Learn more about the latest security and privacy threats
Back

AI Act transparency obligations: deepfake and AI disclosure rules apply from 2 August 2026

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Published July 9, 2026 Reviewed by Charlene Wang
Editorial illustration for the article "AI Act transparency obligations: deepfake and AI disclosure rules apply from 2 August 2026".

The EU AI Act transparency obligations apply from 2 August 2026, forcing deepfake and AI chat disclosure. Here is what changes for KYC and identity teams.

Table of contents

The EU AI Act transparency obligations take effect on 2 August 2026, requiring providers and deployers to label AI chatbots, mark AI-generated content, and disclose deepfakes. They reshape how identity and onboarding teams document AI use, but they do not stop fraudsters from weaponising unlabelled deepfakes.

  • Article 50 of Regulation (EU) 2024/1689, the AI Act, becomes applicable across the EU on 2 August 2026.
  • Article 50 covers four duties: disclosing AI interaction, marking synthetic output, informing people exposed to biometric categorisation, and disclosing deepfakes.
  • Breaches sit in the middle penalty tier: up to 15 million euros or 3 percent of worldwide annual turnover, whichever is higher.
  • The rules are a labelling regime, not a fraud control. A deepfake built to defeat onboarding will never be labelled by its author.
  • Identity vendors that run AI-driven liveness, face matching, or attribute inference may fall directly inside the disclosure duties.

What do the AI Act transparency obligations require?

The AI Act transparency obligations sit in Article 50 of Regulation (EU) 2024/1689 and impose four distinct duties on providers and deployers of certain AI systems. They target systems that interact with people, generate synthetic media, categorise people biometrically, or produce deepfakes. Each duty attaches to a different actor and a different trigger.

Paragraph 1 tells providers to ensure people are informed they are interacting with an AI system, unless that is obvious. Paragraph 2 tells providers of generative systems to mark outputs so they are machine-readable and detectable as synthetic. Paragraph 3 tells deployers of emotion recognition or biometric categorisation systems to inform the natural persons exposed. Paragraph 4 is the deepfake rule: a deployer must, in the words of Article 50(4), "disclose that the content has been artificially generated or manipulated."

Article 50 dutyWho it bindsTriggerCore action
50(1)ProviderAI system interacts with a personInform the user they are dealing with an AI, unless obvious
50(2)ProviderSystem generates synthetic audio, image, video or textMark output as machine-readable and detectable
50(3)DeployerEmotion recognition or biometric categorisationInform the natural persons exposed; comply with GDPR
50(4)DeployerContent is a deepfakeDisclose that it is artificially generated or manipulated

Carve-outs exist for law enforcement and for evidently artistic or satirical work, and AI-written news text is exempt where a human retains editorial responsibility. None of those carve-outs help a bank or a fintech running AI in a live onboarding flow.

When do the rules apply and how are they enforced?

The AI Act transparency obligations apply from 2 August 2026, exactly two years after the Regulation entered into force. That date is the general application milestone for most of the Act, so Article 50 lands alongside the bulk of the rulebook rather than as a standalone deadline. National market surveillance authorities supervise compliance.

The Act phases in over several years, which is why the transparency duties arrive now while high-risk product rules wait another year. The timeline below sets the sequence.

DateWhat applies
1 August 2024AI Act enters into force
2 February 2025Prohibited practices and AI literacy duties
2 August 2025General-purpose AI model obligations and governance
2 August 2026Transparency obligations under Article 50 and most of the Act
2 August 2027High-risk rules for regulated products in Annex I

Penalties for breaching Article 50 fall in the middle band of Article 99. A deployer or provider that ignores the duties faces up to 15 million euros or 3 percent of total worldwide annual turnover, whichever is higher. For small firms and start-ups the cap is instead the lower of those two figures, a deliberate concession for smaller operators. To ease the transition, the European Commission published a voluntary Code of Practice on transparency of AI-generated content on 10 June 2026; signatories can rely on it to demonstrate they meet the marking and labelling duties.

What changes for your KYC and onboarding obligations?

For KYC and onboarding teams, the AI Act transparency obligations bite hardest where AI already sits in the verification stack. The duties are specific, and mapping them to your controls is more useful than generic readiness advice. Three of the four paragraphs can touch an identity workflow directly.

If your onboarding journey uses an AI agent or chatbot to collect data or answer applicants, Article 50(1) requires a clear disclosure that the applicant is dealing with an AI, and that disclosure belongs in your consent and audit record. If your fraud or liveness tooling performs biometric categorisation or emotion recognition, Article 50(3) requires you to inform the person exposed, and it explicitly runs without prejudice to the GDPR, so your Article 9 special-category basis and your data protection impact assessment still apply. If you generate synthetic media or documents, for example to train models or to test cases, Article 50(2) and 50(4) pull you into the marking and disclosure duties as a provider or deployer. The overlap is sharpest in high-risk onboarding such as crypto and VASP verification, where AI-driven checks and biometric processing are common.

None of this changes your core anti-money laundering duties. Customer due diligence, enhanced due diligence, sanctions and politically exposed person screening, and suspicious activity reporting are untouched by Article 50. What changes is the evidence layer around any AI you deploy inside those processes: you now have to show, on demand, that AI interaction was disclosed and that synthetic content was marked. Data minimisation helps here, because a verification design that never ingests a face image has less biometric processing to disclose and defend in the first place.

What is still uncertain about the transparency rules?

Plenty is still contested weeks before the deadline. Even though the Commission finalised its voluntary Code of Practice in June 2026, its interpretive Article 50 guidelines remain in draft, published on 8 May 2026 with consultation having closed on 3 June 2026, so deployers are interpreting scope terms such as "deepfake" and "biometric categorisation" without final guidance. Enforcement readiness across member states is uneven, and penalty regimes are set nationally.

The deeper problem for identity teams is that Article 50 is a transparency regime, not an anti-fraud control. It obliges honest actors to label their own AI output. It does nothing to a criminal who builds a deepfake to open a fraudulent account, because that person will never mark the file. Machine-readable marks can also be stripped or degraded, so even lawful labels offer limited downstream assurance. Liability is a further open question: providers must mark outputs while deployers must disclose deepfakes, and it is not settled who answers when a marked output is re-used elsewhere and the mark is gone. Treat the rule as a documentation duty, not a shield against onboarding fraud.

How do deepfakes threaten identity verification?

Deepfakes threaten identity verification because cheap generative tools now defeat the checks many onboarding flows still rely on. Generative tools now produce synthetic identity documents and face swaps cheaply and at scale, and the outputs are good enough to pass a selfie-plus-document flow. Static image uploads are the weak point, and a labelling law does not close it.

This is where the architecture of verification matters more than the paperwork around it. A flow that reads the cryptographically signed chip inside a passport or identity card to ICAO 9303 and eIDAS standards is checking a signature a generative model cannot forge, not a picture it can. Pairing that chip read with two-step liveness, and never uploading a raw face image, removes the surface that most deepfake attacks target. The transparency rules will make legitimate AI use visible, but the fraud they are often invoked against is defeated at the verification layer, by reading the chip rather than trusting the image. It is the same logic behind the EUDI wallet making its biometric portrait optional: the less raw biometric data a system holds, the less there is to fake or leak.

How should compliance teams respond?

Start with an inventory. Map every place AI touches your onboarding and monitoring, then classify each against the four Article 50 duties and record the disclosure you will show. Update consent language and privacy notices where an AI agent, liveness check, or attribute-inference tool interacts with applicants, and confirm your GDPR basis for any biometric categorisation. Decide whether to sign the Commission's Code of Practice to simplify the marking obligation, and give your market surveillance evidence pack an owner before 2 August. Re-test your onboarding against synthetic-document and face-swap attacks, because disclosure duties do nothing about them.

Zyphe was built for the fraud problem the labelling rules leave open. Verification runs on an NFC chip read to ICAO 9303 and eIDAS standards with two-step liveness and no image upload, so there is no face photo to deepfake and no central honeypot to breach. Personal data is sharded across a decentralised network under a threshold scheme with a customer-held key, which keeps biometric processing minimal and your audit trail exportable per region. If the AI Act transparency obligations have you reviewing your onboarding stack, book a demo.

The bottom line

The AI Act transparency obligations make AI use visible: they force disclosure of chatbots, marking of synthetic media, and labelling of deepfakes from 2 August 2026, under a penalty band reaching 3 percent of worldwide turnover. For KYC and identity teams the work is largely documentary, mapping AI in the stack to the four Article 50 duties and evidencing each disclosure. The risk the rules do not touch is the one that matters most at onboarding, because the deepfakes used to open fraudulent accounts are never labelled by their authors. Transparency is a compliance duty. Deepfake-resistant verification is the control that actually protects the front door.

Cited sources

Michelangelo Frigo Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.

Frequently Asked Questions

The transparency obligations in Article 50 of the AI Act, Regulation (EU) 2024/1689, apply across the European Union from 2 August 2026. That is the general application date for most of the Act, two years after it entered into force on 1 August 2024. National market surveillance authorities supervise compliance from that date.

Article 50 treats a deepfake as AI-generated or manipulated image, audio, or video that resembles real persons, objects, places, or events and would falsely appear authentic. A deployer that creates such content must disclose that it was artificially generated or manipulated. Evidently artistic or satirical work carries a lighter disclosure duty.

Non-compliance with the Article 50 transparency duties sits in the middle penalty band of the AI Act. Fines can reach 15 million euros or 3 percent of total worldwide annual turnover for the preceding year, whichever is higher. For small and medium enterprises and start-ups, the cap is the lower of those two figures.

No. Article 50 is a transparency and labelling regime that binds legitimate providers and deployers. A criminal generating a deepfake to open a fraudulent account will not label it, so the rules do not reduce onboarding fraud. Defending onboarding still depends on verification that deepfakes cannot fake, such as a signed chip read.

It can. A vendor running emotion recognition or biometric categorisation must inform the people exposed under Article 50(3), and that duty runs alongside the GDPR rather than replacing it. A vendor whose system interacts with users as an AI, or generates synthetic content, may also fall under the disclosure and marking duties in paragraphs 1, 2, and 4.

See privacy-first KYC in action

Verify identity without storing a single document. Reusable credentials, an exportable audit trail, and a 15-minute integration.

Book a demo