While most of the AI Act debate focuses on whether Annex III has been delayed, one obligation that no later regulation has touched affects far more businesses than people realise: Article 50, the duty of transparency towards the user when they interact with an AI system, receive artificially generated content, or are analysed by emotion recognition or biometric systems.
If your company runs a website chatbot, generates images or text with AI for marketing, or analyses the emotional tone of a customer call, Article 50 applies to you from 2 August 2026 — whether you have 3 employees or 300. You don't need to run a high-risk Annex III system to be in scope: Article 50 is horizontal, applying to any provider or deployer regardless of risk level.
In brief: Article 50 of Regulation (EU) 2024/1689 requires, from 2 August 2026, disclosure when a user talks to a chatbot (Art. 50(1)), technical machine-readable marking of AI-generated content (Art. 50(2)), labelling of deepfakes and AI-generated text on matters of public interest (Art. 50(4)), and disclosure when emotion recognition or biometric categorisation is used (Art. 50(3)). Non-compliance is fined up to €15M or 3% of global turnover — or the lower amount if the offender is an SME (Art. 99(6)). The Digital Omnibus does not delay this date. Check your case with the AI Act risk classifier.
Want the full picture of AI Act compliance for your business, not just Article 50? See the AI Act compliance service.What does Article 50 of the AI Act actually require?
Article 50 (EUR-Lex, consolidated text of the Regulation) sets out four distinct transparency duties, each tied to a specific use case. One, several, or all four may apply to you depending on which AI systems you use.
| Provision | Duty | Who | Main exception |
|---|---|---|---|
| Art. 50(1) | Disclose that a person is interacting with an AI (chatbots, voice assistants). | Providers. | When obvious to a reasonably informed user. |
| Art. 50(2) | Technically mark generated content (image, audio, video, text) as machine-readable. | Providers of the generative system. | Content with human review and editorial responsibility. |
| Art. 50(3) | Inform people exposed to emotion recognition or biometric categorisation. | Deployers. | Permitted uses within criminal investigation, with safeguards. |
| Art. 50(4) | Label deepfakes and AI-generated text on matters of public interest. | Deployers. | Evidently artistic/satirical work; text with editorial review. |
These duties sit alongside the AI Act's split of roles between provider, deployer, importer and distributor: which one you are in a given case determines which of the four rules applies to you.
Do I have to tell customers they're talking to a chatbot?
Yes, unless it's obviously AI. Article 50(1) requires the user to know, before or at the start of the conversation, that they're interacting with an AI system, in a clear format at the right moment — unless it's evident to a reasonably informed and attentive person. The grey area is what counts as "obvious": a bot that mimics a real person's tone with no visual cue that it's artificial needs disclosure, even for a simple task.
- E-commerce: the order-support chat must identify itself as AI in the first message.
- Healthcare: booking or symptom-triage bots must disclose they aren't clinical staff; the "obviousness" bar is narrower here.
- Banking and insurance: contracting or simulation assistants must be explicit, since users make financial decisions in that interaction.
Compliance is technically simple: a sentence at the start of the conversation, or a persistent UI indicator. A generic legal notice a user never reads before interacting does not count.
What AI-generated content must be marked as such?
Article 50(2) requires providers of generative systems — text, image, audio, video — to mark their outputs in a machine-readable, detectable format: metadata, digital watermark or cryptographic fingerprint that lets third parties identify artificial origin automatically.
The European Commission published the Code of Practice on Transparency of AI-Generated Content (10 June 2026), and on 8 July 2026 concluded it adequately covers Articles 50(2), 50(4) and 50(5). Signing this voluntary code is the most practical route for an SME to demonstrate compliance without building its own marking system, especially when using tools that already support provenance standards like C2PA.
For an SME, the operational task isn't building the marking system — that's the generative tool provider's job — but verifying it survives publication: if you generate images with C2PA metadata and a later editing step strips it, traceability can still be your responsibility as deployer.
Not sure your generative AI tools keep the required technical marking? Let's review it together.How do I label a deepfake or AI-manipulated video?
Article 50(4) covers deepfakes — image, audio or video generated or manipulated to resemble real people, places or events in a way that could mislead — and AI-generated text published to inform the public on matters of general interest. The duty falls on the deployer: whoever publishes the content, not necessarily who generated it.
Two exceptions apply, and neither is a full exemption:
- Evidently artistic, satirical or fictional work: no intrusive on-screen warning is required, but the existence of generated content must still be disclosed appropriately (credits, description). The exception relaxes the format, not the duty itself.
- Text with genuine editorial review: if a person assumes editorial responsibility for the publication, labelling is not required.
- Marketing: videos with synthetic actors or cloned voices must disclose AI generation, unless framed as evident advertising fiction.
- Media: AI-assisted articles with genuine editorial review are exempt from labelling.
Do I need to disclose emotion recognition or biometric use?
Article 50(3) requires informing people exposed to emotion recognition or biometric categorisation (classification by age, sex or ethnicity inferred from biometric data), individually, without prejudice to GDPR.
Don't confuse this with the Article 5 prohibitions, in force since February 2025: emotion recognition in the workplace and in education is banned (with narrow medical or safety exceptions), not merely subject to disclosure. Article 50(3) governs the permitted uses — certain commercial or private-security contexts outside work and education — and requires informing the exposed person for those permitted cases.
- Physical retail: cameras with emotional analytics must disclose their presence at the point of sale.
- Contact centres: analysing call tone requires informing the customer, in addition to GDPR call-recording rules.
To check whether your case falls under Art. 50(3), an Article 5 prohibition, or neither, the AI Act risk classifier gives a first read in two minutes; for broader questions on which rules apply — AI Act, GDPR, or both — use the "which regulation applies to me?" wizard.
What happens if I don't comply? Fines and enforcement
Breach of Article 50 is sanctioned under Article 99(4), in the mid tier: up to €15 million or 3% of global annual turnover, whichever is higher. Same tier as other provider/deployer obligations — not the top tier of €35M/7% reserved for Article 5 prohibited practices, nor the €7.5M/1% tier for giving incorrect information to authorities.
For SMEs, Article 99(6) reverses the rule: the lower of the two amounts applies, factoring in company size and economic capacity. That reduces exposure, but doesn't exempt from compliance.
In Spain, the authority with sanctioning power from 2 August 2026 is AESIA (Spanish AI Supervision Agency), created by Royal Decree 729/2023, based in A Coruña. Full detail in the AI Act penalties and AESIA guide.
Has the Digital Omnibus delayed Article 50?
No. This is the most common misreading right now. The Digital Omnibus on AI — trilogue agreement 7 May 2026, Parliament vote 16 June, Council adoption 29 June, signed 8 July 2026 — postpones Annex III high-risk systems to December 2027 and Annex I to August 2028. It does not touch the Article 5 prohibitions or Article 50 transparency duties, which remain at 2 August 2026.
One nuance: the Omnibus does provide a four-month grace period (until 2 December 2026) solely for the Article 50(2) technical marking duty on systems already on the market before 2 August 2026 — not for the rest of Article 50, and not for new systems. And while the Omnibus remains unpublished in the EU Official Journal, even that grace period isn't applicable law yet: the date that binds today, without exception, is 2 August 2026.
Full AI Act timeline with the real effect of the Omnibus on each annex, in the calendar and Digital Omnibus guide.
Article 50 compliance checklist: 8 steps
- Inventory every AI conversational touchpoint: website, WhatsApp Business, apps, phone systems.
- Add the AI disclosure to the first message of every chatbot.
- Check whether your generative tools keep technical marking or are signed up to the Commission's Code of Practice.
- Define a labelling protocol for AI-generated marketing video, image and audio.
- Identify emotion recognition or biometric use, first checking it isn't an Article 5 prohibition.
- Draft an internal AI-content policy: what gets labelled, how, who reviews it.
- Train marketing, customer service and HR — the teams most likely to use conversational or generative AI outside compliance oversight.
- Document your classification decisions: which systems you identified and what you did about them, as evidence for an AESIA inspection.
If your system also turns out to be high-risk under Annex III, obligations don't stop at Article 50: the risk classification and Annex III guide confirms it, and if you act as a provider of a GPAI system embedded in your product, the GPAI obligations guide completes the picture.
Frequently asked questions about AI Act Article 50
Do I have to tell customers they are talking to a chatbot?
Yes, unless it is obvious to a reasonably informed user. Article 50(1) requires any AI system that interacts directly with people to disclose, before or at the start of the interaction, that it is AI. A message at the start of the conversation ("I'm [company]'s virtual assistant, an AI") is enough in most cases. This obligation takes effect on 2 August 2026 and has not been delayed.
Do I need to label AI-generated content on my website or in marketing?
It depends on the content type and human review. Text with genuine human editorial review is exempt from Article 50(4) labelling. Images, audio and video that could be mistaken for real content must be disclosed as artificial, unless part of an evidently artistic or satirical work, where a non-intrusive disclosure (e.g. in credits) is enough. Providers of generative tools must also technically mark their outputs (Article 50(2)).
Has Article 50 been delayed by the Digital Omnibus?
No. The Digital Omnibus, signed on 8 July 2026 and still pending publication in the Official Journal of the EU, postpones Annex III (to December 2027) and Annex I (to August 2028), but does not touch Article 50, which remains enforceable from 2 August 2026. It does provide a four-month grace period (until 2 December 2026) only for the technical marking duty under Article 50(2) on systems already on the market, but until it is published, even that grace period is not yet applicable law.
What fine can Spain's AESIA impose for breaching Article 50?
Up to €15 million or 3% of worldwide annual turnover (Article 99(4)), whichever is higher. If the offender is an SME, Article 99(6) reverses the rule and applies the lower amount, factoring in the company's size and economic capacity. In Spain, the competent authority is AESIA, with sanctioning power from 2 August 2026.
Does Article 50 apply even if my AI system is not high-risk?
Yes. It is a horizontal obligation, independent of the Annex III risk classification. A customer-service chatbot or an image generator for social media is usually limited or minimal risk, and is still subject to Article 50 if it falls under any of its four scenarios. Check your system's risk level with the AI Act risk classifier.
Official sources
- EUR-Lex · Regulation (EU) 2024/1689, Article 50 and Article 99
- AI Act Service Desk (European Commission) · Article 50: transparency obligations
- AI Act Service Desk (European Commission) · Article 99: penalties
- European Commission · Code of Practice on Transparency of AI-Generated Content
- AESIA · Spanish AI Supervision Agency
- AEPD · Spanish Data Protection Agency
Author: Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs.