How to Build an AI Transparency Notice Under the EU AI Act
Step-by-step: determine Article 50 duties, map provider vs deployer obligations, draft notice content, apply placement rules. Applies 2 August 2026.
Building an AI transparency notice is not a one-page copywriting task. The right notice depends on which legal obligations you actually owe — and those obligations differ by system type, by who you are in the supply chain, and by who is on the receiving end of the disclosure. Get the scoping wrong and you either miss a required disclosure or spend effort drafting notices you do not need.
This guide walks through the five steps: determine which transparency duties apply to each of your AI systems, identify the responsible party for each duty, draft the notice content, apply the placement and timing rules, and build the maintenance and evidence process. Where you need finished example wording — copy-adaptable text for each Article 50 scenario — see the companion page Article 50 Transparency Notices: Ready-to-Use Disclosure Wording.
Step 1: Determine Which Transparency Duties You Owe
Two articles create transparency obligations under Regulation (EU) 2024/1689: Article 50 and Article 13. They operate in different directions and at different layers.
Article 50 — Disclosure to End Users and Affected Persons
Article 50 applies from 2 August 2026 and sits in the limited-risk tier. It does not require a risk classification, a conformity assessment, or registration. It targets five interaction scenarios:
Article 50(1) — AI system interacting with a natural person. Any chatbot, virtual assistant, or conversational AI system that interacts directly with people must disclose that the interaction involves AI. The obligation falls on the deployer — the organisation operating the system in a professional context. The exception is narrow: where it is obvious from context that the person is interacting with an AI (e.g., a clearly branded, clearly synthetic interface that no reasonable person would mistake for a human). Don't rely on this exception without legal advice.
Article 50(2) — AI system generating synthetic audio, images, video, or text. Providers of AI systems that produce synthetic content must ensure outputs carry a machine-readable mark identifying them as AI-generated. This is a technical obligation, not just a visible label. Deployers who publish AI-generated content must also ensure a human-readable disclosure accompanies it. Exception: AI-generated text that has been substantively reviewed and published under the editorial responsibility of a natural person.
Article 50(3) — AI system performing emotion recognition or biometric categorisation. Deployers of systems that identify or infer emotions, engagement states, or sensitive biometric categories (race, religion, sexual orientation) must inform the exposed persons. Before you reach this duty, however, check whether your use case is lawful at all. Emotion recognition in the workplace and in educational institutions is prohibited under Article 5(1)(f). Biometric categorisation using sensitive attributes is prohibited under Article 5(1)(g). No disclosure notice cures a prohibition.
Article 50(4) — Deepfakes and AI-generated text on matters of public interest. Anyone generating or disseminating deepfake content — AI-generated or manipulated images, audio, or video depicting real persons, places, or events — must disclose that the content has been artificially created. Operators of online platforms that generate AI text on public-interest topics have the same obligation unless a human reviewer takes editorial responsibility for the published text.
Article 50(5) — Timing and accessibility. Every Article 50 disclosure must be made at the latest at the moment of first interaction or first exposure. It must be clear and accessible to the persons concerned. This is not a separate duty — it governs how all the above obligations must be discharged.
Article 50(6) — Without-prejudice clause. Article 50 does not displace the GDPR, sector-specific transparency obligations, or GDPR Article 22 (solely automated decisions with legal effects on individuals). Where both apply, you need both disclosures.
Article 13 — Instructions for Use to Deployers
Article 13 applies only if you are a provider of a high-risk AI system — that is, a system that falls within Annex III (stand-alone high-risk systems) or Article 6(1) (AI systems as safety components of regulated products under Annex I). The application date for stand-alone Annex III systems is 2 December 2027 under the Digital Omnibus agreed in May 2026 (the original 2 August 2026 date is now deferred). For Annex I product-embedded systems, the date is 2 August 2028.
Article 13 is not a public-facing disclosure. It is documentation that a provider must supply to the deployer, in written or electronic form, before the deployer puts the system to use. Its purpose is to give the deployer everything it needs to fulfil its own Article 26 obligations — particularly the obligation to implement human oversight. Article 13(3) sets out what the instructions must contain: the identity and contact details of the provider; a description of the system's capabilities, level of accuracy, and performance across population groups; the characteristics, capabilities, and limitations of the data the system requires; and the recommended human oversight measures and technical means of human override.
The distinction from Article 50 is direct: Article 50 = disclosure to natural persons and affected persons (the end users, customers, employees, or subjects of an AI system). Article 13 = documentation to professional deployers who need to understand what they are running so they can run it responsibly.
Step 2: Map Each Duty to Who Owes It and Where
Run each AI system in your portfolio against the table below. Assign the obligation to the right actor before drafting anything.
| Transparency duty | Applies when | Who owes it |
|---|---|---|
| Art 50(1): chatbot disclosure | System interacts directly with natural persons | Deployer |
| Art 50(2): synthetic-content marking (machine-readable) | System generates synthetic audio, image, video, or text | Provider |
| Art 50(2): synthetic-content disclosure (visible/human-readable) | Deployer publishes AI-generated content | Deployer |
| Art 50(3): emotion/biometric notice | System identifies or infers emotions or sensitive biometric categories | Deployer |
| Art 50(4): deepfake disclosure | AI-generated or manipulated content depicting real persons or events | Person generating/disseminating; platform operator for public-interest AI text |
| Art 13: instructions for use | System is high-risk (Annex III or Art 6(1)); provider places it on the market | Provider |
For most organisations deploying third-party AI products, the primary obligations are Art 50(1) (chatbot) and, where applicable, Art 50(3) (emotion/biometric). Providers of AI systems additionally owe the Art 50(2) technical marking obligation and, for high-risk systems, the Art 13 instructions.
One common role-confusion: a company that builds a product on top of an API (Azure OpenAI, an open-source model, a third-party foundation model) and ships it under its own name becomes the provider of that system under Article 25. The Art 50(2) machine-readable marking obligation and — for high-risk uses — the Art 13 instructions obligation both land on that company, not on the underlying model vendor.
Step 3: Draft the Notice Content
Article 50 Notices — What They Must Contain
There is no prescribed template in the Act, but Article 50(5)'s "clear manner" standard sets a floor. A notice must enable the person to understand, before engaging, that they are dealing with an AI system, what it is doing, and what that means for them.
For chatbot disclosures (Art 50(1)), the notice needs at minimum: a statement that this is an AI, not a human; what the system does; and how to reach a human if needed. In regulated sectors (healthcare, financial advice, legal) or where users may be vulnerable, add a sector-specific disclaimer.
For emotion-recognition or biometric-categorisation disclosures (Art 50(3)), the notice must specify what is being detected (vocal tone, facial expressions, gait, etc.); for what purpose; what happens with the output; and how the person can exercise their rights. "This area uses AI" is not adequate. The notice must be specific enough for the person to understand what is happening to them.
For synthetic-content disclosures (Art 50(2) and Art 50(4)), the label must identify the content as AI-generated or AI-manipulated, and for deepfakes, must make clear that the depicted events or persons are not real.
For Article 13 instructions, the structural requirements are in Article 13(3). A usable instructions-for-use document should cover: system identity and provider contact; intended purpose (defined precisely under Article 3(12)); performance metrics, including disaggregated results by population group; input data requirements and known limitations; human oversight arrangements and override mechanisms; change notification procedures; and serious-incident reporting contacts.
Do not use the Article 13 instructions as a marketing document. The law requires you to disclose known limitations and performance disparities. Omitting those creates provider liability. A deployer who cannot implement meaningful oversight because the provider withheld key limitations has a contract claim — and the provider has a compliance problem.
Step 4: Placement and Timing
Article 50(5) — The Timing Rule
Every Article 50 disclosure must appear at the latest at the moment of first interaction or first exposure. This is not negotiable. A disclosure buried in a privacy policy does not comply. A footer link does not comply. A disclosure that triggers only after the user has sent their first message does not comply — they have already interacted.
In practice:
- Chatbots: a system message at session open, or a persistent UI label, displayed before the user's first input. The label must be legible and remain visible — not a banner that disappears after two seconds.
- Synthetic content: the disclosure label must accompany the content, not appear separately on a linked page. For images, a caption or overlay. For audio and video, a pre-play notice or persistent label.
- Emotion-recognition systems: a physical notice at the point of entry to the space, a screen notice before the session begins, or a direct notification delivered before the analysis starts. On-premises systems in retail or event environments should post the notice at the door.
- Deepfakes and AI text: the disclosure must be integrated into the content presentation — headline, caption, or an immediately visible note — not tucked away in a site-wide disclosure page.
The "clear and accessible" requirement in Article 50(5) is a substance test, not just a placement test. A technically present disclosure in 8-point grey text that a typical user would not notice fails the standard.
Article 13 — Timing for Providers
Providers must supply Article 13 instructions before the high-risk system is placed on the market or put into service. For deployers, this means the instructions must arrive before deployment begins — not after. Build the receipt of Article 13 instructions into your procurement process as a condition for go-live. If a provider cannot supply compliant instructions, that is a red flag, not a minor paperwork issue.
Step 5: Keep Notices Current and Evidence Them
Maintenance
Article 50 notices need to stay current with what your systems actually do. If you retrain a model, expand its scope, change the data it processes, or alter how it interacts with users, review whether the existing disclosure still accurately describes the system. A notice that was true at launch but is no longer accurate after a system update is a liability.
For Article 13 instructions, providers must update and re-issue the instructions whenever a change affects capabilities, accuracy, known limitations, or oversight requirements. Article 16 — the general provider obligations — imposes a continuing obligation to keep documentation accurate. Deployers who received instructions for version 1.0 must be notified of material changes in version 1.1.
Evidence
Keep a record that you have your notices in place. For Article 50, this means documentation of: the notice text and version; where and how it is displayed; the date it was implemented and any subsequent changes; and, for any claimed exceptions (the "obvious from context" exception for chatbots; the "editorial review" exception for AI text), a written record of the basis for the exception.
For Article 13, maintain: a copy of the instructions as issued; evidence of delivery to each deployer; and the version history. Article 16 providers may be required to demonstrate to a market surveillance authority that they supplied adequate instructions.
How Confir Helps
Confir flags Article 50 and Article 13 transparency triggers as part of each AI system's assessment. The rule-based classification engine — deterministic, not AI-generated — applies the Article 50 criteria directly to the intake answers: does the system interact with natural persons? does it generate synthetic content? does it perform emotion or biometric analysis? For each trigger identified, Confir surfaces the specific obligation, the responsible party (provider or deployer), and the relevant system attributes needed to draft the notice.
For high-risk systems, Confir's AITO module (Transparency and Human Oversight, covering Articles 13, 14, 27, and 50) tracks the Article 13 instructions requirements alongside the Article 14 human-oversight arrangements — both are needed before deployment. The classification is rule-based and reproducible: the same system description produces the same obligation mapping every time.
Start your assessment at confir.eu →
Frequently Asked Questions
What is the difference between Article 50 and Article 13 under the EU AI Act?
Article 50 requires transparency disclosures to end users and affected persons — the people who interact with or are subject to an AI system. Article 13 requires providers of high-risk AI systems to supply written instructions for use to the professional deployers who will operate those systems. Article 50 applies from 2 August 2026 and covers all limited-risk scenarios regardless of whether a system is high-risk. Article 13 applies only to high-risk systems and does not involve end users.
Does a company using a third-party chatbot need to issue its own Article 50(1) notice?
Yes. Article 50(1) places the chatbot disclosure obligation on the deployer — the organisation operating the chatbot in a professional context. The provider of the underlying technology is not responsible for delivering the end-user disclosure; the organisation running it in front of users is. Review the terms of your chatbot provider contract to ensure the technical capability to display a disclosure notice is available.
We operate both a chatbot and an emotion-recognition system in our customer service centre. Do we need separate notices?
Yes, in the sense that each duty has its own timing and content requirement. Article 50(1) requires a disclosure when the chatbot interaction begins. Article 50(3) requires a separate notice about the emotion analysis, before or at the moment the person is exposed to it. In practice, you may be able to present both in a single screen at session open, provided each element is clearly explained and the notice meets the "clear and accessible" standard of Article 50(5).
Can we rely on our GDPR privacy notice to satisfy Article 50?
Only partially. Article 50(6) confirms that the Act does not override the GDPR — both sets of obligations apply where relevant. Your GDPR privacy notice may contain much of the factual substance needed, but it cannot satisfy the timing requirement in Article 50(5). A privacy policy linked from a website footer, available to the user before or after the interaction but not delivered at the moment of first interaction, does not meet the Article 50 standard. You need a disclosure at the interaction point, cross-referencing the fuller privacy notice for detail.
What does "machine-readable marking" mean in practice for AI-generated images?
The Act requires outputs of AI systems that generate synthetic content to be marked in a machine-readable format. The most widely adopted standard as of mid-2026 is C2PA (Coalition for Content Provenance and Authenticity) content credentials — a cryptographic manifest attached to the image file declaring its AI origin. Metadata tagging (e.g., IPTC DigitalSourceType fields) is another approach, though these tags are more easily stripped. A visible human-readable label is required in addition to the machine-readable layer, not instead of it.
When does the Article 13 instructions-for-use obligation apply?
Article 13 applies to providers of high-risk AI systems. For stand-alone high-risk systems on the Annex III list (recruitment, credit scoring, biometrics, etc.), obligations apply from 2 December 2027 under the Digital Omnibus agreed in May 2026. For high-risk AI systems embedded as safety components in regulated products under Annex I (medical devices, machinery, vehicles), the date is 2 August 2028. The original 2 August 2026 deadline was deferred by the Digital Omnibus.
Related guides
- Article 13 transparency obligations
- EU AI Act explained simply
- Article 50 limited-risk transparency obligations
- limited risk system transparency
- Article 5 prohibited practices
- Article 5 compliance guide
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →