SELINA.ai
Sign in

EU AI Act Article 50, August 2: What the Privacy and Transparency Deadline Actually Requires (and What the Omnibus Delayed)

The conference-circuit version of the EU AI Act timeline goes something like this: "deadlines got pushed back, relax." That version is wrong — or at best, dangerously incomplete. The privacy and transparency obligations under Article 50 hit on August 2, 2026, on schedule, and they apply to essentially every business deploying generative AI that touches a European user. What the Omnibus actually delayed is a different set of requirements entirely. If your compliance team read a headline and stood down, you have a problem.

Key Takeaways

What Does Article 50 Actually Require on August 2?

Article 50 imposes four distinct transparency obligations, none of which are contingent on a system being classified as "high-risk." They apply to any AI system used in the four situations the article covers — which, in practice, means most generative AI deployments. Here is what each requires.

Article 50(1): Chatbot and Direct-Interaction Disclosure

If your AI system is designed to interact directly with natural persons — chatbots, voice assistants, AI companions, social media bots — you must design the system so that users are informed they are interacting with AI, not a human. The obligation is on the provider to bake this into the system's design, not bolt it on at deployment. There is a narrow exception: if the AI nature of the interaction is "obvious to a reasonably well-informed, observant and circumspect person." That phrasing is doing a lot of work, and the Commission's draft Guidelines — still not finalized as of this writing — are expected to clarify it. Don't count on the exception saving you.

Article 50(2): Watermarking and Machine-Readable Marking of AI-Generated Content

Providers of AI systems that generate synthetic audio, image, video, or text must mark that output in a machine-readable format. This is the watermarking requirement. It is the only Article 50 obligation that received any reprieve from the Omnibus — and only for systems already deployed before August 2, which get until December 2, 2026. New deployments on or after August 2 must comply immediately.

A downstream deadline most teams miss: by February 2, 2027, providers must have a watermark-detection interoperability solution in place. If your roadmap doesn't account for that, start now.

Article 50(3): Deepfake Labeling

Deployers — not just providers — who use AI to generate or manipulate image, audio, or video content that constitutes a "deep fake" must disclose that the content was artificially generated or manipulated. This is a deployer obligation, meaning it falls on whoever publishes or distributes the content, not just whoever built the model.

Article 50(4): Labeling AI-Generated Text on Matters of Public Interest

If an AI system generates or manipulates text that is published for the purpose of informing the public on matters of public interest, the deployer must disclose the artificial origin. News synthesis, automated policy summaries, AI-generated editorial content — all in scope.

What Did the Omnibus Actually Delay?

The Digital Omnibus simplification package — which received final Council approval on June 29, 2026 — pushed back the compliance deadline for high-risk AI systems under Annex III. Stand-alone high-risk systems: from August 2, 2026 to December 2, 2027. Embedded high-risk AI in regulated products like medical devices and machinery: from August 2, 2026 to August 2, 2028.

That is a meaningful delay for companies building, say, AI-based hiring tools or credit-scoring systems classified as high-risk under Annex III. It is entirely irrelevant to Article 50. The transparency obligations proceed on the original calendar.

The Omnibus also introduced a new Article 5 prohibition — banning AI systems that generate non-consensual intimate imagery or CSAM — effective December 2026. That is new law, not a delay.

Why Are So Many Teams Confused About What Was Delayed?

Because the original AI Act set August 2, 2026 as the enforcement date for both the high-risk system obligations and the transparency obligations. When headlines reported "EU AI Act deadlines delayed," compliance teams that didn't read past the headline assumed everything shifted. It did not. The high-risk deadlines moved. Article 50 did not. This is a textbook case of compliance-by-headline — and it's going to cost some organizations real money.

The fine structure makes the cost concrete: up to €15 million or 3% of total worldwide annual turnover, whichever is higher. As of August 2, the AI Office and national authorities can impose these fines for breaches of provider and deployer obligations, including Article 50.

What Is the Code of Practice on Transparency of AI-Generated Content?

The European Commission published the final Code of Practice on June 10, 2026 — just under two months before enforcement. The Code was developed through a multi-stakeholder process launched in September 2025, involving over 187 participants from industry, academia, civil society, rightsholders, and EU Member States.

It is voluntary. But "voluntary" understates its legal significance.

Why Does Signing the Code of Practice Matter?

Signing shifts the burden of proof. When a provider or deployer signs the Code, enforcement authorities must prove non-compliance — the signatory does not have to affirmatively prove it did comply. That is a structurally significant legal advantage. If you have worked with SOC 2 or ISO 27001 attestations, the mechanic is familiar: the certification creates a presumption that authorities have to overcome, rather than leaving you to build a defense from scratch every time someone asks.

The deadline to submit a signatory form for inclusion on the initial published list was July 22, 2026, at 18:00 CEST. The list of signatories was published in July 2026, ahead of the August 2 enforcement date. If you missed that window, you can still sign — you just won't be on the first published list.

What Does the Code of Practice Actually Demand Technically?

The Code specifies a layered approach to content provenance. It is not just slapping an "AI-generated" banner on output. The technical requirements include machine-readable metadata and provenance information embedded following recognized standards — with C2PA/Content Credentials as the reference implementation. That means cryptographic provenance, not cosmetic labels.

This is where "compliance theater" and actual engineering diverge sharply. A visible label that says "Made with AI" satisfies the cosmetic reading. Machine-readable metadata embedded in the file, signed with a provenance chain, satisfies the technical reading. The Code clearly points toward the latter. If you are building for durability, build for the technical reading.

How Does This Affect Founders Building AI Products?

If your product deploys an AI system that interacts directly with users in the EU, you need chatbot disclosure live by August 2. If your product generates synthetic text, image, audio, or video, you need machine-readable provenance marking — immediately for new deployments, by December 2 for systems already in production before August 2.

A few specifics worth internalizing:

What Should a Practical Compliance Checklist Look Like?

Start with a system inventory. For each AI system you operate or deploy in the EU, determine which Article 50 paragraph applies — it may be more than one. Then work through this:

  1. Direct-interaction systems (50(1)): Implement a clear, upfront disclosure that the user is interacting with AI. Design-level, not a footer link. The regulation says "designed … so that" — this is an architectural obligation, not a UX footnote.
  2. Content-generating systems (50(2)): Implement machine-readable marking. If you can adopt C2PA/Content Credentials, do so — it is the recognized standard the Code of Practice points to. If your system was deployed before August 2, you have until December 2, 2026 for the watermarking piece specifically.
  3. Deepfake-capable deployments (50(3)): If your system can generate or manipulate realistic image/audio/video of real persons, you need disclosure at the point of publication. This is a deployer obligation.
  4. Public-interest text generation (50(4)): If your system generates text published to inform the public on matters of public interest, label it. Deployer obligation.
  5. Code of Practice: Evaluate whether signing is worth the burden-of-proof shift. For most providers and deployers of generative AI, it is. The signing process is open.
  6. Watermark interoperability (downstream): By February 2, 2027, you need a watermark-detection interoperability solution. Plan for it now.

How Does Privacy-by-Design Relate to Transparency Compliance?

They are the same engineering discipline wearing different regulatory hats. Cryptographic content provenance — signing generated output with metadata about its origin — is structurally identical to the privacy-by-design principle of building data-handling controls into architecture rather than policy documents. Both require you to make commitments at the system-design level that are auditable, tamper-evident, and defensible without relying on after-the-fact documentation.

If you already build with privacy as an architectural constraint — encrypted data at rest, minimal data collection, short retention windows for operational metadata, clear deletion semantics — then adding content provenance marking is an incremental engineering task, not a rearchitecture. If you don't, Article 50 compliance is going to feel like bolting a fire escape onto a building that was never designed with fire exits.

We think about this constantly at Selina. Our memory is encrypted at rest — though it is NOT end-to-end encrypted, because a slice of each request reaches a frontier provider at inference. Files and transfers via SelinaSEND are end-to-end encrypted. We maintain a short retention window for non-content operational metadata, not zero retention. These are design choices made early, not compliance patches applied late. The same engineering posture — decide what you can and cannot see, then prove it architecturally — is exactly what Article 50 demands for content provenance. Build the controls into the system. Don't bolt them on.

What Happens If You Treat the Delay as a Blanket Reprieve?

You get fined. Specifically: you get fined under a provision that was never delayed, while your competitors who read past the headline are compliant and — if they signed the Code of Practice — enjoy a favorable burden-of-proof posture you don't have.

The pattern is worth naming plainly. Regulatory timelines shift. They always shift. The Omnibus moved the high-risk deadlines by 16 months. Future amendments will move other dates. If your compliance architecture is indexed to specific enforcement dates, you will spend every cycle re-scoping, re-prioritizing, and explaining to your board why the thing you said was deferred is suddenly live again.

The alternative: build once for the strictest plausible interpretation. Disclosure plus provenance plus audit trail. If a deadline moves later, you are early. If it moves earlier — or, as with Article 50, never moves at all — you are ready. This is not idealism. It is the only approach that scales across jurisdictions without re-litigating compliance per feature launch.

What Interpretive Uncertainty Remains?

Several material questions are still open as of late June 2026:

Honest assessment: the regulatory text is clear on what is required. The ambiguity lives in the edges — what counts as "obvious," how robust a watermark must be, how agentic systems fit. The Commission's Guidelines, when finalized, will narrow some of this. They will not eliminate it. Build for the center of the target, not the edges.

What Are the Dates That Actually Matter?

A flat timeline, stripped of narrative:

If you are building a generative AI product that serves EU users, the date that matters most is the one that didn't move: August 2, 2026.

If you want an AI assistant that was built with privacy architecture from day one — not patched in after the regulation arrived — start a free 7-day trial, no card required.

Frequently Asked Questions

Did the EU AI Act's Omnibus delay the Article 50 transparency rules?

No. The Omnibus only delayed the compliance deadline for stand-alone high-risk AI systems (to December 2, 2027) and embedded high-risk AI (to August 2, 2028). Article 50's transparency obligations still take effect on August 2, 2026.

What does Article 50 actually require businesses to do?

It requires four things: disclosing to users when they're interacting with AI (chatbots, voice assistants), machine-readable watermarking of AI-generated audio/image/video/text, deepfake labeling by deployers, and disclosure when AI-generated text is published on matters of public interest.

Is there any exception or grace period within Article 50?

Yes, but it's narrow: only the watermarking requirement gets a reprieve, and only for systems already deployed before August 2, 2026, which have until December 2, 2026 to comply. New deployments on or after August 2 must comply immediately.

What is the Code of Practice on AI-generated content, and is it mandatory?

It's a voluntary code published by the European Commission on June 10, 2026, specifying technical standards like machine-readable metadata and provenance marking (with C2PA/Content Credentials as reference). While voluntary, signing it shifts the burden of proof so authorities must prove non-compliance rather than the signatory proving compliance.

What happens if a company fails to comply with Article 50 by August 2, 2026?

Non-compliance can result in fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher, enforceable by the AI Office and national authorities for breaches of provider and deployer obligations.

Sources & References

Michael C.

Michael C.

Founder & Principal Engineer, Selina Labs

Michael builds Selina, a privacy-first AI that remembers you across conversations. He ships security-sensitive AI in production — real attacks, real fixes, measured in minutes and dollars — and writes about privacy, security, and LLMs from that seat. Top Rated Plus and expert-verified on Upwork.

Learn more about Selina.ai