Transparency Obligations Taking Effect 2 August 2026
The EU AI Act is no longer a distant regulatory milestone. You may have read that some obligations were pushed to next year, but there are significant changes arriving in a few weeks. With transparency obligations under Article 50 applicable from 2 August 2026, enterprises that develop, deploy, or use AI systems interacting with or producing content for people in the EU are now firmly in scope, regardless of whether their AI is classified as "high risk."
|
Timeline
|
What Applies
|
|---|---|
|
2 February 2025
|
Prohibited AI practices banned; AI literacy obligations in force
|
|
2 August 2025
|
GPAI model obligations enforceable; GPAI fines begin
|
|
2 August 2026
|
Article 50 transparency obligations in force for all in-scope systems
|
|
2 December 2026
|
Machine-readable marking for pre-August 2026 GenAI systems
|
|
2 December 2027
|
High-risk Annex III system requirements enforceable (extended under Omnibus)
|
|
2 August 2028
|
High-risk AI embedded in regulated products enforceable
|
The EU AI Act is not something that only concerns legal teams. The legislation touches product, data, communications, procurement, and the C-suite in equal measure. Organisations that are not ready could face fines of up to €15 million or 3% of global annual turnover for transparency breaches alone. Importantly, the regulations are not only applicable to EU-based firms but any company that interacts with EU citizens.
This below checklist walks through the 5 steps every enterprise should complete before the 2 August deadline.
What 2 August 2026 Requires
Before any action can be planned, it is worth understanding what switches on at this deadline. The EU AI Act operates on a phased timeline. Prohibited AI practices and AI literacy obligations took effect in February 2025. General-purpose AI (GPAI) model obligations became applicable in August 2025. What 2 August 2026 activates is the core transparency framework under Article 50, which applies to any AI system used in 4 situations:
- AI that interacts directly with people, including chatbots, virtual assistants, automated phone systems and AI agents
- AI that generates synthetic content, meaning text, images, audio or video produced by GenAI systems
- AI used for emotion recognition or biometric categorisation, covering systems that assess sentiment, demographics or stress
- AI that creates deepfakes or AI-generated content on matters of public interest
Any enterprise with no high-risk AI use cases may still have obligations because it deploys a customer-facing chatbot or uses a GenAI tool to produce content for publication. Data from the EU AI Act Compliance Checker indicates transparency obligations affect approximately 1 in 3 organisations assessed, making this 2nd most common compliance trigger after AI literacy requirements.
With that context set, here is the readiness checklist in 5 steps.
Step 1: Build Your AI System Inventory
You cannot govern what you cannot see. The starting point for any AI Act compliance programme is a complete, structured inventory of all AI systems in use across the organisation. This means not only main platforms, but also embedded tools, third-party integrations and point solutions used across departments.
What to capture for each system:
- System name, vendor and version
- Functional description and intended use
- Where it is deployed and who interacts with it
- Whether it generates outputs (text, images, audio, video) consumed by humans
- Whether it interacts directly with users in a conversational or decision-facing way
- Whether it processes biometric or emotional data
- Whether its outputs are published externally or inform public-interest communications
This inventory is the foundation for every subsequent step. Without it, risk classification is guesswork and gap analysis is impossible.
Practical tip: Involve IT, procurement, legal, HR, marketing and operations in this exercise. AI systems frequently enter organisations through individual teams without central visibility. Subscription SaaS tools, browser extensions and embedded features in enterprise software all count.
Step 2: Classify Each System Against Article 50
Once the inventory is in place, the next step is mapping each system to Article 50's disclosure scenarios. The key question for each system is not whether it is high-risk, but whether it falls within 1 of the 4 situations below.
Situation 1: Direct Human Interaction
Does the system engage in dialogue with users, customers or employees? Chatbots, virtual assistants, AI agents and automated response systems are all in scope. AI agents fall within this situation even when the interaction is indirect or unpredictable. Systems should be designed to disclose their AI nature whenever human interaction is possible.
Situation 2: Synthetic Content Generation
Does the system generate audio, images, video or text that will be used or published? This covers GenAI tools producing marketing copy, reports, summaries, visuals or audio. The exception applies only where the AI performs a purely assistive function (such as grammar correction) that does not substantially alter the meaning of the input.
Situation 3: Emotion Recognition or Biometric Categorisation
Does the system assess emotions, demographic characteristics or stress levels of individuals? This obligation applies to deployers and is distinct from the already-enforced prohibition on emotion recognition in workplaces. Disclosure is required when these systems are used.
Situation 4: Deepfakes and AI-Generated Public Interest Content
Does the system produce image, audio or video content depicting real people, objects or events in a way that could appear authentic? Or does it generate text published to inform the public on matters of public interest? Both carry disclosure obligations on the deployer.
The output of this step should be a clear classification: each system tagged as in-scope for Article 50 (with the specific situation noted), out-of-scope, or requiring further assessment.
Step 3: Design and Implement Your Disclosure Mechanisms
Classification from step 2 should be reflected in design. For each in-scope system, enterprises must implement the appropriate disclosure mechanism.
For Systems Interacting with People (Article 50.1)
Providers must build systems so that users are informed at or before first interaction that they are engaging with AI. This disclosure must be clear and accessible, not buried in terms of service. The "obvious AI" exception exists but should not be over-relied upon.
For Generative AI Systems (Article 50.2)
Providers must ensure that AI-generated outputs are marked in a machine-readable format and are detectable as AI-generated. Enterprises providing or deploying GenAI tools should monitor these standards closely.
For Emotion Recognition and Biometric Categorisation (Article 50.3)
Deployers must inform individuals exposed to these systems in a clear and distinguishable way, prior to or at the point of processing. This requirement should be integrated into the UX design of the relevant workflow and must comply with GDPR obligations in parallel.
For Deepfakes and Public Interest AI-Generated Text (Article 50.4)
Deployers must label content as AI-generated in a clear, visible and distinguishable manner. For AI-generated text published to inform the public, the requirement is waived only where the content has been subject to genuine human editorial review and the publisher takes editorial responsibility. Organisations publishing AI-assisted content should review their editorial processes carefully to determine whether this exemption genuinely applies to them.
Step 4: Assess and Train Your People
The EU AI Act does not treat compliance as solely a technical or legal function. AI literacy obligations (already in force since February 2025) require organisations to ensure sufficient AI understanding among staff who work with or make decisions about AI systems. This extends to external staff and contractors.
For Article 50 compliance specifically, the following training priorities apply.
Awareness Training for All Staff
Employees should understand what AI systems the organisation uses, which fall within Article 50 scope, and what disclosure obligations apply. This is particularly important for teams in communications, product, marketing, and customer service who regularly use or publish AI-generated outputs.
Operational Training for Deployers
Staff who deploy or operate in-scope systems, whether customer-facing chatbots, GenAI content tools or analytical systems, need hands-on training on disclosure mechanisms and on what to do when a system behaves unexpectedly.
Governance Training for Decision-Makers
Leaders, product owners and procurement teams need to understand how AI Act obligations flow through vendor relationships, what to require in contracts, what due diligence to perform, and how to escalate potential compliance risks.
Documentation of Training
Regulators will expect evidence of AI literacy programmes. Training records, completion rates and the content of training materials should be documented and retained.
Step 5: Review Vendor Contracts
A significant share of enterprise AI exposure sits not in internally built systems but in third-party tools and platforms. The EU AI Act allocates obligations between providers (those who build and place AI on the market) and deployers (those who use it professionally).
Vendor Due Diligence Checklist
- Does the vendor's system fall within Article 50 scope?
- Has the vendor implemented the required disclosure and marking mechanisms?
- Does the vendor's documentation confirm Article 50 compliance?
- Are there contractual commitments around compliance, notification of regulatory changes and audit rights?
Establishing Ongoing Oversight
Article 50 compliance is not a one-time exercise. Enterprises should build governance structures that can monitor the AI landscape as it evolves. This means designating clear ownership across the organisation: who is responsible for maintaining the AI inventory, monitoring for new in-scope systems, managing vendor compliance and responding to regulatory inquiries? For many enterprises, this will sit within a cross-functional AI governance function spanning legal, IT, compliance and operations. After 2 August 2026, regulators will expect organisations to cooperate with supervisory authorities, report incidents promptly and update processes as guidance evolves.
Where Most Organisations Are Falling Short
Several patterns of risk emerge from the current state of the industry:
- Assuming high-risk is the only threshold that matters. Many enterprises have concentrated compliance energy on high-risk classification, overlooking that Article 50 applies to a far broader set of AI uses. If your organisation interacts with people or publishes AI-generated content, you are almost certainly in scope.
- Incomplete inventories. Most organisations underestimate the breadth of AI in use. Shadow AI, meaning tools adopted by individual teams without central procurement, creates compliance blind spots that are difficult to detect until an incident forces the issue.
- Over-relying on vendors. Deployers cannot simply assume that because a vendor built the AI, all compliance obligations rest with that vendor. Deployer-specific obligations around labelling deepfakes and AI-generated public interest content rest with the organisation publishing or using the content.
- Treating disclosure as a legal footnote. Effective disclosure under Article 50 must be designed into the UX, not appended as fine print. Regulators will assess whether disclosure is genuinely informative, not merely present.
What This Means in Practice
August is only weeks away. For enterprises that use conversational AI, deploy GenAI tools or publish AI-assisted content, meaning most large organisations operating today, Article 50 creates real, enforceable obligations that require operational action, not just legal awareness.
This is the kind of challenge that requires the ability to map AI systems across complex enterprise environments, translate legal requirements into operational processes, and build governance frameworks that hold up under scrutiny. At Evalueserve, we work with organisations navigating this intersection of domain expertise, data governance and regulatory change. Whether the task is building the AI inventory, structuring a vendor due diligence programme or designing the governance model that sustains compliance beyond a single deadline, our teams bring the analytical rigor and domain depth that these programmes require.
The checklist above is a practical starting point. But the organisations best positioned for 2 August 2026 are those that have treated compliance not as a one-time sprint but as a governance capability, with clear ownership, documented processes and the cross-functional alignment to sustain it as the regulatory landscape continues to evolve.
The EU AI Act is not going away. The organisations that build compliance infrastructure now will be better positioned not just for 2 August 2026, but for the additional deadlines arriving through 2027 and 2028.
This blog is intended as a general informational guide and does not constitute legal advice. Enterprises should consult qualified legal counsel to assess their specific compliance obligations under the EU AI Act.
Talk to One of Our Experts
Get in touch today to find out about how Evalueserve can help you improve your processes, making you better, faster and more efficient.


