Executive Summary

On August 2, 2026, the transparency provisions of the EU AI Act (Article 50) take full effect. From that day, a chatbot has to tell users in the first exchange that it is an AI rather than a person, and AI-generated deepfakes and synthetic media have to carry a mark stating that they were "artificially generated or manipulated." This applies even when the system is not high-risk, even when your company's system falls outside that category. This article lays out who that duty reaches, when, and what it asks for, from the vantage point of Korean and US companies.

Many companies heard about the AI Omnibus deal struck in May and relaxed, assuming "the regulation has been pushed back." To be precise, only the high-risk AI obligations were extended to December 2027; chatbot disclosure and deepfake labeling still arrive on August 2. And before that, on July 22, comes the deadline to sign the Code of Practice. A company that signs is presumed to have met its transparency duties, which shifts the burden of proof onto the authorities.

One survey found that 78% of the organizations in scope have not yet begun any meaningful compliance work. Flip that number around and it also means a company that spends these six weeks well can get ahead in the procurement race for the EU market. This is a moment for a check-up, not for alarm.

Aug 2

Article 50 in full effect

Chatbot & deepfake duties, excluded from the AI Omnibus delay

Jul 22

Code of Practice signing deadline

Early-signatory list + presumption of conformity

1.5%

Transparency penalty cap

Of global turnover, or €7.5M — whichever is higher

78%

Organizations not yet compliant

A six-week window open to early movers

1

August 2: What Changes and What Stays

The EU AI Act entered into force on August 1, 2024, and its obligations were designed to switch on in phases by risk tier. Prohibited AI practices and AI literacy duties came first in February 2025, followed by the obligations for general-purpose AI (GPAI) model providers that August. August 2, 2026 is the next stage — the day the transparency provisions and the high-risk AI obligations were both due to apply.

Then, on May 7, 2026, the EU Council, Parliament, and Commission reached political agreement on a simplification package known as the "AI Omnibus." To ease the compliance burden on companies, it pushed back some of the deadlines. As that news spread, simplified into "the EU AI Act is delayed," a misunderstanding took hold. Telling apart what was postponed from what was not is where this article begins.

1.1Extended: High-Risk AI

The core of what the AI Omnibus pushed back is high-risk AI. For AI used in areas with a major impact on people's rights — hiring, credit scoring, educational assessment, and the like (Annex III) — the obligations were delayed 16 months, from August 2026 to December 2027. High-risk AI embedded in products such as medical devices and machinery (Annex I) was pushed back a year, from August 2027 to August 2028. That buys companies more time to prepare the heavy duties: explainability, recordkeeping, human oversight, and data governance.

1.2Unchanged: Transparency

Conversely, chatbot AI disclosure (Art. 50(1)), deepfake labeling (Art. 50(4)), and the notice for emotion recognition and biometric categorization (Art. 50(3)) were not part of the AI Omnibus extension. They switch on as planned on August 2. Only one duty got a partial grace period: Art. 50(2), which requires machine-readable marks on synthetic content. Systems already on the market before August 2 get four months of breathing room, until December 2, 2026. Systems newly launched after August 2 are covered from the start.

In short, the heavy obligations were postponed and the seemingly lighter ones arrived first. Yet it is precisely these "lighter-looking" transparency duties that reach almost every company using an ordinary chatbot or content-generation service. The table below shows where the line falls.

Date Obligation AI Omnibus impact
2026-07-22 Code of Practice signing deadline (18:00 CEST) New date — voluntary
2026-08-02 Chatbot AI disclosure (Art. 50(1)) No change
2026-08-02 Deepfake labeling (Art. 50(4)) No change
2026-08-02 Emotion-recognition / biometric notice (Art. 50(3)) No change
2026-12-02 Machine-readable marking of synthetic content (Art. 50(2)) 4-month grace for existing systems only
2027-12-02 High-risk AI obligations (Annex III) Extended 16 months
2028-08-02 High-risk AI obligations (Annex I products) Extended 12 months
Jul 22 CoP signing deadline Aug 2 Transparency duties active Dec 2 Synthetic marking grace ends Dec 2027 High-risk AI (Annex III) Aug 2028 High-risk AI (Annex I) On schedule Extended by AI Omnibus
▲ EU AI Act key implementation dates (Pebblous original diagram) | Source: artificialintelligenceact.eu

As of June 23, when this article was written, the AI Omnibus is at the political-agreement stage reached on May 7, 2026. Formal adoption is expected in June–July, so the package has not yet entered into force. The extended dates may shift slightly in the final text.

2

Article 50 — The Four Obligations That Reach Your Company

Article 50 splits the transparency duties — which apply regardless of an AI system's risk tier — into four branches. Providers (those who build a system and put it on the market) and deployers (those who use that system in their operations) each carry different duties. Let's work through them one item at a time to see where your own service lands.

Art. 50(1) · Provider

Conversational AI — "You Are Talking to an AI"

AI that interacts directly with people — chatbots, virtual assistants, autonomous agents — has to tell the user it is an AI the moment they first encounter it. Fine print buried in the terms of service or a footnote will not do. The disclosure has to be immediate, accessible, and clear.

There are two exceptions: cases where it is obvious to anyone that they are dealing with an AI, and systems used for law-enforcement purposes. This duty switches on as planned on August 2 and is not part of the AI Omnibus extension.

Art. 50(2) · Provider

Synthetic Content — A Machine-Readable Mark of Origin

AI-generated audio, images, video, and text have to carry a machine-readable "AI-generated" mark so they can be detected automatically. The standard the Code of Practice recommends is to use C2PA cryptographically signed metadata together with invisible watermarking such as SynthID. Either one alone struggles to meet the legal requirements of being effective, interoperable, robust, and reliable.

Assistive editing features such as grammar correction, and criminal-detection systems, are exempt. Systems already on the market get a grace period until December 2, but newly launched systems are covered from August 2.

The technical implementation of C2PA signing and watermarking, and the details of tracing data provenance, are covered in Pebblous's earlier piece on labeling AI-generated content and provenance. This article focuses on the business obligations and the timeline.

Art. 50(3) · Deployer

Emotion Recognition & Biometric Categorization — Notify the People Exposed

If you run a system that reads emotions from facial expression or voice, or that categorizes people using biometric data, you have to inform the people exposed to it. GDPR compliance comes along with it. Tools like call-center voice emotion analysis and in-store customer reaction measurement fall in here.

Law-enforcement systems are exempt. The effective date is August 2.

Art. 50(4) · Deployer

Deepfakes and Public-Interest Text — "This Was Artificially Made"

If an AI-generated or AI-manipulated image, audio, or video looks real, you have to disclose that it was "artificially generated or manipulated." The key point is that this applies even without intent to deceive and even when it does not depict a specific real person. Obvious fantasy, such as a dragon or a flying human, is out of scope, and artistic or satirical works can carry the mark in a way that does not spoil the experience.

The disclosure duty also attaches when AI-generated text on matters of public interest is published to the public. The editorial-review exception is narrower than it sounds. It holds only where there is substantive human editing and clear editorial responsibility; a spell-check pass does not earn the exemption. The effective date is August 2.

The one fact running through all four duties is that this is not "high-risk AI regulation." A single ordinary customer chatbot, a single AI image for marketing, is enough to trigger it. If a company sails past August 2 on the grounds that its AI is not high-risk, it ends up missing the very duties that do reach it.

3

"Does This Apply to Us?" — Extraterritorial Reach

The most common question is, "We don't even have an entity in the EU — why us?" The EU AI Act works like the GDPR: it looks not at where a company sits but at whether the AI system and its outputs are used inside the EU. If any one of the four conditions below applies, you are in scope.

  • You commercially launch or supply an AI system to the EU market.
  • You provide an AI service to users located in the EU.
  • The AI output is used within the EU (regardless of where the company sits).
  • You supply indirectly through a deployer or importer inside the EU.
Korean Company No EU entity US Company No EU entity Service / output reaches EU users same as GDPR EU AI Act Extraterritorial Regardless of company location — applies when AI output is used within the EU
▲ EU AI Act extraterritorial reach — location is irrelevant; what matters is where the AI output lands (Pebblous original diagram)

3.1For Korean Companies

The example CMS Law gives is intuitive. Say a Korean company offers a personal AI photo-synthesis service on an online marketplace. The moment a user living in the EU uploads their own photo to be used in the synthesis, the EU AI Act applies. With no separate EU go-to-market strategy at all, a single global app is enough to bring you into scope.

3.2For US Companies

The structure is the same. Even with headquarters in California or Texas and no EU subsidiary, you are in scope once the service reaches EU users. It is exactly how the GDPR has applied to US companies. For a company that already has GDPR experience, extraterritorial reach itself will not feel unfamiliar.

3.3Dual Compliance for Korean Companies

Korean companies have one more variable. Korea's AI Basic Act (the Framework Act on the Development of Artificial Intelligence and Establishment of a Foundation of Trust) took effect on January 22, 2026. It is a hybrid that blends an EU-style risk-based scheme with US-style innovation considerations — and unlike the EU, which divides duties by category, it places baseline duties on every AI system. Even a foreign company has to appoint a domestic representative if it has global revenue of at least 1 trillion won, domestic revenue of at least 10 billion won, or at least 1 million daily users. That is why you need a design that looks at both the EU and Korea at once.

3.4The Penalty Structure

Fines are based on global annual turnover. A breach of the transparency duties (Article 50) is €7.5 million or 1.5% of global turnover, whichever is higher. Prohibited AI practices are heavier still, at €35 million or 7%, and high-risk AI breaches at €15 million or 3%. Lower caps apply to SMEs and startups. What matters more than the size of the numbers is that the basis is "global turnover," not "EU turnover."

Relief mechanisms arrived alongside. The AI Omnibus widened the scope of what counts as an SME to include "small mid-caps" with up to 750 employees and €150 million in revenue. Falling within that scope brings benefits such as simplified forms, lower penalty floors, and access to regulatory sandboxes. Industrial and product AI already regulated under the Machinery Regulation is carved out of the EU AI Act. For a Korean or US mid-cap manufacturer or SaaS company, it pays to check first whether you fall within this relief scope before working through the obligations.

4

July 22 — The Biggest Defense You Can Mount in Four Weeks

There is one date that August 2 overshadows and that has gone underreported: 18:00 CEST on July 22, 2026, the signing deadline for the Code of Practice on the Transparency of AI-Generated Content. It is a voluntary code the EU AI Office created to help with compliance under Art. 50(2) and (4), finalized in June 2026. Signing is not itself a legal obligation, but whether you sign makes a large difference.

4.1Presumption of Conformity — the Burden of Proof Shifts

A company that signs receives a presumption of conformity with Art. 50(2) and (4). What that means is that when a problem arises, the company does not have to prove "we complied"; instead, the authorities have to prove "you did not." The burden of proof shifts wholesale. It is also weighed as a mitigating factor when penalties are set at the enforcement stage. A company that has not signed, by contrast, can expect more frequent information requests and investigations from the authorities.

4.2How to Sign

Submissions go to the European Commission AI Office's dedicated email (CNECT-AIOFFICE-CODE-OF-PRACTICE-TRANSPARENCY@ec.europa.eu). Signing is still possible after July 22, but you have to submit by that date to make the early-signatory list. That initial list is a market signal in its own right. The code's technical requirements, as noted above, treat the combined use of C2PA metadata and invisible watermarking as the minimum bar. As of 2026, more than 6,000 organizations had adopted C2PA, including Adobe, Google, Microsoft, and OpenAI.

Finishing every technical implementation by August 2 is tight. But signing on July 22 is an action you can decide on within four weeks, and that single signature shifts the burden of proof onto the authorities. The biggest tangible risk defense available in these six weeks is right here.

5

The Six-Week Checklist — Builders vs. Users

The obligations split depending on whether you are a provider or a deployer. First decide whether you are the side that builds and sells the AI service or the side that uses someone else's AI in its operations, then follow the list below. Many companies hold both roles.

Generative AI Service Provider

  • Have you added an AI disclosure at the first interaction in your chatbot or assistant (Art. 50(1))?
  • Have you applied C2PA metadata + watermarking to your AI-generated outputs (Art. 50(2))?
  • Have you reviewed and submitted your Code of Practice signature by July 22?
  • If you supply a GPAI model directly, do you have technical documentation, a training-data summary, and a copyright policy in place?

AI Service Deployer (Enterprise User)

  • Have you labeled the AI-generated images and video used in marketing and promotion as deepfakes (Art. 50(4))?
  • Have you added a disclosure to AI-generated text on public-interest matters, and is editorial responsibility clear?
  • If you use emotion-recognition or biometric-categorization tools, have you notified the people exposed (Art. 50(3))?
  • Do you have an inventory of which AI systems are used where (more than 50% in the survey have none)?

Korea AI Basic Act — Check in Parallel

  • Have you checked whether you meet the thresholds (revenue, user count) for appointing a domestic representative?
  • Have you designed the duty to mark generative-AI outputs against both EU and Korean standards together?
  • Since Korea places baseline duties on all AI, have you avoided resting easy on EU category classification alone?
6

Not a Cost, but an Opportunity

Compliance stories usually end at cost. Seeing the numbers — $8 million to $15 million in compliance costs for large companies, third-party certification starting at $50,000 per AI system — makes that understandable. Yet the fact that 78% of those in scope have not begun any meaningful action can be read another way. More than half do not even have a basic AI inventory. That gap is precisely the space for the companies that move first.

The GDPR went the same way. Companies that built data protection early pulled ahead in the European market with trust as their weapon. AI transparency follows the same path. B2B customers in regulated industries increasingly ask, as a procurement criterion, "How was your AI built, and what data was it trained on?" The companies that can prove compliance get picked first in those deals. That is why PwC and Deloitte advise treating the EU AI Act as a strategic priority rather than a regulation.

At the bottom of every transparency duty is data. Whether it is a chatbot disclosure, a content mark of origin, or a GPAI training-data summary, what is commonly required is the ability to trace and document where an output came from. When you have data governance in place to trace provenance and verify quality, the August 2 duties are not a new wall to build but one more line on top of a foundation already laid.

A Pebblous note. The data provenance tracing and quality verification that Pebblous has worked on in AI-Ready Data and DataClinic happen to sit in the same place as the technical foundation for the transparency Article 50 demands. Less a new market created by regulation than one instance of an old truth: companies that have handled their data properly are shaken less when the rules arrive.

R

References

Official Documents (EU / Legislation)

Legal & Industry Analysis

Compliance Guides