AI Act transparency obligations: the EU’s draft guidelines and the UK’s sector duties
In short: AI Act transparency obligations apply from 2 August 2026 under Article 50 of Regulation (EU) 2024/1689. The European Commission published draft guidelines on 8 May 2026 explaining who must disclose chatbots, mark synthetic content and label deep fakes. Penalties reach €15 million or 3% of worldwide turnover. UK businesses serving EU users are in scope.
The AI Act transparency obligations ask one thing of any business putting AI in front of people in the EU: say so. A chatbot has to identify itself as a machine. Synthetic audio, images, video and text have to be marked as artificially generated. Deep fakes and AI-written news content have to be labelled. The duties apply from 2 August 2026, and they reach businesses wherever they are established, so a UK provider or deployer serving EU users is caught.
The European Commission published draft guidelines on the AI Act transparency obligations on 8 May 2026, the first Commission instrument to interpret Article 50 of Regulation (EU) 2024/1689 across its full scope. A targeted consultation closed on 3 June 2026. The UK has no equivalent statute, but Ofcom, the ICO and the FCA each apply existing sector duties to the same conduct, and that contrast is the practical point for UK boards.
The four AI Act transparency obligations under Article 50
Article 50 imposes four duties. Providers of AI systems that interact directly with people must design them so the people concerned know they are dealing with AI (Article 50(1)). Providers of generative AI systems must ensure outputs are marked in a machine-readable format and detectable as artificially generated (Article 50(2)). Deployers of emotion recognition or biometric categorisation systems must inform the people exposed to them (Article 50(3)). Deployers must disclose deep fakes, and AI-generated or manipulated text published to inform the public on matters of public interest (Article 50(4)).
Article 50(5) sets the horizontal standard: the information must be clear and distinguishable, and given at the latest at the first interaction or exposure. The four duties can apply cumulatively to a single system, and different actors in the same chain can hold different duties at the same time. Breach can attract fines of up to €15 million or, for an undertaking, up to 3% of total worldwide annual turnover for the preceding financial year, whichever is higher.
What the draft guidelines clarify
The draft guidelines are non-binding, issued under Article 96(1)(d) of the Act, and open the first Commission reading of every element of Article 50. On role allocation, the deployer is the legal person under whose authority the system is used, not the individual employee operating it, and actors that merely disseminate AI-generated content created by third parties, including online platforms, are not deployers at all. On disclosure quality, a statement buried in terms and conditions, a metadata watermark on its own, or a vague reference to an “assistant” does not satisfy the chatbot disclosure duty in Article 50(1); the information has to be perceivable in the interaction itself. The exceptions are narrow. The draft guidelines test the “obvious interaction” carve-out in Article 50(1) against a reasonably well-informed, observant and circumspect person drawn from the actual audience, with a lower threshold where children, elderly people or persons with disabilities are part of it. Deep fakes that are evidently artistic, creative, satirical or fictional attract an attenuated disclosure duty rather than an exemption, and AI-assisted text escapes labelling only where it has undergone human review or editorial control and a person holds editorial responsibility for the publication. Timing relief is in prospect but not law: the draft guidelines record that the AI Omnibus proposal now before the EU co-legislators would give providers of generative AI systems already on the market a transitional period for the Article 50(2) marking duty.
AI Act transparency obligations for UK businesses
The Act applies to providers placing AI systems on the EU market wherever they are established, and to providers and deployers in third countries where the output of the system is used in the EU. The draft guidelines give worked examples: a third-country provider of a generative AI system is subject to the marking duty where the system’s outputs are intended for use in the EU, and a third-country advertiser using an AI-generated deep fake of a celebrity in an advertisement displayed in the EU is a deployer within scope. For a UK business the mapping is direct: a customer-service chatbot serving EU customers engages Article 50(1), and a marketing function generating synthetic content for EU campaigns engages Article 50(2) and, where existing people are depicted, the deep fake labelling duty in Article 50(4).
The Commission prepared the draft guidelines alongside the Code of Practice on marking and labelling of AI-generated content, publishing the second draft on 3 March 2026 with the final version expected around mid-2026. Adhering to a code the AI Office assesses as adequate is, in the Commission’s words, a straightforward way of demonstrating compliance with Article 50(2) and (4); non-signatories can expect more information requests and will need to explain their alternative measures, for instance through a gap analysis against the code. The AI and data governance advice page sets out the standard scope for an instruction on this work.
The UK answer: sector duties for telecoms, data and payments
The UK has no equivalent of the AI Act transparency obligations and no horizontal labelling duty; four UK regulators are building AI consumer protection through existing powers. For data controllers, Article 13 UK GDPR and Article 14 require transparency wherever personal data is processed, the automated decision-making regime in Articles 22A to 22D inserted by the Data (Use and Access) Act 2025 governs significant automated decisions (our analysis of the ICO’s draft guidance sets out the safeguards), and the ICO’s safe AI innovation plan maps the regulator’s 2026 programme. For telecoms operators, AI deployed in networks sits inside the security duty in section 105A of the Communications Act 2003, and Ofcom’s AI strategy for 2026/27 confirms there is no AI licence and no AI approval, only continuing duties on how the technology is used. Online services face duties for illegal synthetic content under the Online Safety Act 2023. For payments firms, the FCA pairs no new AI rules with supervised engagement: the Consumer Duty and the SM&CR govern AI in UK financial services.
| Question | EU position from 2 August 2026 | UK position |
|---|---|---|
| Chatbot disclosure | Providers must design interactive AI systems so people know they are dealing with AI (Article 50(1)) | No single duty; UK GDPR Articles 13 and 14 transparency applies where personal data is processed |
| Marking AI-generated content | Providers must mark synthetic audio, image, video and text outputs in machine-readable form (Article 50(2)) | No equivalent marking duty; Online Safety Act 2023 duties address illegal synthetic content on user-to-user services |
| Deep fake labelling | Deployers must disclose artificially generated or manipulated content (Article 50(4)) | No general labelling duty; data protection, intellectual property and online safety law catch specific harms |
| Who enforces | Member State market surveillance authorities, the AI Office and the EDPS | Ofcom, the ICO and the FCA within existing sector remits |
| Maximum penalties | €15 million or 3% of total worldwide annual turnover | UK GDPR: £17.5 million or 4% of turnover; Online Safety Act 2023: £18 million or 10% of qualifying worldwide revenue |
Viewpoint
I read the role-allocation sections as the most useful part of the draft: they put the deployer duty on the contracting party, not the operator, and that is where compliance work starts. The hard work under the AI Act transparency obligations is deciding who is the provider and who is the deployer at each link in the supply chain, not the labelling technology. Contracts signed before 2 August 2026 need to say which party holds each duty, alongside the data protection impact assessment and transparency work the UK regime already requires. Article 50 and UK GDPR are independent obligations; satisfying one does not discharge the other, and a UK business serving EU users has to clear both bars. In our experience advising on data protection for AI-enabled products, the duplication cost sits with businesses that run the EU and UK regimes as separate workstreams; the UK divergence sits in the statutory hook, not in the underlying analysis, so one AI governance programme can serve both. The Commission expects to finalise the guidelines and the parallel code of practice before the rules take effect in August 2026, and if the AI Omnibus proposal recorded in the draft guidelines advances, the marking duty for generative systems already on the market will arrive more gently than the current text of Article 50(2) implies.
Frequently asked questions
When do the AI Act transparency obligations apply?
The AI Act transparency obligations apply from 2 August 2026, under Article 113 of Regulation (EU) 2024/1689. The duties apply to all in-scope AI systems placed on the market or put into service in the EU, regardless of when they were placed on the market. Content generated and made available before that date does not need retrospective labelling.
Do the EU AI Act transparency rules apply to UK companies?
Yes, where they touch the EU market. Providers established outside the EU are in scope where they place AI systems on the EU market or where the system’s output is used in the EU. Deployers established outside the EU are in scope where the output is used in the EU. A UK chatbot serving EU customers, or UK-made synthetic content shown to EU users, is caught.
Are the draft guidelines binding?
No. The Commission issued the draft under Article 96(1)(d) of the Act as practical guidance for competent authorities, providers and deployers, and it remains consultation text. Only the Court of Justice of the European Union can give an authoritative interpretation of the Act. The consultation closed on 3 June 2026; no final version had been adopted as at 12 June 2026.
What are the penalties for breaching Article 50 of the AI Act?
Fines of up to €15 million or, where the offender is an undertaking, up to 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. EU institutions face fines of up to €750,000. Adherence to an adequate code of practice can be taken into account as a mitigating factor when fines are set.
For advice on the AI Act transparency obligations, data protection for AI-enabled products, or the duties on AI across UK telecoms, data and payments regulation, contact Rob Bratby at Bratby Law.
