Article 50 of the EU AI Act sets out transparency and disclosure obligations for AI systems serving EU users, with a primary enforcement date of August 2, 2026. Most coverage treats this as a single watermarking requirement that either has or hasn’t been pushed back by the Digital Omnibus.
It’s more complicated than that. The Digital Omnibus provisional agreement, reached on 7 May 2026, moved Article 50(2) machine-readable marking — and only that obligation — to December 2, 2026. Article 50(1), 50(3), and 50(4) are still on August 2. Annex III high-risk AI systems are on a completely separate track: December 2, 2027.
So in this article we’re going to cover what Article 50 actually requires, which deadline applies to which obligation, what the Digital Omnibus really changed, who is in scope, and how California SB 942 fits if you’re a US-based company. This guide is part of our comprehensive AI content authenticity and watermarking mandate series, where we explore the full regulatory, technical, and implementation landscape.
Let’s get into it.
What does EU AI Act Article 50 actually mandate on AI-generated content?
Article 50 creates four separate obligations. Different actors carry different ones — and they cover different types of AI interactions.
Article 50(1) applies to providers of interactive AI systems — chatbots, voice assistants, agentic AI. The obligation is to tell users they’re dealing with an AI at the point of interaction. Not buried in terms of service. There’s an exception where it’s obvious from context, but a natural-language customer service chatbot doesn’t automatically qualify.
Article 50(2) applies to providers of AI systems generating synthetic audio, images, video, or text. The obligation is to implement machine-readable marking — embedded provenance data that downstream systems can detect as AI-generated. The regulation is specific: the marking must be interoperable, detectable, and robust. A visible “AI-generated” label doesn’t satisfy Article 50(2).
Article 50(3) applies to deployers of emotion recognition or biometric categorisation systems. They need to tell individuals when such a system is processing them.
Article 50(4) applies to deployers who publish deepfakes or AI-generated text on matters of public interest. The obligation is disclosure of the artificial origin at publication. The Act defines deepfakes broadly under Article 3(60): AI-generated or AI-manipulated image, audio, or video depicting existing or non-existing persons, places, or events that would falsely appear authentic. A synthetic video of a non-existent person can trigger Article 50(4).
One thing worth getting straight: “watermarking” gets used loosely in most coverage. The legal obligation in Article 50(2) is machine-readable marking. Watermarking is one technical method among several — alongside metadata embedding (XMP/IPTC) and cryptographic provenance via C2PA.
What are the August 2 and December 2, 2026 deadlines and which obligations fall on each date?
Three of the four Article 50 obligations land on August 2, 2026: Article 50(1) interactive AI disclosure, Article 50(3) emotion recognition transparency, and Article 50(4) deepfake and public-interest text disclosure. That date has not changed. The Digital Omnibus didn’t touch it.
Article 50(2) — machine-readable marking — is the one obligation that got transitional relief. Under the Digital Omnibus provisional agreement, the planning date moves to December 2, 2026.
There’s a planning risk here worth flagging. The Digital Omnibus is a provisional political agreement as of June 2026 — not formally adopted, not yet published in the Official Journal. Gibson Dunn reports formal adoption is expected before August 2, but it isn’t done. If adoption is delayed past August 2, Article 50(2) reverts to the August 2 baseline. Keep an eye on formal adoption status if you’re relying on the December date.
The Annex III high-risk AI deadline — December 2, 2027 — is a completely separate track. A system can trigger Article 50 obligations without being an Annex III high-risk system, and vice versa.
Here’s the deadline split in plain terms:
- Article 50(1) interactive AI disclosure: August 2, 2026
- Article 50(2) machine-readable marking: December 2, 2026 (Digital Omnibus, if formally adopted; otherwise August 2)
- Article 50(3) emotion recognition transparency: August 2, 2026
- Article 50(4) deepfake and public-interest text disclosure: August 2, 2026
- Annex III high-risk AI systems: December 2, 2027 (separate track)
What did the Digital Omnibus agreement change about the EU AI Act — and what did it not change?
Trilogue negotiations wrapped up on 7 May 2026, with Council confirmation on 13 May. Formal adoption and publication in the Official Journal are still pending as of June 2026.
What changed: targeted transitional relief for Article 50(2) machine-readable marking specifically. The planning date moves from August 2 to December 2, 2026, provided formal adoption happens in time.
What didn’t change: Article 50(1), 50(3), and 50(4) remain on August 2, 2026. Chatbot identification, emotion recognition transparency, and deepfake disclosure are not deferred. Business press has widely reported the Digital Omnibus as a general AI Act extension — that framing is incorrect. The majority of Article 50 obligations are unaffected.
The Annex III high-risk AI changes are also part of the Digital Omnibus — enforcement is pushed back to December 2, 2027, a 16-month delay. Significant for many organisations. But again, it’s a separate track from Article 50.
Two things drove the Article 50(2) change. No harmonised technical standards existed for machine-readable marking, and pressure from member states — Germany cited as a key driver — pushed for workable timelines before enforcement kicked in.
The practical takeaway: keep Article 50 readiness work moving for August 2 obligations while tracking the December date separately for Article 50(2). For a structured implementation approach, see the 12-week implementation timeline for organisations in scope.
Which organisations are in scope for Article 50 obligations?
Scope comes down to two things: whether you’re a provider or deployer under the Act, and whether your AI systems generate or process the content types each sub-obligation covers.
The EU AI Act has extraterritorial reach. Article 2(1) covers providers placing AI systems on the EU market regardless of where they’re headquartered, deployers within the EU, and providers or deployers in third countries where AI system output is used in the EU. Where your customers are located matters as much as where you’re based.
A provider develops or places an AI system on the market under its own name or trademark. Providers carry Article 50(1) and Article 50(2) obligations — chatbot disclosure and machine-readable marking.
A deployer uses an AI system built by someone else, under its own authority, to serve users. Deployers carry Article 50(3) and Article 50(4) obligations — emotion recognition transparency and deepfake disclosure at publication. A business can be both simultaneously.
The common blind spot is API integrators. If you’re building on GPT-4, Claude, or Gemini, you’re typically a deployer. You can’t assume the GPAI provider’s capabilities satisfy your deployer obligations. If you control the user experience and decide how AI outputs are presented, you carry deployer obligations — full stop.
The quick scope check: Does your system generate synthetic audio, image, video, or text for EU users? Does it interact with EU users as a chatbot or voice assistant? Does it publish AI-generated content on public interest matters? Does it process emotion recognition or biometric categorisation data? If yes to any of these, you’re in scope. For the broader compliance picture, see our watermarking mandate overview.
What does Article 50(2) require versus Article 50(4) — machine-readable marking versus deepfake disclosure?
These are different obligations for different actors, and both can apply to the same organisation.
Article 50(2) is a provider obligation: build machine-readable marking into the AI system itself. The regulation doesn’t prescribe a specific technical standard, but the marking must be “effective, interoperable, robust, and reliable.”
Three main technical approaches can satisfy this. Metadata embedding (XMP, IPTC formats) is the most mature, already widely deployed in photography and publishing. Invisible watermarks are imperceptible to humans but detectable by specialised tools. Cryptographic provenance via C2PA creates a tamper-evident chain of custody — adoption is accelerating at the hardware level, with Samsung Galaxy S25 and Google Pixel 10 signing content natively at capture.
For a technical comparison, see which technical approach satisfies Article 50(2). And it’s worth understanding first why detection alone cannot satisfy the mandate.
Article 50(4) is a deployer obligation. When you publish deepfakes or AI-generated text on matters of public interest, you disclose the artificial origin at publication — a clearly visible label. The “public interest” scope is broader than most assume: it covers public administration, fundamental rights, health, the environment, and economic, political, scientific, or cultural developments.
There’s an editorial review exception: if AI-generated public interest text has undergone genuine, substantive human editorial review with clearly attributable editorial responsibility, disclosure isn’t required. But the exception is narrow. A cursory check before publishing doesn’t qualify. Marketing copy gets no exception.
Most organisations subject to both obligations need both: a machine-readable provenance mechanism for Article 50(2), and a user-facing disclosure for Article 50(4).
How does California SB 942 compare to EU AI Act Article 50 for US-based companies serving EU users?
If your company is headquartered in the US and serves EU users, you’re dealing with two separate frameworks.
California SB 942 (AI Transparency Act), as amended by AB 853, became operative on August 2, 2026 — deliberately aligned with the EU AI Act’s enforcement date. SB 942 applies to “covered providers” with more than one million monthly users in California. It requires a free publicly accessible AI detection tool, visible labelling options, and latent disclosure in all AI-generated image, video, or audio.
The key difference is scope. SB 942 targets providers only — it doesn’t impose independent obligations on deployers. The EU AI Act targets both providers and deployers independently.
As one analysis puts it: “Where California focuses on consumer-facing transparency as a rights mechanism, the EU AI Act focuses on technical transparency as a compliance mechanism.” SB 942 compliance doesn’t satisfy Article 50. The obligation holders differ, the technical forms differ, and the standards differ.
SB 942 penalties are $5,000 per violation per day. EU AI Act Article 50 violations sit at EUR 15 million or 3% of global annual turnover, whichever is higher.
One common planning mistake worth calling out: treating SB 942 as the full picture of California AI transparency. It covers only large GenAI providers — it doesn’t govern automated decision-making, employment AI, or CPPA ADMT obligations. Audit each framework separately.
What are the consequences of missing the EU AI Act Article 50 compliance deadline?
Article 99(4)(g) puts Article 50 transparency violations in the maximum fine tier: EUR 15 million or 3% of total worldwide annual turnover, whichever is higher. Same tier as GDPR maximum fines.
Enforcement sits with national market surveillance authorities in EU member states. Beyond fines, they can order non-compliant systems withdrawn from the market.
There’s also a documentation risk. If your organisation can’t demonstrate when and how it implemented disclosure mechanisms, regulators default to the assumption of non-compliance. The practical mitigation is a Transparency Decisions Register: record for each AI system the disclosure mechanism, implementation date, approver, and rationale for any exception claims. Start that now.
The Article 50 Code of Practice on marking and labelling is voluntary — second draft published March 5, 2026. Adherence doesn’t substitute for legal compliance, but signatories get a recognised compliance pathway and a lighter evidentiary burden.
If you haven’t started Article 50 preparation, here are the priorities: determine whether you’re a provider, deployer, or both; identify which AI systems generate synthetic content for EU users or interact with EU users; confirm which August 2 obligations apply. For a structured implementation approach, see the 12-week implementation timeline for organisations in scope.
Frequently Asked Questions
Does the Digital Omnibus move the watermarking deadline to December 2, 2026?
Partially. The Digital Omnibus provisional agreement targets only Article 50(2) machine-readable marking — moving its planning date to December 2, 2026. Article 50(1), 50(3), and 50(4) remain on August 2, 2026. The Digital Omnibus is a provisional political agreement as of June 2026 — not yet formally enacted. If adoption is delayed past August 2, Article 50(2) reverts to the August 2 baseline.
Do I need to comply with Article 50 if my company is based outside the EU?
Yes. The EU AI Act has extraterritorial reach. Any provider or deployer placing AI systems on the EU market or operating AI systems for EU users must comply regardless of where the company is incorporated. Even free-tier SaaS products accessible to EU residents trigger obligations.
Does Article 50 apply to general-purpose AI integrations like ChatGPT or Claude?
GPAI model providers (OpenAI, Anthropic) carry their own Article 50(2) obligation to build marking support into their API outputs. Companies integrating GPAI APIs are typically deployers — they carry Article 50(4) obligations independently. Deployers cannot assume their GPAI provider’s compliance satisfies their own obligations.
Is a visible “AI-generated” label enough, or do I need a machine-readable marker?
Both obligations exist. Article 50(4) requires disclosure at publication — a visible label can satisfy this. Article 50(2) requires machine-readable marking embedded in the content — a visible label alone does not satisfy it. Most organisations subject to both need both.
What is the difference between the Article 50 deadline and the Annex III deadline?
Article 50 transparency: August 2, 2026 for most obligations; December 2, 2026 for Article 50(2) under the Digital Omnibus. Annex III high-risk AI: December 2, 2027 — a completely separate track. A system can trigger Article 50 obligations without being an Annex III high-risk system.
What exactly is a “deepfake” under the EU AI Act?
Article 3(60) defines deepfakes as AI-generated or AI-manipulated image, audio, or video depicting existing or non-existing persons, places, objects, or events that would falsely appear authentic. The definition is broader than common usage — a synthetic video of a non-existent person could trigger Article 50(4). Content that is clearly unrealistic falls outside the definition.
Does the editorial review exception mean AI-generated articles do not need labelling?
Only in narrow circumstances. The exception requires genuine, substantive human editorial review with clearly attributable editorial responsibility. Cursory review or automated quality checks don’t qualify. Marketing copy and product descriptions get no exception.
How do I determine whether I am a provider or a deployer for Article 50 purposes?
Provider: you develop the AI system or place it on the market under your own name or trademark. Deployer: you use an AI system built by someone else, under your own authority, to serve users. API integrators building on GPAI models are typically deployers. If you control the user experience and decide how AI outputs are presented to end users, you carry deployer obligations.
What is the Article 50 Code of Practice and does adherence substitute for compliance?
The Code of Practice is a voluntary multi-stakeholder instrument facilitated by the EU AI Office. Adherence does not substitute for legal compliance — but signatories benefit from a recognised compliance pathway and lighter evidentiary burden.
How does the Article 50 compliance obligation interact with the GDPR?
GDPR and Article 50 are independent obligations. Compliance with one does not satisfy the other. Both may apply simultaneously if your AI system processes personal data of EU users. Coordinate Article 50 disclosures with GDPR transparency notices to avoid inconsistency.
What should I do now if I have not started Article 50 preparation?
Three priorities: determine whether you’re a provider, deployer, or both; identify which AI systems generate synthetic content for EU users or interact with EU users; confirm which August 2 obligations apply. For Article 50(2), you have until December 2, 2026 under the Digital Omnibus — but monitor formal adoption. Start a Transparency Decisions Register now. See the 12-week implementation timeline for organisations in scope for a structured approach.
Does California SB 942 compliance satisfy my EU Article 50(2) obligations?
No. SB 942 requires large GenAI providers to make watermarking tools available. Article 50(2) requires actual implementation of machine-readable marking. SB 942 compliance does not cover your independent obligations as a deployer under Article 50.
For a complete overview of the regulatory, technical, and vendor landscape — including how the detection accuracy ceiling affects compliance strategy and how to evaluate technical approaches against Article 50(2) requirements — see the complete guide to AI watermarking compliance.
