The map — three actors, six triggers
| Trigger | Actor | What must happen | Article |
|---|---|---|---|
| AI system interacts directly with natural persons | Provider | System designed so users are informed they are interacting with AI, unless obvious from context. | 50(1) |
| AI generates synthetic image, audio, video or text content | Provider | Output marked in a machine-readable format and detectable as artificially generated. Solution must be effective, interoperable, robust, reliable. | 50(2)–(3) |
| Emotion-recognition or biometric-categorisation system in use | Deployer | Inform exposed natural persons of operation. Process personal data per GDPR / Law Enforcement Directive. | 50(4) first sub-paragraph |
| AI generates image / audio / video constituting a deep fake | Deployer | Disclose content has been artificially generated or manipulated. Limited exception for evidently artistic, creative, satirical or fictional work. | 50(4) second sub-paragraph |
| AI generates text published to inform the public on matters of public interest | Deployer | Disclose content is artificially generated, unless content has undergone human review or editorial control with editorial responsibility. | 50(4) third sub-paragraph |
| Any of the above | Both | Information clear and distinguishable, at the latest at the time of first interaction or exposure. Conform to accessibility requirements. | 50(5)–(6) |
Source: Article 50 of Regulation (EU) 2024/1689.
Three actors and what each must do
Providers of generative or interactive AI
Two duties sit upstream of any deployment: the system must be designed to inform users they are interacting with AI (50(1)), and the synthetic output must be marked machine-readable (50(2)) using a method that is effective, interoperable, robust and reliable (50(3)). Effectively, this is a procurement requirement — your generative-AI vendor either ships C2PA Content Credentials or an equivalent watermark, or you cannot deploy without breaching Article 50 yourself.
Deployers publishing AI output
Deployer obligations under 50(4) split four ways:
- Operating an emotion-recognition or biometric-categorisation system: notify the exposed natural persons before exposure (or at the latest at first interaction).
- Publishing an AI-generated deepfake: disclose. The artistic/satirical carve-out softens disclosure to "existence of AI generation" only.
- Publishing AI-generated text on public-interest matters: disclose, unless the text has undergone human review with editorial responsibility.
- All three: clear, distinguishable, accessible, no later than first interaction.
Platforms hosting AI-generated content
The AI Act does not directly bind platforms in Article 50, but the DSA does. Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) under DSA Article 35 must mitigate systemic risks including coordinated inauthentic behaviour. Where the platform is itself the deployer (auto-generated summaries, AI-driven recommendations, on-platform GenAI tools), Article 50 attaches alongside DSA — both apply.
The "obvious from context" exception — narrower than it reads
Article 50(1) softens the AI-interaction disclosure where it is "obvious from the circumstances and the context of use." This is meant to cover scenarios where any reasonable user would already know they are interacting with AI — for example, a clearly-labelled "AI Assistant" branded interface inside an enterprise SaaS product.
The edge: the exception turns on what is obvious to a reasonable user, not on what is obvious to a sophisticated one. Voice cloning in a customer-support call, AI-driven recommendations packaged as a human curator, or chatbots branded with a human first-name and headshot do not meet the obviousness threshold. The exception is narrow.
The artistic / satirical carve-out for deepfakes
Article 50(4) limits the disclosure for deepfake content forming part of "an evidently artistic, creative, satirical, fictional or analogous work or programme" to disclosure of the existence of AI generation in an appropriate manner that does not impair the display or enjoyment of the work.
"Evidently" is doing the work. A satirical sketch with deepfaked political figures in an obviously comedic setting is covered. A near-identical deepfake in a marketing context that imitates news framing is not — the carve-out hangs on whether the artistic intent is unambiguous to a reasonable viewer, not on the deployer's self-classification.
The public-interest text exception
AI-generated text published to inform the public on matters of public interest must be disclosed as AI-generated, unless the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication.
This is the cleanest workflow rule in the regulation. Newsroom pipelines that use a model to draft and a human editor to review meet the editorial-control test. Marketing-automation pipelines that publish AI-generated press releases without human review do not — disclosure is mandatory. The exception attaches to process, not to the publisher's job title.
The GDPR overlay — disclosure does not cure consent
Every Article 50 trigger that processes personal data is also a GDPR trigger. Fontvera's cross-reference graph maps four AI Act ↔ GDPR overlaps and two conflicts; Article 50 transparency sits inside that cluster. Concretely:
- A deepfake of an identifiable real person processes their biometric data. GDPR Article 9 requires a special-category basis. Article 50(4) disclosure does not cure missing consent or another Article 9(2) basis.
- Emotion-recognition systems by deployers under Article 50(4) must process personal data per GDPR — the AI Act explicitly cross-references this.
- The AI-generated text rule at 50(4) overlaps with GDPR transparency obligations under Articles 13–14 where the text concerns identifiable individuals.
Source: Regulation (EU) 2016/679 (GDPR).
Real numbers Fontvera tracks
- 13 distinct Article 50 obligations in Fontvera's structured corpus, covering provider design duties, generative marking, deployer disclosure across all six triggers, accessibility, and the AI Office code-of-practice mandate at 50(7).
- 743 AI Act obligations in total — Article 50 sits between Article 5 (8 prohibitions) and the Annex III high-risk regime as a horizontal transparency band.
- AI Act ↔ GDPR cross-references: 8 collisions in the corpus, with Article 50 transparency the densest meeting point.
Penalty exposure
Article 99(2) sets the ceiling for Article 50 violations at €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. Both providers (50(1)–(3)) and deployers (50(4)) carry their own breach. Stacking with GDPR (€20M / 4%) and DSA (6% for VLOPs) is real.
What good looks like before 2 August 2026
- Procurement: require Article 50(2) machine-readable marking from every generative-AI vendor in writing, with audit rights. Without it the deployer downstream is exposed.
- Editorial workflow: document the human-review-with-editorial-responsibility step for AI-generated text on public-interest matters. Without documentation, every AI-drafted public-affairs post triggers disclosure.
- Disclosure UX: visible at first interaction (50(5)), accessible per 50(6), readable on mobile. Footer-only disclosures do not meet the standard.
- Likeness consent: for deepfakes of identifiable persons, secure GDPR Article 6/9 basis before publication. Article 50 disclosure is not a substitute.
- Platform integration: if you publish to a VLOP, validate the platform accepts and surfaces your provenance manifest.
Run your free AI Act compliance diagnostic
If your team uses generative AI for image, audio, video, text, emotion recognition or biometric categorisation, the diagnostic returns whether Article 50 applies and which sub-paragraph attaches.