The legal definition
Article 3(60) of Regulation (EU) 2024/1689 defines a deep fake as "AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful." Source: Article 3(60), Regulation (EU) 2024/1689.
Two parts of that definition are load-bearing:
- "resembles existing persons, objects, places, entities or events" — fully synthetic content with no real-world referent (a fictional character, an entirely invented scene) is not a deep fake under the Act, even if it is AI-generated. It still falls under Article 50(2) machine-readable marking, but not under Article 50(4) deployer disclosure.
- "would falsely appear to be authentic" — content that is obviously stylised (Studio Ghibli aesthetic, manga, cartoon) is generally not a deep fake on its face. Photorealistic synthetic media that could be mistaken for a recording of real events is.
Who has to do what — three actors, three obligations
| Actor | Article | Obligation |
|---|---|---|
| Provider of the generative AI system | Art 50(2) | Mark output in a machine-readable format detectable as AI-generated. Watermarking, C2PA/Content Credentials manifest, or equivalent. Must be effective, interoperable, robust and reliable as far as technically feasible (Art 50(3)). |
| Deployer publishing the deep fake | Art 50(4) | Disclose that the content has been artificially generated or manipulated. The disclosure must be clear and distinguishable, provided to natural persons concerned at the latest at the time of first interaction (Art 50(5)). |
| Platform hosting deep fake content | DSA Art 35 + AI Act Art 50 | Very Large Online Platforms must mitigate systemic risk including coordinated inauthentic behaviour. Where the platform is also the deployer of the AI generating the content, both regimes apply. |
The four edges that catch publishers
Edge 1: the artistic / satirical / fictional carve-out
Article 50(4) softens the disclosure for deep fake content that "forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme." In those cases, transparency is limited to disclosing the existence of AI generation in an appropriate manner that does not hamper the display or enjoyment of the work.
The edge: "evidently" is doing the heavy lifting. A deep fake of a sitting head of state in a satirical sketch is covered. A deep fake of the same head of state in a news-adjacent advertising spot is not — the carve-out turns on whether the artistic intent is unambiguous to a reasonable viewer, not on the deployer's self-classification.
Edge 2: AI-generated text on matters of public interest
Article 50(4) extends to AI-generated text "published with the purpose of informing the public on matters of public interest." Disclosure is required unless the content has undergone human review or editorial control and a natural or legal person holds editorial responsibility for the publication.
The edge: a newsroom pipeline that uses GPT to draft and a human editor to review meets the editorial-control test. An AI-generated press release published by a marketing automation tool without human review does not. The exemption hinges on a documentable editorial process, not on the publisher's job title.
Edge 3: GDPR overlay on biometric likeness
A deep fake of an identifiable real person processes their biometric data. GDPR Articles 5 and 9 apply in parallel with AI Act Article 50. Fontvera has mapped the cross-reference: even with full Article 50(4) disclosure, processing a recognisable face or voice without legal basis under GDPR Article 6 (and, for special categories, Article 9) is a separate breach. The disclosure label does not cure the lack of consent. Source: Regulation (EU) 2016/679 (GDPR).
Edge 4: machine-readable marking is the provider's job, not the deployer's
If your generative AI vendor does not implement Article 50(2) machine-readable marking, your downstream Article 50(4) disclosure is not enough — the provider is in breach. Procurement contracts written before 2 August 2026 should require provable C2PA Content Credentials or equivalent in writing, with audit rights. Under the Digital Omnibus provisional agreement of 7 May 2026, the Article 50(2) marking obligation moves to 2 December 2026, pending formal adoption; the other Article 50 duties on this page still apply from 2 August 2026.
Penalty tier — exact numbers from Article 99
Article 99(2) sets the ceiling for Article 50 violations at €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. This applies to both providers (failure to apply machine-readable marking) and deployers (failure to disclose). Source: Article 99(2), Regulation (EU) 2024/1689.
Stacking is real. If the same deep fake also breaches GDPR (no legal basis for biometric processing), GDPR adds up to €20M / 4% under its Article 83(5). For VLOPs, DSA Article 74 adds up to 6% of worldwide turnover for systemic risk failures. A single coordinated deep fake campaign on a large platform without the right contracts and disclosures could in theory trigger all three ceilings simultaneously.
Real numbers Fontvera tracks
- 13 distinct Article 50 obligations in Fontvera's structured corpus, covering provider marking duties, deployer disclosure for emotion/biometric/deepfake/text, accessibility, and the AI Office code of practice mandate.
- 743 AI Act obligations mapped in total; 22 AI Act overlaps with other EU regimes — including 4 with GDPR and 3 with DSA — directly relevant to deep fake publication.
- 312,758 current EU regulatory documents — including AI Office guidance drafts, EDPB GDPR opinions on biometric processing, and DSA enforcement decisions — feed the cross-reference graph.
What good looks like before 2 August 2026
- Procurement. Generative AI vendor contracts must guarantee Article 50(2) machine-readable marking. Without that guarantee, the deployer cannot rely on the marking being present, even if its own disclosure is perfect.
- Editorial workflow. Document the human-review step for any AI-generated text on public-interest matters. Without a documented editorial process, every AI-drafted public-affairs post is a disclosure obligation.
- Disclosure UX. "Clear and distinguishable" under Article 50(5) is interpreted as visible at first interaction, not buried in a footer. The label must be readable on mobile and accessible per Article 50(6).
- Likeness consent. If the deep fake depicts a real person, secure the GDPR Article 6 (or Article 9 for special categories) basis before publication. Disclosure does not substitute for consent.
- Platform integration. If you publish to a VLOP, expect the platform to enforce Article 50(2) marking at upload. Content without machine-readable provenance will be downranked or removed regardless of what your disclosure says.