EU AI Act
EU AI Act Article 50: every obligation, date, and penalty, explained
Article 50 of the EU AI Act obliges providers of generative AI systems to mark synthetic audio, image, video, and text output in a machine-readable format, and obliges deployers to visibly disclose deepfakes and AI-generated text published on matters of public interest. The obligations apply from 2 August 2026, with one carve-out: generative AI systems already on the market before that date get until 2 December 2026 to implement machine-readable marking, under the AI Omnibus adopted in June 2026. Non-compliance is punishable by administrative fines of up to EUR 15 million or 3 percent of total worldwide annual turnover, whichever is higher.
This page is the reference version of that answer: every obligation, the exact timeline, the penalty structure, and who carries which duty, with links to the primary legal text throughout. For the engineering side (what a compliant marking system actually looks like per modality), see what EU AI Act watermarking requires in practice. For the human-facing labeling side, see AI content disclosure requirements.
What Article 50 is
Article 50 sits in Chapter IV of Regulation (EU) 2024/1689, the AI Act, under the heading “Transparency obligations for providers and deployers of certain AI systems.” It is the part of the AI Act that governs AI-generated content specifically. Unlike the high-risk regime in Chapter III, Article 50 does not depend on what the AI system is used for. If a system generates synthetic content or interacts with people, Article 50 applies regardless of risk classification.
The full text of Article 50 contains five distinct obligations. It is worth separating them precisely, because they fall on different parties and require different work.
The five obligations at a glance
| Paragraph | Obligation | Who carries it | What it requires |
|---|---|---|---|
| Art. 50(1) | Chatbot disclosure | Provider | AI systems that interact directly with natural persons must be designed so people know they are interacting with AI, unless this is obvious to a reasonably well-informed person |
| Art. 50(2) | Machine-readable marking | Provider | Synthetic audio, image, video, and text output must be marked in a machine-readable format and detectable as artificially generated or manipulated |
| Art. 50(3) | Emotion recognition and biometric categorisation notice | Deployer | People exposed to emotion recognition or biometric categorisation systems must be informed of the system’s operation |
| Art. 50(4) | Deepfake and public-interest text disclosure | Deployer | Deepfakes must be disclosed as artificially generated or manipulated; AI-generated text published to inform the public on matters of public interest must be disclosed, unless it has undergone human review with editorial responsibility |
| Art. 50(5) | Timing and form | Both | Disclosures must be clear, distinguishable, provided at the latest at the first interaction or exposure, and conform to accessibility requirements |
Two of these dominate compliance planning for most companies: the machine-readable marking duty in 50(2) and the human-facing disclosure duty in 50(4). They are frequently conflated and should not be. Marking is a technical property of the content itself (a watermark, embedded metadata, a cryptographic provenance manifest). Disclosure is something a human can see (a label, a caption, an on-screen notice). A compliant system usually needs both, built as separate layers. The distinction is unpacked in detail in machine-readable marking vs disclosure.
The timeline: what applies when
The AI Act entered into force on 1 August 2024 and phases in over several years. The 2026 AI Omnibus (the amending regulation politically agreed on 7 May 2026 and formally adopted by the Council on 29 June 2026) postponed the high-risk deadlines substantially but left Article 50 essentially on schedule, adding only a narrow four-month grace window for marking by legacy systems.
| Date | What happens |
|---|---|
| 1 August 2024 | AI Act enters into force |
| 2 February 2025 | Prohibited practices (Article 5) apply |
| 2 August 2025 | General-purpose AI model obligations apply; governance and penalties framework in place |
| 17 December 2025 | AI Office publishes first draft Code of Practice on Transparency of AI-Generated Content (Jones Day summary) |
| 7 May 2026 | Political agreement on the AI Omnibus; high-risk deadlines postponed, Article 50 marking grace window agreed (Gibson Dunn analysis) |
| 29 June 2026 | Council formally adopts the AI Omnibus |
| 2 August 2026 | Article 50 applies: chatbot disclosure, deployer disclosure duties, and marking for systems newly placed on the market |
| 2 December 2026 | End of the grace window: generative AI systems placed on the market before 2 August 2026 must now also comply with the Article 50(2) marking obligation |
| 2 December 2027 | Postponed application date for standalone high-risk AI systems (Annex III) |
| 2 August 2028 | Postponed application date for high-risk AI embedded in regulated products (Annex I) |
Three points about this timeline deserve emphasis, because they are the ones companies most often get wrong.
First, the grace window is narrow. As William Fry’s analysis of the Omnibus deal notes, the compromise landed between the Commission’s proposed six-month postponement and Parliament’s three months. It covers only the Article 50(2) machine-readable marking mechanism, and only for generative AI systems already on the market before 2 August 2026. It does not delay chatbot disclosure, does not delay deployer disclosure of deepfakes, and gives nothing to systems launched on or after 2 August 2026, which must mark from day one.
Second, Article 50 was not postponed with the high-risk rules. The Omnibus moved the Chapter III high-risk deadlines by over a year, and some coverage created the impression that “the AI Act was delayed.” For content transparency it was not. Sidley’s compliance guide from June 2026 is unambiguous that the transparency obligations remain due on 2 August 2026.
Third, enforcement capacity arrives with the obligation. Member State market surveillance authorities can impose Article 99 fines for Article 50 breaches from the moment the obligation applies. There is no separate enforcement ramp-up date to wait for.
Penalties: what non-compliance costs
Penalties for AI Act violations are set out in Article 99. Article 50 breaches sit in the middle tier: Article 99(4)(g) covers “transparency obligations for providers and deployers pursuant to Article 50” and sets the maximum at EUR 15 million or 3 percent of total worldwide annual turnover for the preceding financial year, whichever is higher. The AI Omnibus did not lower this tier.
| Violation | Maximum fine | Legal basis |
|---|---|---|
| Prohibited AI practices (Article 5) | EUR 35,000,000 or 7% of total worldwide annual turnover, whichever is higher | Art. 99(3) |
| Non-compliance with operator obligations, including Article 50 transparency | EUR 15,000,000 or 3% of total worldwide annual turnover, whichever is higher | Art. 99(4) |
| Supplying incorrect, incomplete, or misleading information to authorities | EUR 7,500,000 or 1% of total worldwide annual turnover, whichever is higher | Art. 99(5) |
For SMEs, including startups, Article 99(6) softens the formula: each fine is capped at the percentage or the fixed amount, whichever of the two is lower. Fines must also be effective, proportionate, and dissuasive in each case, and authorities weigh factors such as the nature and duration of the infringement, whether it was intentional or negligent, and any remedial action taken.
A fine is not the only exposure. Market surveillance authorities can order corrective measures, and for consumer-facing products a public finding of undisclosed synthetic content carries reputational cost that routinely exceeds the administrative penalty. The practical takeaway: for any undertaking with meaningful turnover, the 3 percent figure is the number to plan against.
Provider duties vs deployer duties
The AI Act divides the world into providers (who develop an AI system or have it developed and place it on the market under their own name) and deployers (who use an AI system under their authority in a professional context). Article 50 splits its obligations along that line, and knowing which side of it you sit on is the first compliance question. The full decision tree, including how a company can be both at once, is on who must comply with the EU AI Act.
Providers carry the design-time duties:
- Article 50(1): build conversational systems so users know they are talking to AI, unless it is obvious from context to a reasonably well-informed, observant, and circumspect person.
- Article 50(2): ensure generated audio, image, video, and text output “are marked in a machine-readable format and detectable as artificially generated or manipulated.” The Act requires technical solutions that are “effective, interoperable, robust and reliable as far as this is technically feasible,” taking into account the specificities of content types, implementation costs, and the generally acknowledged state of the art.
Deployers carry the use-time duties:
- Article 50(3): inform people exposed to emotion recognition or biometric categorisation systems.
- Article 50(4): disclose deepfakes as artificially generated or manipulated, and disclose AI-generated text published with the purpose of informing the public on matters of public interest, unless the text has undergone human review and a natural or legal person holds editorial responsibility for it.
The exemptions are as important as the rules. The marking duty in 50(2) does not apply to AI systems that perform an assistive function for standard editing, or that do not substantially alter the input data or its meaning (Recital 133 frames this as a proportionality safeguard). Both 50(2) and 50(4) carry law-enforcement carve-outs. And for content that is part of an evidently artistic, creative, satirical, fictional, or analogous work, the deepfake disclosure in 50(4) is limited to disclosing the existence of the generated content in a way that does not hamper display or enjoyment of the work.
Machine-readable marking vs human-facing disclosure
Because this distinction structures the entire compliance program, it deserves its own summary.
Machine-readable marking (Article 50(2)) is embedded in the content and addressed to software, not people. Recital 133 lists the acceptable technique families: watermarks, metadata identifications, cryptographic methods for proving provenance and authenticity of content, logging methods, and fingerprints, alone or in combination. The recital also allows the marking to be implemented at the AI system level or at the model level, which matters for anyone building on a general-purpose model: an upstream watermark (such as a model-level output watermark) can carry part of the downstream provider’s burden. What this means in engineering terms per modality is covered in EU AI Act watermarking in practice.
Human-facing disclosure (Article 50(4)) is a label a person can perceive. It applies to a narrower set of content (deepfakes, and public-interest text) but demands visible, clear, accessible presentation at first exposure. Concrete UI patterns and where each applies are covered in AI content disclosure requirements.
A system can satisfy one and violate the other. An image with a pristine C2PA manifest but no visible label is still a disclosure breach when it is a deepfake published by a deployer. A video with a burned-in “AI-generated” caption but no machine-readable mark leaves its provider exposed on 50(2).
The Code of Practice and the AI icons
Article 50(7) instructs the AI Office to facilitate codes of practice for the effective implementation of detection and labelling duties, and lets the Commission approve them via implementing acts or impose common rules if the codes fall short.
That process is well underway. The AI Office published the first draft Code of Practice on Transparency of AI-Generated Content on 17 December 2025, with feedback due 23 January 2026 (Jones Day). A second draft followed in March 2026. The drafts propose a standardised EU label for AI-generated content, with an interim two-letter icon scheme (“AI” in English, “KI” in German, “IA” in French) until a uniform EU-wide icon is finalised, and they distinguish fully AI-generated from AI-assisted content with differentiated requirements. Signing the code is voluntary, but as with the GPAI code before it, it is expected to function as the benchmark for what authorities consider adequate compliance.
For engineering teams the message is: do not wait for the final code to start. The technique families are fixed in the Act itself, the leading open standards (C2PA for provenance metadata, model-level watermarking for raw outputs) are stable, and the code will shape presentation details more than architecture.
What compliance actually involves
Reduced to a checklist, an Article 50 program has four workstreams:
- Scoping: determine for each product whether you are provider, deployer, or both, and which paragraphs of Article 50 attach. Start with the provider vs deployer decision tree.
- Marking: implement machine-readable marking for every generated modality, robust and interoperable to the technically feasible state of the art. See the per-modality engineering requirements.
- Disclosure: design and ship the human-facing labels for chatbots, deepfakes, and public-interest text, meeting the clarity, timing, and accessibility bar of Article 50(5). See disclosure requirements and label patterns.
- Evidence: document the techniques used, their robustness testing, and the disclosure logic, so you can demonstrate compliance to a market surveillance authority on request.
This page is guidance, not legal advice; for decisions about your specific exposure, involve counsel qualified in EU law. The dates and figures above are current as of 15 July 2026 and are sourced to the primary text and the adopted AI Omnibus.
Webisoft builds the technical half of this: watermarking pipelines, C2PA provenance infrastructure, and detection tooling that make Article 50 compliance a property of your product rather than a policy document.
Frequently asked questions
When does Article 50 of the EU AI Act apply?
Article 50 applies from 2 August 2026. Under the AI Omnibus adopted in June 2026, generative AI systems placed on the market before 2 August 2026 have until 2 December 2026 to comply with the machine-readable marking obligation in Article 50(2). Systems placed on the market on or after 2 August 2026 must comply from day one.
What is the penalty for violating Article 50?
Non-compliance with Article 50 is subject to administrative fines of up to EUR 15 million or, for an undertaking, up to 3 percent of its total worldwide annual turnover for the preceding financial year, whichever is higher, under Article 99(4)(g). For SMEs and startups the applicable cap is whichever of those two amounts is lower.
Does Article 50 apply to companies outside the EU?
Yes. Under Article 2(1), the AI Act covers providers placing AI systems on the EU market regardless of where they are established, and providers and deployers located in third countries where the output produced by the AI system is used in the EU. A US or Canadian SaaS whose generative output reaches EU users is in scope.
Is watermarking the same as disclosure under Article 50?
No. Article 50(2) requires machine-readable marking of synthetic output, a technical duty on providers. Article 50(4) requires human-facing disclosure of deepfakes and certain AI-generated text, a duty on deployers. Most organizations need both, implemented separately.