bots, synthetic text and media, deepfakes, certain public-interest publications, emotion recognition, and biometric categorisation.
There is no single label that solves all of this. Article 50 gives providers and deployers different duties in different situations. Some concern the information a person sees. Others require a machine-readable mark embedded in an output. The available exceptions depend on the system, the content, and the way it is used.
For most businesses, the immediate job is operational: find every relevant AI touchpoint, decide who owns it, and work out whether the required control belongs in a website, chat widget, API, content-management system, media pipeline, or publishing process.
Article 50 sets out several separate duties
Providers of AI systems designed to interact directly with people must ensure that users are informed they are dealing with AI. That disclosure is not required when the AI involvement would already be obvious to a reasonably well-informed, observant, and circumspect person, given the circumstances and context.
Providers also have obligations for AI systems, including general-purpose AI systems, that generate synthetic audio, images, video, or text. Outputs must be marked in a machine-readable format and remain detectable as artificially generated or manipulated. As far as technically feasible, the method must be effective, interoperable, robust, and reliable. Article 50 also allows for content limitations, implementation costs, and the generally acknowledged state of the art.
Deployers face a different set of questions. People exposed to emotion-recognition or biometric-categorisation systems must be informed about their operation. Deployers must disclose artificially generated or manipulated image, audio, or video content that constitutes a deepfake. They must also disclose AI-generated or manipulated text published to inform the public about matters of public interest, unless the content has undergone human review or editorial control and an identifiable person or organisation holds editorial responsibility.
Where Article 50 paragraphs 1 to 4 require information, it must be clear, distinguishable, accessible, and available no later than the first interaction or exposure. That makes compliance an interface, content-design, and release-management issue as much as a legal one.
| AI touchpoint | Decision to make | Control to check | Likely owners |
|---|---|---|---|
| Website or support bot | Is the user told that they are interacting with AI, or is it already obvious in context? | Accessible disclosure at the first interaction | Product, web, accessibility, legal |
| Synthetic text, audio, image, or video | Who is the provider, and how are outputs made machine-detectable? | Provider marking capability and end-to-end testing | Vendor management, engineering, publishing |
| Deepfake used by the business | Does the deployer need to disclose that the content was generated or manipulated? | Disclosure suited to the medium and shown at exposure | Communications, content, legal |
| AI-generated public-interest text | Does the text qualify, and are the review and editorial-responsibility conditions met? | Disclosure or a documented exception assessment | Editorial, compliance, CMS owner |
| Emotion recognition or biometric categorisation | Who is exposed to the system, and how will they be informed? | Accessible notice and applicable data-protection controls | Privacy, security, system owner |
Inventory touchpoints, not just vendors
A software register might show that the company licenses one generative-AI service. It may not show that the same service powers a customer bot, an internal drafting assistant, a CMS integration, automated image production, an API, and a social-publishing workflow. Each use can involve a different audience, output, responsibility, and exception.
The inventory therefore needs to connect each underlying system with what people actually encounter. For every touchpoint, record whether someone communicates directly with AI; whether the system produces text, audio, images, or video; whether the output is generated or manipulated; whether published text concerns a matter of public interest; and whether human review, editorial control, and identifiable editorial responsibility are present.
Ownership matters too. Record who controls the interface, content template, technical integration, and route to publication. These details give the organisation’s legal adviser something concrete to classify. A note saying that “the vendor handles compliance” does not explain what happens once an output enters the company’s own workflow.
Follow the output through the full workflow
The voluntary Code of Practice on Transparency of AI-Generated Content has two sections. Its provider section covers machine-readable marking and the detection of generated or manipulated content. Its deployer section covers the labelling of deepfakes and certain generated or manipulated text.
On 8 July 2026, the Commission concluded that the code adequately covers the obligations in Article 50(2), (4), and (5). The associated Commission opinion was published on 9 July, and the AI Board adopted its adequacy assessment the following day. The Commission presents the code as a voluntary, EU-wide way to demonstrate compliance, while stressing that signing it is not conclusive evidence of compliance.
The scope is important. The code concentrates on generated content. The direct-interaction duty for bots under Article 50(1), along with the emotion-recognition and biometric-categorisation duty in Article 50(3), remains a separate part of the work. A project focused only on synthetic-content labels could leave other affected uses untouched.
It is also worth testing the published result, not merely the provider’s original output. A provider may support a marking technique, but the file or text can then pass through editing, optimisation, conversion, a CMS, and several distribution channels. End-to-end testing shows whether the machine-readable signal is still detectable in the version the public receives. If it disappears, both the workflow and the legal implications need review.
Make disclosure work at first contact
The timing and accessibility requirements should shape the implementation. A chatbot may need an introductory message or interface element that remains perceivable on desktop, mobile, and embedded versions. Generated media may need a disclosure shown with the content. Public-interest text may be better handled through a structured CMS field and publication rule than by asking each editor to improvise the wording.
Exceptions need the same discipline. Whether an AI interaction is obvious depends on context. The exception for public-interest text requires the relevant human review or editorial control, plus an identifiable person or organisation with editorial responsibility. For evidently artistic, creative, satirical, fictional, or analogous works, deepfake disclosure is limited to an appropriate form that does not hamper display or enjoyment.
Documenting these decisions makes them usable. Product and publishing teams need a repeatable rule, not a fresh interpretation every time content goes live.
Connect the GDPR work without merging it
Article 50 does not replace data-protection obligations. This is especially relevant when an AI initiative uses web scraping for development or training. The EDPB states that the GDPR applies when scraping involves operations on personal data, including collection, storage, organisation, and retrieval.
The EDPB’s July 2026 material highlights legal basis, special-category data, purpose limitation, transparency, accuracy, and data minimisation. It also recommends measures such as using reliable sources, recording timestamps, and validating scraped data before training. An AI notice on a website or a mark on generated output does not settle those questions.
The sensible connection point is the evidence. An AI inventory can flag systems that involve scraping or personal-data processing, so privacy specialists can assess those flows alongside the Article 50 work while keeping the two legal analyses distinct.
What to do before 2 August
Start with externally visible and higher-impact uses: public bots, synthetic media, automated publication, public-interest content, deepfakes, and emotion-recognition or biometric-categorisation systems. Give every touchpoint a business owner and a technical owner. Record its provisional provider-deployer classification, current disclosure status, marking capability, exception assessment, and remediation decision.
Then put the agreed controls where they will actually operate: chat components, CMS fields and templates, media pipelines, API contracts, editorial checklists, and release tests. Keep evidence of vendor capabilities, legal decisions, accessibility checks, and representative end-to-end tests.
This work tends to cross several organisational boundaries. A digital project manager can keep legal advisers, vendors, designers, developers, privacy specialists, and publishing teams working from the same inventory and decisions. Greg can lead that coordination and turn the agreed requirements into a delivery plan across the relevant digital touchpoints.
The useful outcome is a traceable process: the right disclosure or technical measure reaches the right interaction or piece of content at the required time.
Related on GrN.dk
- AI images need a media-library audit before they reach clients
- Background AI Tasks Need Queues, Not Just Longer API Calls
- AI disclosure rules belong in the CMS, not a spreadsheet
Need help with this kind of work?
Map your AI touchpoints before August Get in touch with Greg.