Last updated: 15 July 2026

From 2 August 2026, Article 50 of the EU AI Act requires specific transparency measures for certain AI systems and content. For UK businesses, the practical challenge is not simply adding an “AI-generated” badge. The regulation assigns different duties to a system provider and a professional deployer, and it distinguishes a human-facing disclosure from a machine-readable provenance mark.

A UK software company selling an AI content tool into the EU may be a provider. A UK publisher using a third-party model to make a deepfake for an EU audience may be a deployer. One organisation can occupy both roles for different systems or even the same service. Start with role and scope; choose the label only after that analysis.

Article 50 is broader than generative text.

It also covers direct interaction with AI, provider-side marking of synthetic audio, images and video, notices for emotion-recognition and biometric-categorisation systems, and deployer disclosure of deepfakes. A content-team-only project will miss systems owned by product, HR, customer service and security.

What Changes on 2 August 2026

Article 50(1) to (5) becomes applicable on 2 August 2026. The final Code of Practice on Transparency of AI-Generated Content was published on 10 June. On 8 and 9 July, the Commission and AI Board concluded that the code adequately covers the obligations in Article 50(2), (4) and (5) and facilitates implementation.

The code is voluntary; Article 50 is law. Adherence can provide a recognised route for demonstrating compliance, but the Commission’s opinion expressly says it is not conclusive evidence. An organisation that does not sign must still be able to show why its alternative measures are adequate.

Does Article 50 Apply to a UK Business?

Leaving the EU did not create a blanket exemption. Article 2 brings several cross-border situations into scope. Ask these questions for each system or use case:

  1. Are we placing an AI system or general-purpose AI model on the EU market? A provider can be in the UK or any other third country and still be in scope.
  2. Do we have an EU-established or EU-located entity deploying the system? That deployer is within territorial scope.
  3. Is output produced by our UK-based provider or deployer used in the EU? Article 2 expressly covers third-country providers and deployers in that situation.
  4. Is this activity excluded? The regulation contains exclusions and exceptions, including specified military, defence, national-security and pre-market research contexts. Do not assume an exclusion without recording its basis.

Record the result at system-and-use-case level. “We are a UK company” and “our vendor is compliant” are not scope assessments.

Article 50 Obligations at a Glance

Role and use Core obligation Important boundary Practical control
Provider of an AI system that directly interacts with people Design it so people are informed they are interacting with AI No notice is required where this is obvious to a reasonably well-informed, observant and circumspect person in context Persistent interface identity and a first-interaction notice tested with users
Provider of a system generating synthetic audio, image, video or text Mark outputs in a machine-readable format and make them detectable as AI-generated or manipulated Exception to the extent the system only assists standard editing or does not substantially alter the deployer’s input or its semantics Provenance metadata, watermark or other effective, interoperable and robust technical measure, with export testing
Deployer of emotion recognition or biometric categorisation Inform exposed people that the system operates and comply with applicable data-protection law Article 50 contains a narrow law-enforcement exception; other AI Act prohibitions and high-risk rules may also matter Notice before exposure, privacy review and a documented lawful-use decision
Deployer generating or manipulating a deepfake image, audio or video Disclose that the content was artificially generated or manipulated For evidently artistic, creative, satirical, fictional or analogous works, disclosure can be made appropriately without hampering enjoyment A clear visible or audible label at first exposure, retained when content is syndicated
Deployer publishing AI-generated or manipulated text to inform the public on a matter of public interest Disclose the artificial generation or manipulation Exception where human review or editorial control occurred and a person or organisation holds editorial responsibility CMS field for AI involvement, named accountable editor, review evidence and a publication rule

Across the duties, the required information must be clear and distinguishable, supplied no later than the first interaction or exposure, and conform to applicable accessibility requirements.

What Counts as a Deepfake?

The regulation defines a deepfake as AI-generated or manipulated image, audio or video content resembling existing persons, objects, places, entities or events that would falsely appear authentic or truthful to a person. A synthetic image is not automatically a deepfake merely because AI created it; resemblance and false appearance are part of the definition.

What Is a “Matter of Public Interest”?

The legal test is contextual. News, elections, public health, public policy, safety, the environment and information capable of shaping civic decisions are obvious areas to review, but teams should not invent a closed keyword list. Create an escalation route for borderline publications and record the decision.

Use a Two-Layer Transparency Model

The cleanest implementation separates two controls that serve different audiences:

  • Machine layer: provider-side marking that software can read and detection tools can identify. Article 50 says technical measures should be effective, interoperable, robust and reliable as far as technically feasible, considering the content type, implementation costs and state of the art.
  • Human layer: clear, distinguishable and accessible disclosure to the person interacting with the system or encountering in-scope content.

A visible caption does not by itself satisfy the provider’s machine-readable marking duty. Metadata alone does not satisfy a deployer’s duty to tell a person about a deepfake. Where your organisation is both provider and deployer, it may need both layers.

Usable Disclosure Patterns

Article 50 does not mandate one sentence for every context. Short labels should say what is artificial without hiding the information in terms and conditions. For example:

  • Chat interface: “You are chatting with an AI assistant.”
  • Synthetic customer-service voice: “This is an AI-generated voice.”
  • Deepfake training video: “AI-generated video: the person and speech shown are synthetic.”
  • Public-interest text where disclosure is required: “This text was generated or materially manipulated using AI.”

The EU has published a set of icons organisations may use for AI-generated content. Treat an icon as a visual aid, not a substitute for an intelligible, accessible notice or for the separate machine-readable requirement.

A 12-Control Article 50 Checklist

  1. Inventory systems and content flows. Include purchased tools, internal models, customer chat, voice agents, marketing workflows, publishing, HR and biometric tools.
  2. Assign the legal role. Record provider, deployer or both for each use, with the reasoning.
  3. Map EU touchpoints. Capture where systems are marketed, users are located and outputs are used.
  4. Classify the Article 50 trigger. Interactive system, synthetic-content provider, emotion/biometric deployer, deepfake deployer or public-interest text publisher.
  5. Document exceptions. Record why the “obvious interaction”, standard-editing or editorial-review exception applies; do not leave the basis implicit.
  6. Test provider marking. Check that machine-readable provenance survives download, resizing, transcoding, screenshots where relevant and downstream distribution.
  7. Design first-exposure notices. Put the disclosure where the person first interacts with or encounters the system or content.
  8. Check accessibility. Test screen readers, captions, contrast, audio alternatives and translated journeys for the audiences you serve.
  9. Build an editorial-control record. Where relying on the text exception, name the accountable editor and retain what was reviewed, changed and approved.
  10. Update contracts and vendor assurance. Require providers to explain marking, export behaviour, detection support and change notifications.
  11. Train by role. Product teams need provider controls; marketers and publishers need deployer rules; procurement and legal need evidence and escalation.
  12. Monitor releases. Re-test after model, interface, CMS, media-pipeline or vendor changes and review the Commission’s final guidance when published.
The highest-value evidence is a joined-up decision trail.

For each use case, retain the scope decision, role, Article 50 trigger, chosen technical and human measures, test result, owner and review date. A screenshot of a label cannot show whether the correct duty was identified or whether machine-readable marking survives distribution.

Should a UK Organisation Sign the Code of Practice?

Providers and deployers within Article 50(2) and/or (4) can sign the relevant section. Section 1 is for providers’ marking and detection measures. Section 2 is for deployers’ labelling of deepfakes and certain text. An organisation acting in both roles can sign both sections; it cannot select individual commitments within a section.

To appear on the initial signatory list, the form must reach the AI Office by 22 July 2026 at 18:00 CEST and be signed by a senior executive with authority to bind the organisation. Eligible providers and deployers can sign after that date too.

A sensible sign-or-not decision asks:

  • Are we clearly in scope as a provider or deployer under Article 50(2) or (4)?
  • Can we meet every commitment in the relevant section, rather than only selected measures?
  • Does an EU-wide recognised framework reduce duplicated assurance across our markets?
  • Do we have an executive owner and evidence process for continued adherence?

Not signing is not itself non-compliance. It does mean the organisation should be prepared to explain and document how its alternative measures satisfy Article 50, potentially through a detailed gap analysis against the code.

Why This Needs an Operational Owner

Article 99 places non-compliance with Article 50 in a penalty tier of up to €15 million or, for an undertaking, up to 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. For SMEs, the relevant maximum is the lower of the fixed amount and percentage. Actual penalties must be proportionate and take account of factors including gravity, duration, size, cooperation and mitigation.

The useful management response is not fear-driven over-labelling. It is a controlled inventory, correct role assignment, tested provenance, accessible notices and people who know when to escalate. Pair this implementation work with Article 4 AI literacy preparation: a policy only works when the people publishing, procuring and configuring AI can apply it.

Frequently Asked Questions

Does EU AI Act Article 50 apply to UK businesses?

It can. UK providers placing systems or models on the EU market and UK providers or deployers whose AI output is used in the EU can fall within scope. EU-based deployers are also covered. Assess each system and use case rather than the company address alone.

When do the Article 50 transparency obligations apply?

Article 50(1) to (5) applies from 2 August 2026. The date covers the interactive-system, synthetic-content marking, emotion/biometric notice and deepfake or certain public-interest text disclosure duties.

Must every AI-assisted article or social post carry a label?

No. The deployer text rule is targeted at AI-generated or manipulated text intended to inform the public on matters of public interest, and includes an exception for human review or editorial control with a person or organisation holding editorial responsibility. Provider-side marking duties are separate.

Is signing the EU transparency Code of Practice mandatory?

No. The code is voluntary, while Article 50 is legally binding. Initial-list forms are due by 22 July 2026 at 18:00 CEST, and eligible organisations may sign later. Signatories still need to implement and evidence the relevant commitments.

Turn AI policy into repeatable team behaviour

TIQPlus helps organisations assign role-specific AI learning, record completion and keep implementation evidence connected to real work.

Book a demo

Sources & further reading

Share this guide