EU AI Act Article 50: AI Transparency Obligations for Limited-Risk Systems
Article 50 EU AI Act: chatbot disclosure, synthetic-content marking, deepfake rules, and emotion-recognition notices. Applies from 2 August 2026.
Article 50 of Regulation (EU) 2024/1689 is the Act's transparency tier for limited-risk AI systems — chatbots, synthetic-content generators, emotion-recognition deployments, and deepfakes. It does not impose the full high-risk compliance stack. What it does impose is a set of hard disclosure duties that apply from 2 August 2026 to a wide range of everyday AI products.
If you run a customer-facing chatbot, generate AI images or videos at scale, or deploy any system that infers emotions or produces deepfake-style content, Article 50 is your primary obligation. Missing it carries fines up to €15 million or 3% of worldwide annual turnover under Article 99(4) — the same ceiling as a breach of most high-risk obligations.
This guide walks through each paragraph of Article 50 in sequence, identifies who owes what, and translates the statutory text into practical steps.
What Article 50 Is — and Is Not
Article 50 sits in Chapter IV of the Act, which governs transparency for certain AI systems. The four risk tiers of the Act are: unacceptable risk (prohibited, Article 5), high risk (Articles 6–27 and 43–49), limited/transparency risk (Article 50), and minimal risk (no mandatory obligations). Article 50 is the entire limited-risk transparency regime in one provision.
It is important not to confuse it with two adjacent obligations that look similar:
- Article 13 (transparency and information to deployers of high-risk systems) requires providers of high-risk AI to furnish deployers with information about the system — its purpose, performance metrics, limitations, and how to interpret its output. That is a deployer-facing information duty for the high-risk tier, not Article 50.
- GPAI model obligations (Chapter V, Articles 53 and 55) require providers of general-purpose AI models to maintain technical documentation, publish summaries of training data, and — for systemic-risk models — conduct adversarial testing and report incidents. Those are model-level duties for a separate cross-cutting category.
Article 50(2) does apply to providers of AI systems that happen to be general-purpose AI systems (i.e., deployed products that generate synthetic content), but that is a transparency duty on the output, not the GPAI Chapter V model obligations. Keep these tracks separate.
Article 50(1): Chatbot Disclosure — Who Must Tell Users They Are Talking to AI
Who it targets: providers of AI systems intended to interact directly with natural persons.
The obligation is this: design the system so that users know they are interacting with an AI. The duty sits with the provider — the entity placing the system on the market or putting it into service under its own name. It is a design requirement, not a one-off notice. The provider must build the disclosure into the user experience so it activates at or before the first interaction.
Two carve-outs apply. First, disclosure is not required if it is obvious to a reasonably observant person from the context or circumstances that they are interacting with an AI. A text-to-code autocomplete tool integrated inside a developer IDE, where every user has knowingly installed an AI coding assistant, likely satisfies this. A support chat widget on a consumer retail site does not — many users will assume they are reaching a human agent.
Second, systems authorised by law for detecting, preventing, investigating, or prosecuting criminal offences are exempt from the disclosure requirement. This is a narrow exception for law enforcement and public-security contexts; it does not extend to fraud detection in commercial settings.
Worked example — support chatbot: A 60-person SaaS company deploys a third-party AI chatbot on its help portal. The company is the deployer; the chatbot vendor is the provider. The vendor must design the widget so that the opening message — or a persistent label visible from the first exchange — identifies it as an AI. A footer credit reading "AI assistant" visible only after scrolling down does not reliably satisfy the requirement. The vendor builds the compliant disclosure flow; the deployer must not switch it off.
Article 50(2): Synthetic Content Marking — Watermarks, Machine-Readable Labels, and Interoperability
Who it targets: providers of AI systems (including general-purpose AI systems) that generate synthetic audio, image, video, or text.
This is the most technically demanding provision in Article 50. Providers must ensure that outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. The marking must be effective, interoperable, robust, and reliable, to the extent technically feasible.
"Interoperable" matters. The Act contemplates that detection tools from different vendors need to be able to read the marking — meaning proprietary watermarking schemes that only your own tools can detect will not satisfy the requirement. The AI Office is tasked under Article 50(7) with facilitating codes of practice on the technical standards for detection and labelling. Until those codes are finalised, providers should implement standard watermarking approaches (e.g., C2PA cryptographic manifests, perceptual watermarks for images) and document their choice.
Two exceptions limit the scope of Article 50(2):
- Assistive function / standard editing: if the AI system performs an assistive function for standard editing operations — spell-check, basic image correction, colour grading, autocomplete — and does not substantially alter the input content, the marking obligation does not apply. A grammar-correction tool that fixes a comma does not trigger it. An AI that rewrites a paragraph, generates a face, or synthesises a voice does.
- Law enforcement authorisation: the same criminal-offence carve-out as in Article 50(1) applies.
Worked example — AI image generator: A European startup sells a subscription product that lets marketing teams generate product photography. Every image it produces must carry a machine-readable mark (e.g., a C2PA manifest) before it leaves the product. If the startup also exports a Photoshop plugin that tweaks brightness and contrast on user-uploaded photos without substantially altering them, that plugin is likely exempt. If the plugin can generate an entirely synthetic product background, that output needs the mark.
Note: the statutory language says the marking must be machine-readable and the output detectable as artificially generated "as far as technically feasible." This is a qualified duty, not an absolute one — but the burden is on the provider to show that a compliant marking technique was not technically feasible, not to assume the exception applies by default.
Article 50(3): Emotion-Recognition and Biometric-Categorisation Systems
Who it targets: deployers of emotion-recognition systems or biometric-categorisation systems.
Article 50(3) shifts the obligation from provider to deployer. When you deploy a system that infers emotional states (anger, distress, engagement, satisfaction) or that categorises people on the basis of biometric data (perceived gender, age, ethnicity), you must inform the natural persons exposed to that system. You must also comply with Regulation (EU) 2016/679 (GDPR) — a reminder that GDPR consent, legitimate-interest analysis, and data minimisation requirements apply in parallel.
The same law-enforcement carve-out applies. A police body legally authorised to use emotion-recognition in an interrogation context (subject to applicable national law) is exempt from the Article 50(3) notice requirement.
"Exposed to" is broader than "using." If a retail store deploys an AI system that analyses shoppers' facial expressions to gauge their emotional response to product displays, every person who walks past the camera — whether or not they are customers, whether or not they consented — is exposed. The deployer must inform them. In practice this will require visible signage at the point of entry, following the same logic as GDPR video-surveillance notices.
Worked example — HR sentiment tool: A 200-person company deploys a third-party tool that analyses employees' video-call expressions during performance review meetings to produce engagement scores. The company is the deployer. Before using the tool, it must inform employees that an emotion-recognition system is in operation during the call. The notice must be given before or at the moment of first exposure — not buried in an annual privacy notice update.
Article 50(4): Deepfake Disclosure and AI-Generated Text for Public Information
Who it targets: deployers who generate or manipulate content that constitutes a deepfake, and deployers who generate AI text for publication to the public on matters of public interest.
Article 50(4) splits into two distinct duties.
Deepfake disclosure. A deployer who generates or manipulates image, audio, or video content that constitutes a deepfake — realistic AI-generated or AI-altered content depicting real or fictional persons, places, or events — must clearly disclose that the content is artificially generated or manipulated. The disclosure must be visible or audible at the point of consumption.
One exception applies for artistic, creative, satirical, or fictional work. Where the content is clearly creative — a clearly labelled parody video, a stylised visual novel, an explicitly fictional AI-voiced character — the requirement limits how you must disclose (in a manner appropriate to the creative context), rather than eliminating disclosure entirely. The exception is not a blanket creative-sector exemption. A commercial advertisement that realistically depicts a celebrity endorsement using deepfake technology is not artistic work in this sense, and must carry the disclosure.
AI-generated public-interest text. A deployer who generates text published to inform the public on matters of public interest — news articles, political commentary, market analysis distributed to the public — must disclose that the text was AI-generated. The exception here is meaningful: disclosure is not required where the AI-generated text has been subject to human editorial review and where a natural person holds editorial responsibility for the published content. A journalist who prompts an AI for a draft, then substantially edits it and publishes under their byline with editorial oversight, is not required to disclose AI involvement. A system that auto-publishes AI-generated news summaries without human review is.
This distinction matters for media companies, compliance newsletters, investor-relations disclosures, and public-sector communications. If a human editor reviews and takes responsibility, no disclosure is mandatory. If the pipeline is automated, disclosure is.
Article 50(5): Timing and Accessibility of Disclosures
All information required under Article 50(1)–(4) must be provided clearly and distinguishably at the latest at the time of the first interaction or first exposure. Retroactive notice — informing users after the session ends, or disclosing deepfake content only in a footnote a week after publication — does not satisfy the requirement.
The disclosures must also comply with accessibility requirements. For deployers serving users with disabilities, disclosure mechanisms must be accessible in line with applicable accessibility standards (e.g., WCAG 2.1 for web interfaces). A disclosure conveyed only through on-screen text fails for users relying on audio interfaces; a disclosure only in an audio cue fails for deaf users.
The "clearly and distinguishably" standard means the disclosure must be prominent enough that a typical user will notice it during normal interaction. Requiring users to click through a legal disclosure tab, or placing an AI label in 8-point text in a corner of the interface, is unlikely to satisfy this.
How Article 50 Relates to the High-Risk Tier
Because many systems covered by Article 50 also touch areas listed in Annex III, it is worth clarifying the interaction. Biometric-categorisation systems are listed in Annex III point 1 as high-risk AI — but only when used in specific contexts (employment, law enforcement, migration, etc.) and only where they do not fall within the Article 6(3) filter. A biometric-categorisation system used in a retail emotion-measurement context may or may not be high-risk depending on that analysis.
The key point: Article 50 is the minimum baseline. If a system is both limited-risk under Article 50 and high-risk under Article 6, both sets of obligations apply. Article 50's transparency duties do not displace the high-risk requirements; they stack on top of them.
Conversely, many Article 50 systems are not high-risk at all — a standard AI chatbot, a synthetic-image tool for marketing, an AI text generator for internal drafts. These systems owe the Article 50 disclosures and nothing beyond that (assuming they are not prohibited under Article 5).
The Compliance Deadline: 2 August 2026
Article 50 applies from 2 August 2026. This is the general application date for the Act and is unchanged by the Digital Omnibus. The Digital Omnibus pushed back the high-risk Annex III obligations — stand-alone high-risk systems now apply from 2 December 2027; high-risk AI embedded in regulated products applies from 2 August 2028. Article 50 was not deferred. The 2 August 2026 deadline is firm.
That leaves just over a year from the date of this article. For a chatbot provider, the work is primarily UX and product design: does the interface reliably inform users at first interaction? For a synthetic-content provider, the work is technical: what watermarking or provenance-marking approach will you implement, and can external tools detect it? For a company deploying emotion-recognition or biometric-categorisation in any form, the work involves GDPR analysis and signage/notice design running in parallel.
Common Implementation Mistakes
Assuming "obvious context" is met. Many teams assume their users know they are talking to AI because the product is marketed as an AI product. The standard in Article 50(1) is what a "reasonably observant person" in the circumstances would notice — not what a well-informed power user already knows. If there is any realistic chance a user could believe they are reaching a human, disclosure is required.
Building disclosure into terms of service only. A reference to AI in the terms of service or a privacy policy does not satisfy the Article 50(1) or 50(4) requirement. The disclosure must be made at or before the first interaction, in the interaction channel itself.
Treating the creative exception in 50(4) as a full exemption. Deepfake content used in advertising, product demos, or corporate communications is not "clearly satirical or fictional" simply because it was produced by a creative team. Courts and regulators will look at whether a reasonable viewer would understand the content as AI-generated fiction. If there is doubt, disclose.
Marking only some outputs. An AI image generator that applies C2PA manifests to outputs from its web interface but strips them in the API response does not comply. The marking obligation follows the output, regardless of distribution channel.
Failing to update notification flows after system changes. A chatbot that adds emotion-analysis features post-launch triggers new Article 50(3) obligations for the deployer. Compliance reviews must cover system updates, not just initial deployment.
Penalties for Breach
Article 99(4) sets the fine for non-compliance with Article 50 obligations at €15,000,000 or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. For companies and start-ups, Article 99(6) provides that fines are capped at the lower of the percentage or the fixed-amount ceiling — a proportionality protection, but not an exemption.
The fines are imposed by national market surveillance authorities (or, for systemic GPAI, the AI Office). Member States must also allow private enforcement and representative actions in some contexts. Reputational exposure — a regulator publicising that a company's chatbot deceived users about being AI — may matter as much as the fine itself.
How Confir Helps with Article 50
When you register an AI system in Confir, the AIRC (Risk Classification) assessment runs a transparency-trigger checklist that flags Article 50 obligations based on how you describe the system. If the system interacts with natural persons, generates synthetic content, or performs emotion recognition or biometric categorisation, Confir assigns the Article 50 duties and records the disclosure obligations in the system's compliance record.
The AITO (Transparency and Human Oversight) assessment captures the specific Article 50(1)–(4) obligations that apply, with guidance on what compliant disclosure looks like for each obligation type. The result is a documented record that a compliance team or external auditor can inspect — the transparency obligations, how you meet them, and when.
Both modules are part of Confir's rule-based, deterministic engine. The same system description produces the same Article 50 obligations every time — auditable, reproducible, no guesswork.
Article 50 Obligations at a Glance
| Paragraph | Obligation | Who owes it | Carve-outs |
|---|---|---|---|
| Art 50(1) | Inform users they are interacting with AI | Provider | Obvious context; law enforcement authorisation |
| Art 50(2) | Machine-readable marking of synthetic content | Provider | Assistive/standard editing without substantial alteration; law enforcement |
| Art 50(3) | Inform persons exposed to emotion-recognition or biometric-categorisation | Deployer | Law enforcement authorisation |
| Art 50(4)(a) | Disclose deepfake content as AI-generated/manipulated | Deployer | Creative/satirical work (manner of disclosure may adapt) |
| Art 50(4)(b) | Disclose AI-generated text published on public-interest matters | Deployer | Human editorial review with editorial responsibility |
| Art 50(5) | All disclosures at first interaction; clearly, distinguishably, accessibly | Both | — |
What to Do Before August 2026
Start with your AI system inventory. List every system your organisation provides or deploys that could fall under any paragraph of Article 50 — chatbots and virtual agents, image/video/audio generation tools, marketing or communications content generators, any system that analyses facial expressions or voice tone, any content generated for public publication. For each one, identify whether you are the provider or the deployer, because the obligations differ.
For chatbot and virtual-agent providers: audit the UI for a clear, first-interaction AI disclosure. Test it with users who have no prior knowledge of your product.
For synthetic-content providers: select a marking standard and implement it across all output channels. Document the technical approach and its limitations. Monitor the AI Office's work on codes of practice under Article 50(7).
For deployers using emotion-recognition or biometric categorisation: run a GDPR lawful-basis analysis alongside the Article 50(3) notice design. These are parallel, not sequential.
For deployers generating deepfakes or public-interest AI text: review every automated publishing pipeline and determine where human editorial review exists and where it does not. Where it does not, build the disclosure in.
The August 2026 deadline for Article 50 is fixed. It is the one transparency deadline that the Digital Omnibus did not touch.
Related guides
- EU AI Act compliance guide
- SMB compliance guide for GPAI
- Article 50 compliance software solutions
- Article 50 risk management tools
- transparency risk assessment methodology
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →