Your chatbot went live in March. Your deepfake ad went live last quarter. And on 2 August 2026 27 days from when I wrote this the four transparency clauses in EU AI Act Article 50 stop being theoretical and start being enforceable. Fines for Article 50 violations land at the lower tier of the EU’s AI penalty regime: up to €15 million, or 3% of total worldwide annual turnover, whichever is higher, under Article 99(4)(g).
Most marketing teams I talk to think Article 50 is a “providers” problem. It isn’t.
The European Commission’s plain-language explainer is blunt: the transparency obligations “apply to any AI system used in the four situations the Article covers” including a chatbot you bought from a vendor, a script that auto-generates social copy, and a deepfake clip your agency produced for a campaign. If a natural person in the EU interacts with it or sees its output, Article 50 reaches it.
That’s the part nobody’s pricing into the Q3 forecast.
Why “after August” is not a real plan
The clock is louder than it looks. On 2 August 2026, Article 50 obligations apply that’s law, not guidance. On the same day, market surveillance authorities in 27 member states wake up with new investigative powers and a brand-new Code of Practice (published 10 June 2026, PDF and signing form live now) that lays out exactly what “compliant” looks like.
And here’s the panic button: the May 2026 AI Omnibus political agreement gave generative AI systems already on the market before 2 August an extra four months until 2 December 2026 only for the machine-readable marking requirement in Article 50(2). The other three obligations start on schedule. ([Source: FLI Practical Guide to Article 50, 14 May 2026.])
So if your stack is shipping AI content today, you’re not getting a grace period on chatbot disclosure, deepfake labelling, or the AI-text-on-public-interest rule. You’re getting one on the watermark.
What Article 50 actually requires (the four situations, no fluff)
The full text on EUR-Lex and the FLI-mirrored Article 50 page read like a regulation. Strip it down and there are exactly four obligations:
1. You must tell people they’re talking to an AI. Article 50(1). This hits every customer-facing chatbot, voice agent, and AI agent you deploy. The “obviously AI” carve-out is narrow the draft Commission Guidelines require a two-step test on the target audience before you can rely on it.
2. You must mark synthetic outputs in a machine-readable format. Article 50(2). This is the one with the December extension. Audio, image, video, and text generated by AI (including general-purpose AI systems) need both a watermark and metadata so detection tools can verify provenance. The EU’s free icon set Basic, Fully AI-Generated, Partially AI-Modified shipped 10 June 2026.
3. You must disclose emotion recognition and biometric categorisation at the point of exposure. Article 50(3). Notice the difference from Article 5: emotion recognition in workplaces and education is banned outright since 2 February 2025. Outside those settings, Article 50(3) just requires signage.
4. You must label deepfakes and AI-generated public-interest text. Article 50(4). Persistent visual labels for video, audible warnings for audio, visible labels for images, and disclosure for AI-written text that’s published “with the purpose of informing the public on matters of public interest.” There’s a narrow human-review-and-editorial-responsibility carve-out but only if the review is substantive. ([Per the FLI Practical Guide and Code of Practice Section 2.])
That’s it. Four situations. But each one touches a different team product, legal, content, and the vendor you bought the model from.
The thesis: Article 50 is mostly a logging problem, not a rewrite problem
I keep watching teams spend six figures rebuilding model stacks they didn’t need to touch. The disclosure surface is upstream of the model, not inside it. The metadata is added by the API client or the CMS, not by retraining.
The OECD AI Principles have been telling us since 2019 that transparency is a governance obligation, not an engineering one. NIST’s AI Risk Management Framework, now in active revision with a Generative AI Profile (NIST AI 600-1) released in July 2024, makes the same call: transparency is a Govern function, not a Measure or Manage function. You’re not re-training anything. You’re logging, labelling, and surfacing.
That’s why 14 days is enough.
The 14-day checklist (steal this, ignore the rest)
Days 1–2 Map every AI surface. Open a shared spreadsheet. List every AI system that touches an EU user. Chatbots. AI email subject lines. Auto-generated ad creative. AI voiceovers. Influencer deepfakes you commissioned. The AI that writes your investor-update summaries. Be brutal: if a regulator asked tomorrow “where does AI appear in your stack,” you should be able to answer in 90 seconds. (FLI’s SME Guide and the Compliance Checker dataset where ~33% of respondents flagged transparency as their top trigger are good reference templates.)
Days 3–4 Inventory obligations per surface. Each row gets a tag: 50(1) chatbot, 50(2) generator, 50(3) emotion/biometric, 50(4) deepfake or public-interest text. Most marketing stacks will land 70% in 50(1) and 50(2). Press releases, financial commentary, and policy blog posts can trigger 50(4) text even when a human edited the draft. If you’re not sure whether your AI-assisted content counts as “informing the public on matters of public interest,” assume it does.
Day 5 Vendor paper-trail day. Pull contracts with OpenAI, Anthropic, Google, Mistral, Midjourney, ElevenLabs, Synthesia, HeyGen, Runway, Jasper, and every “AI-powered” SaaS in your MarTech graph. You’re looking for one clause: who owns the marking and labelling obligation for AI outputs? The Code of Practice is explicit if you deploy, you may be on the hook regardless of what your vendor promised. ([Code of Practice Section 2, European Commission.])
Days 6–8 Implement the disclosure UI. For chatbots: a persistent banner above the first message that says “You’re chatting with an AI.” For voice agents: a spoken disclosure in the first 15 seconds. For AI agents that may interact unpredictably: design to disclose in every interaction, per the draft Guidelines’ treatment of AI agents under 50(1). Footer links and buried T&Cs don’t qualify.
Days 9–11 Wire up the labelling pipeline. This is the heaviest lift. For images: embed C2PA provenance metadata at export. For video: a persistent on-screen label and a watermark. For audio: an audible disclosure at the start. For text: a visible label or an editorial-responsibility byline that names a real human. Download the EU’s icon set (SVG and PNG, free, no attribution required) and standardise on the three variants. If you’re a provider (you ship the model), add a machine-readable mark at the API layer this is your Article 50(2) obligation.
Days 12–13 Build the audit log. One immutable record, per disclosure, with: timestamp, surface, content hash, label version, and review status. This is what you’ll hand a market surveillance authority in 72 hours if they ask. It’s also what lets you prove the human-review-and-editorial-responsibility carve-out for 50(4) text.
Day 14 Sign the Code of Practice, file the AI Pact pledge, brief the C-suite. The Code is voluntary, but signatories get a presumption of compliance. If you’re a provider or a deployer of generative AI, signing takes an afternoon and removes a meaningful slice of enforcement risk. The AI Pact is the Commission’s voluntary early-mover programme public, reputation-positive, and useful when the press calls.
What “without rewriting your stack” actually means
You don’t need a new CDP. You don’t need a new LLM. You need three things bolted on:
1. A disclosure layer. A single component that prepends the right notice to the right surface. In practice this is a middleware flag in your CMS or conversation platform not a new product category. Most teams wire it up in a sprint.
2. A provenance and labelling library. C2PA for images (already supported by Adobe, Microsoft, OpenAI, Google, and Leica per the Coalition for Content Provenance and Authenticity), C2PA-style manifests for text and audio, plus the EU icons as the user-visible surface. If you ship the model, you add this to your inference endpoint.
3. An audit log. A write-only store append-only S3, a tamper-evident database, even a well-structured spreadsheet with version history. It’s unglamorous. It’s the only thing that saves you in an investigation.
Everything else risk-tier classification, AI literacy training under Article 4 (already in force since February 2025), high-risk conformity assessments is downstream and can wait. Article 50 is the front door. The 14 days is the front door.
The stance worth taking in front of your CEO
Every marketing team I’ve watched try to “boil the ocean” on AI Act compliance burned the budget and missed the deadline. The teams that passed Article 50 quietly did three things: they treated the regulation as a labelling and logging project, not a model project; they treated the Code of Practice as the de-facto standard and signed it; and they got the disclosure UI in front of users before the legal team finished debating the exact wording.
The remaining 27 days are not the time for a six-month governance overhaul. They’re the time to ship a banner, wire a watermark, and write a log entry.
That’s the whole game.