
EU AI Act Article 50, August 2: What the Privacy and Transparency Deadline Actually Requires (and What the Omnibus Delayed)
The conference-circuit version of the EU AI Act timeline goes something like this: "deadlines got pushed back, relax." That version is wrong — or at best, dangerously incomplete. The privacy and transparency obligations under Article 50 hit on August 2, 2026, on schedule, and they apply to essentially every business deploying generative AI that touches a European user. What the Omnibus actually delayed is a different set of requirements entirely. If your compliance team read a headline and stood down, you have a problem.
Key Takeaways
- Article 50 transparency obligations — chatbot disclosure, deepfake labeling, synthetic-content marking — become enforceable on August 2, 2026. The Omnibus did not delay them.
- What the Omnibus did delay: the compliance deadline for stand-alone high-risk AI systems under Annex III, pushed from August 2, 2026 to December 2, 2027. Embedded high-risk AI (medical devices, machinery) gets until August 2, 2028.
- The only Article 50 carve-out: systems already deployed before August 2 get a four-month reprieve — until December 2, 2026 — on the specific watermarking requirement. Everything else is live.
- Non-compliance fines reach up to €15 million or 3% of worldwide annual turnover, whichever is higher.
- The voluntary Code of Practice on AI-generated content transparency published June 10, 2026. Signing it shifts the burden of proof — authorities must prove non-compliance, rather than you proving compliance. The signatory deadline was July 22, 2026.
What Does Article 50 Actually Require on August 2?
Article 50 imposes four distinct transparency obligations, none of which are contingent on a system being classified as "high-risk." They apply to any AI system used in the four situations the article covers — which, in practice, means most generative AI deployments. Here is what each requires.
Article 50(1): Chatbot and Direct-Interaction Disclosure
If your AI system is designed to interact directly with natural persons — chatbots, voice assistants, AI companions, social media bots — you must design the system so that users are informed they are interacting with AI, not a human. The obligation is on the provider to bake this into the system's design, not bolt it on at deployment. There is a narrow exception: if the AI nature of the interaction is "obvious to a reasonably well-informed, observant and circumspect person." That phrasing is doing a lot of work, and the Commission's draft Guidelines — still not finalized as of this writing — are expected to clarify it. Don't count on the exception saving you.
Article 50(2): Watermarking and Machine-Readable Marking of AI-Generated Content
Providers of AI systems that generate synthetic audio, image, video, or text must mark that output in a machine-readable format. This is the watermarking requirement. It is the only Article 50 obligation that received any reprieve from the Omnibus — and only for systems already deployed before August 2, which get until December 2, 2026. New deployments on or after August 2 must comply immediately.
A downstream deadline most teams miss: by February 2, 2027, providers must have a watermark-detection interoperability solution in place. If your roadmap doesn't account for that, start now.
Article 50(3): Deepfake Labeling
Deployers — not just providers — who use AI to generate or manipulate image, audio, or video content that constitutes a "deep fake" must disclose that the content was artificially generated or manipulated. This is a deployer obligation, meaning it falls on whoever publishes or distributes the content, not just whoever built the model.
Article 50(4): Labeling AI-Generated Text on Matters of Public Interest
If an AI system generates or manipulates text that is published for the purpose of informing the public on matters of public interest, the deployer must disclose the artificial origin. News synthesis, automated policy summaries, AI-generated editorial content — all in scope.
What Did the Omnibus Actually Delay?
The Digital Omnibus simplification package — which received final Council approval on June 29, 2026 — pushed back the compliance deadline for high-risk AI systems under Annex III. Stand-alone high-risk systems: from August 2, 2026 to December 2, 2027. Embedded high-risk AI in regulated products like medical devices and machinery: from August 2, 2026 to August 2, 2028.
That is a meaningful delay for companies building, say, AI-based hiring tools or credit-scoring systems classified as high-risk under Annex III. It is entirely irrelevant to Article 50. The transparency obligations proceed on the original calendar.
The Omnibus also introduced a new Article 5 prohibition — banning AI systems that generate non-consensual intimate imagery or CSAM — effective December 2026. That is new law, not a delay.
Why Are So Many Teams Confused About What Was Delayed?
Because the original AI Act set August 2, 2026 as the enforcement date for both the high-risk system obligations and the transparency obligations. When headlines reported "EU AI Act deadlines delayed," compliance teams that didn't read past the headline assumed everything shifted. It did not. The high-risk deadlines moved. Article 50 did not. This is a textbook case of compliance-by-headline — and it's going to cost some organizations real money.
The fine structure makes the cost concrete: up to €15 million or 3% of total worldwide annual turnover, whichever is higher. As of August 2, the AI Office and national authorities can impose these fines for breaches of provider and deployer obligations, including Article 50.
What Is the Code of Practice on Transparency of AI-Generated Content?
The European Commission published the final Code of Practice on June 10, 2026 — just under two months before enforcement. The Code was developed through a multi-stakeholder process launched in September 2025, involving over 187 participants from industry, academia, civil society, rightsholders, and EU Member States.
It is voluntary. But "voluntary" understates its legal significance.
Why Does Signing the Code of Practice Matter?
Signing shifts the burden of proof. When a provider or deployer signs the Code, enforcement authorities must prove non-compliance — the signatory does not have to affirmatively prove it did comply. That is a structurally significant legal advantage. If you have worked with SOC 2 or ISO 27001 attestations, the mechanic is familiar: the certification creates a presumption that authorities have to overcome, rather than leaving you to build a defense from scratch every time someone asks.
The deadline to submit a signatory form for inclusion on the initial published list was July 22, 2026, at 18:00 CEST. The list of signatories was published in July 2026, ahead of the August 2 enforcement date. If you missed that window, you can still sign — you just won't be on the first published list.
What Does the Code of Practice Actually Demand Technically?
The Code specifies a layered approach to content provenance. It is not just slapping an "AI-generated" banner on output. The technical requirements include machine-readable metadata and provenance information embedded following recognized standards — with C2PA/Content Credentials as the reference implementation. That means cryptographic provenance, not cosmetic labels.
This is where "compliance theater" and actual engineering diverge sharply. A visible label that says "Made with AI" satisfies the cosmetic reading. Machine-readable metadata embedded in the file, signed with a provenance chain, satisfies the technical reading. The Code clearly points toward the latter. If you are building for durability, build for the technical reading.
How Does This Affect Founders Building AI Products?
If your product deploys an AI system that interacts directly with users in the EU, you need chatbot disclosure live by August 2. If your product generates synthetic text, image, audio, or video, you need machine-readable provenance marking — immediately for new deployments, by December 2 for systems already in production before August 2.
A few specifics worth internalizing:
- The obligation follows the system, not the model. You don't get to externalize this to your model provider. If you deploy a chatbot built on a frontier model, you are the provider or deployer with the Article 50 obligation. The model vendor's compliance (or lack thereof) doesn't discharge yours.
- Deployer obligations are real. Article 50(3) and 50(4) — deepfake labeling and public-interest text labeling — are deployer obligations. If you are consuming someone else's API to generate content and publishing that content, you are the deployer. You own the disclosure requirement.
- The "obviousness" exception is not a safe harbor. The exception for interactions where the AI nature is "obvious to a reasonably well-informed, observant and circumspect person" is narrow and untested. The Commission's draft Guidelines on this are still pending finalization. Building your compliance strategy around an ambiguous exception is a gamble.
What Should a Practical Compliance Checklist Look Like?
Start with a system inventory. For each AI system you operate or deploy in the EU, determine which Article 50 paragraph applies — it may be more than one. Then work through this:
- Direct-interaction systems (50(1)): Implement a clear, upfront disclosure that the user is interacting with AI. Design-level, not a footer link. The regulation says "designed … so that" — this is an architectural obligation, not a UX footnote.
- Content-generating systems (50(2)): Implement machine-readable marking. If you can adopt C2PA/Content Credentials, do so — it is the recognized standard the Code of Practice points to. If your system was deployed before August 2, you have until December 2, 2026 for the watermarking piece specifically.
- Deepfake-capable deployments (50(3)): If your system can generate or manipulate realistic image/audio/video of real persons, you need disclosure at the point of publication. This is a deployer obligation.
- Public-interest text generation (50(4)): If your system generates text published to inform the public on matters of public interest, label it. Deployer obligation.
- Code of Practice: Evaluate whether signing is worth the burden-of-proof shift. For most providers and deployers of generative AI, it is. The signing process is open.
- Watermark interoperability (downstream): By February 2, 2027, you need a watermark-detection interoperability solution. Plan for it now.
How Does Privacy-by-Design Relate to Transparency Compliance?
They are the same engineering discipline wearing different regulatory hats. Cryptographic content provenance — signing generated output with metadata about its origin — is structurally identical to the privacy-by-design principle of building data-handling controls into architecture rather than policy documents. Both require you to make commitments at the system-design level that are auditable, tamper-evident, and defensible without relying on after-the-fact documentation.
If you already build with privacy as an architectural constraint — encrypted data at rest, minimal data collection, short retention windows for operational metadata, clear deletion semantics — then adding content provenance marking is an incremental engineering task, not a rearchitecture. If you don't, Article 50 compliance is going to feel like bolting a fire escape onto a building that was never designed with fire exits.
We think about this constantly at Selina. Our memory is encrypted at rest — though it is NOT end-to-end encrypted, because a slice of each request reaches a frontier provider at inference. Files and transfers via SelinaSEND are end-to-end encrypted. We maintain a short retention window for non-content operational metadata, not zero retention. These are design choices made early, not compliance patches applied late. The same engineering posture — decide what you can and cannot see, then prove it architecturally — is exactly what Article 50 demands for content provenance. Build the controls into the system. Don't bolt them on.
What Happens If You Treat the Delay as a Blanket Reprieve?
You get fined. Specifically: you get fined under a provision that was never delayed, while your competitors who read past the headline are compliant and — if they signed the Code of Practice — enjoy a favorable burden-of-proof posture you don't have.
The pattern is worth naming plainly. Regulatory timelines shift. They always shift. The Omnibus moved the high-risk deadlines by 16 months. Future amendments will move other dates. If your compliance architecture is indexed to specific enforcement dates, you will spend every cycle re-scoping, re-prioritizing, and explaining to your board why the thing you said was deferred is suddenly live again.
The alternative: build once for the strictest plausible interpretation. Disclosure plus provenance plus audit trail. If a deadline moves later, you are early. If it moves earlier — or, as with Article 50, never moves at all — you are ready. This is not idealism. It is the only approach that scales across jurisdictions without re-litigating compliance per feature launch.
What Interpretive Uncertainty Remains?
Several material questions are still open as of late June 2026:
- Agentic AI: The draft Guidelines are expected to address how Article 50(1) applies to AI agents that act autonomously on behalf of users — initiating contact with third parties, making decisions, executing tasks. The final Guidelines have not landed yet.
- The "obviousness" threshold: When is AI interaction "obvious" enough to exempt a provider from disclosure? The standard — a "reasonably well-informed, observant and circumspect person" — is borrowed from consumer-protection law, but its application to AI interfaces is untested.
- Watermark robustness: The Code of Practice references C2PA, but watermark robustness against adversarial removal or format conversion is an active research problem, not a solved one. The February 2027 interoperability deadline will force this question.
- Cross-border enforcement coordination: National authorities and the AI Office both have enforcement power. How they coordinate — or don't — on Article 50 cases remains to be seen.
Honest assessment: the regulatory text is clear on what is required. The ambiguity lives in the edges — what counts as "obvious," how robust a watermark must be, how agentic systems fit. The Commission's Guidelines, when finalized, will narrow some of this. They will not eliminate it. Build for the center of the target, not the edges.
What Are the Dates That Actually Matter?
A flat timeline, stripped of narrative:
- June 10, 2026: Final Code of Practice on transparency of AI-generated content published.
- June 29, 2026: Council gives final approval to the Digital Omnibus, confirming the high-risk AI deadline delay.
- July 22, 2026: Deadline to submit Code of Practice signatory form for inclusion on the first published list.
- August 2, 2026: Article 50 transparency obligations become enforceable. Fines applicable.
- December 2, 2026: Watermarking reprieve ends for systems deployed before August 2. New Article 5 prohibition on AI-generated non-consensual intimate imagery takes effect.
- February 2, 2027: Watermark-detection interoperability solution required.
- December 2, 2027: Delayed deadline for stand-alone high-risk AI systems under Annex III.
- August 2, 2028: Delayed deadline for embedded high-risk AI in regulated products.
If you are building a generative AI product that serves EU users, the date that matters most is the one that didn't move: August 2, 2026.
If you want an AI assistant that was built with privacy architecture from day one — not patched in after the regulation arrived — start a free 7-day trial, no card required.
Frequently Asked Questions
Did the EU AI Act's Omnibus delay the Article 50 transparency rules?
No. The Omnibus only delayed the compliance deadline for stand-alone high-risk AI systems (to December 2, 2027) and embedded high-risk AI (to August 2, 2028). Article 50's transparency obligations still take effect on August 2, 2026.
What does Article 50 actually require businesses to do?
It requires four things: disclosing to users when they're interacting with AI (chatbots, voice assistants), machine-readable watermarking of AI-generated audio/image/video/text, deepfake labeling by deployers, and disclosure when AI-generated text is published on matters of public interest.
Is there any exception or grace period within Article 50?
Yes, but it's narrow: only the watermarking requirement gets a reprieve, and only for systems already deployed before August 2, 2026, which have until December 2, 2026 to comply. New deployments on or after August 2 must comply immediately.
What is the Code of Practice on AI-generated content, and is it mandatory?
It's a voluntary code published by the European Commission on June 10, 2026, specifying technical standards like machine-readable metadata and provenance marking (with C2PA/Content Credentials as reference). While voluntary, signing it shifts the burden of proof so authorities must prove non-compliance rather than the signatory proving compliance.
What happens if a company fails to comply with Article 50 by August 2, 2026?
Non-compliance can result in fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher, enforceable by the AI Office and national authorities for breaches of provider and deployer obligations.
Sources & References
- Code of Practice on Transparency of AI-Generated Content
- The EU AI Act’s Transparency Rules: A Practical Guide to Article 50 | EU Artificial Intelligence Act
- Article 50: Transparency Obligations for Providers and Deployers of Certain AI Systems | EU Artificial Intelligence Act
- EU AI Act Transparency Obligations: Preparing for Compliance by 2 August 2026 | Data Matters Privacy Blog
- EU AI Act Chatbot Disclosure and Deepfake Labeling: July 22 Signatory Deadline
- The EU's AI Transparency Code of Practice, Explained | TechPolicy.Press
- What Actually Comes Due on August 2, 2026: EU AI Act Article 50 Transparency and the Digital Omnibus Reset | ComplianceHub.Wiki
- One Month to Go: EU AI Act Transparency Compliance
- EU AI Act Aug 2: Chatbot & Deepfake Transparency | Pebblous
- EU AI Act Transparency Obligations: Preparing for Compliance by 2 August 2026 - Lexology
- The Digital AI Omnibus: Proposed deferral of high risk AI obligations under the AI Act (update) - DLA Piper GENIE
- EU AI Act Omnibus Agreement — Postponed High-Risk Deadlines and Other Key Changes - Gibson Dunn
- Artificial Intelligence: Council and Parliament agree to simplify and streamline rules - Consilium
- AI Act rules on high-risk AI delayed as AI Digital Omnibus agreed - Winston Taylor
- Artificial Intelligence: Council gives final green light to simplify and streamline rules - Consilium
- EU legislators agree to delay for high-risk AI rules
- EU agrees to delay key AI Act compliance deadlines | Travers Smith
- EU AI Act omnibus: what changed on 7 May 2026 and what ...
- EU AI Act High-Risk Deadline Pushed to December 2027 – Lab Space
- EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions
- How to sign the Code of Practice on transparency of AI-generated content | Shaping Europe’s digital future
- Signing the Code of Practice on transparency of AI-generated content | Shaping Europe’s digital future
- Code of Practice on Transparency of AI-Generated Content | Shaping Europe’s digital future
- Want the Presumption of Conformity? You Have Until July 22 to Sign the Code of Practice | ActReady
- How to sign the Code of Practice on transparency of AI-generated content | Better Regulation
- The Final Code of Practice on AI Content Marking Is Here — What's Actually In It | ActReady
- Taking the EU AI Act to Practice The Final Transparency Code of Practice - Bird & Bird
- The Code Before the Guidelines: Article 50 AI Act Transparency Between Voluntary Adherence and a Conditional Architecture | NicFab Blog
- Code of Conduct on transparency of AI-generated content - Lexology
