The EU AI Act transparency obligations apply from 2 August 2026, forcing deepfake and AI chat disclosure. Here is what changes for KYC and identity teams.
Table of contents
The EU AI Act transparency obligations take effect on 2 August 2026, requiring providers and deployers to label AI chatbots, mark AI-generated content, and disclose deepfakes. They reshape how identity and onboarding teams document AI use, but they do not stop fraudsters from weaponising unlabelled deepfakes.
- Article 50 of Regulation (EU) 2024/1689, the AI Act, becomes applicable across the EU on 2 August 2026.
- Article 50 covers four duties: disclosing AI interaction, marking synthetic output, informing people exposed to biometric categorisation, and disclosing deepfakes.
- Breaches sit in the middle penalty tier: up to 15 million euros or 3 percent of worldwide annual turnover, whichever is higher.
- The rules are a labelling regime, not a fraud control. A deepfake built to defeat onboarding will never be labelled by its author.
- Identity vendors that run AI-driven liveness, face matching, or attribute inference may fall directly inside the disclosure duties.
What do the AI Act transparency obligations require?
The AI Act transparency obligations sit in Article 50 of Regulation (EU) 2024/1689 and impose four distinct duties on providers and deployers of certain AI systems. They target systems that interact with people, generate synthetic media, categorise people biometrically, or produce deepfakes. Each duty attaches to a different actor and a different trigger.
Paragraph 1 tells providers to ensure people are informed they are interacting with an AI system, unless that is obvious. Paragraph 2 tells providers of generative systems to mark outputs so they are machine-readable and detectable as synthetic. Paragraph 3 tells deployers of emotion recognition or biometric categorisation systems to inform the natural persons exposed. Paragraph 4 is the deepfake rule: a deployer must, in the words of Article 50(4), "disclose that the content has been artificially generated or manipulated."
| Article 50 duty | Who it binds | Trigger | Core action |
|---|---|---|---|
| 50(1) | Provider | AI system interacts with a person | Inform the user they are dealing with an AI, unless obvious |
| 50(2) | Provider | System generates synthetic audio, image, video or text | Mark output as machine-readable and detectable |
| 50(3) | Deployer | Emotion recognition or biometric categorisation | Inform the natural persons exposed; comply with GDPR |
| 50(4) | Deployer | Content is a deepfake | Disclose that it is artificially generated or manipulated |
Carve-outs exist for law enforcement and for evidently artistic or satirical work, and AI-written news text is exempt where a human retains editorial responsibility. None of those carve-outs help a bank or a fintech running AI in a live onboarding flow.
When do the rules apply and how are they enforced?
The AI Act transparency obligations apply from 2 August 2026, exactly two years after the Regulation entered into force. That date is the general application milestone for most of the Act, so Article 50 lands alongside the bulk of the rulebook rather than as a standalone deadline. National market surveillance authorities supervise compliance.
The Act phases in over several years, which is why the transparency duties arrive now while high-risk product rules wait another year. The timeline below sets the sequence.
| Date | What applies |
|---|---|
| 1 August 2024 | AI Act enters into force |
| 2 February 2025 | Prohibited practices and AI literacy duties |
| 2 August 2025 | General-purpose AI model obligations and governance |
| 2 August 2026 | Transparency obligations under Article 50 and most of the Act |
| 2 August 2027 | High-risk rules for regulated products in Annex I |
Penalties for breaching Article 50 fall in the middle band of Article 99. A deployer or provider that ignores the duties faces up to 15 million euros or 3 percent of total worldwide annual turnover, whichever is higher. For small firms and start-ups the cap is instead the lower of those two figures, a deliberate concession for smaller operators. To ease the transition, the European Commission published a voluntary Code of Practice on transparency of AI-generated content on 10 June 2026; signatories can rely on it to demonstrate they meet the marking and labelling duties.
What changes for your KYC and onboarding obligations?
For KYC and onboarding teams, the AI Act transparency obligations bite hardest where AI already sits in the verification stack. The duties are specific, and mapping them to your controls is more useful than generic readiness advice. Three of the four paragraphs can touch an identity workflow directly.
If your onboarding journey uses an AI agent or chatbot to collect data or answer applicants, Article 50(1) requires a clear disclosure that the applicant is dealing with an AI, and that disclosure belongs in your consent and audit record. If your fraud or liveness tooling performs biometric categorisation or emotion recognition, Article 50(3) requires you to inform the person exposed, and it explicitly runs without prejudice to the GDPR, so your Article 9 special-category basis and your data protection impact assessment still apply. If you generate synthetic media or documents, for example to train models or to test cases, Article 50(2) and 50(4) pull you into the marking and disclosure duties as a provider or deployer. The overlap is sharpest in high-risk onboarding such as crypto and VASP verification, where AI-driven checks and biometric processing are common.
None of this changes your core anti-money laundering duties. Customer due diligence, enhanced due diligence, sanctions and politically exposed person screening, and suspicious activity reporting are untouched by Article 50. What changes is the evidence layer around any AI you deploy inside those processes: you now have to show, on demand, that AI interaction was disclosed and that synthetic content was marked. Data minimisation helps here, because a verification design that never ingests a face image has less biometric processing to disclose and defend in the first place.
What is still uncertain about the transparency rules?
Plenty is still contested weeks before the deadline. Even though the Commission finalised its voluntary Code of Practice in June 2026, its interpretive Article 50 guidelines remain in draft, published on 8 May 2026 with consultation having closed on 3 June 2026, so deployers are interpreting scope terms such as "deepfake" and "biometric categorisation" without final guidance. Enforcement readiness across member states is uneven, and penalty regimes are set nationally.
The deeper problem for identity teams is that Article 50 is a transparency regime, not an anti-fraud control. It obliges honest actors to label their own AI output. It does nothing to a criminal who builds a deepfake to open a fraudulent account, because that person will never mark the file. Machine-readable marks can also be stripped or degraded, so even lawful labels offer limited downstream assurance. Liability is a further open question: providers must mark outputs while deployers must disclose deepfakes, and it is not settled who answers when a marked output is re-used elsewhere and the mark is gone. Treat the rule as a documentation duty, not a shield against onboarding fraud.
How do deepfakes threaten identity verification?
Deepfakes threaten identity verification because cheap generative tools now defeat the checks many onboarding flows still rely on. Generative tools now produce synthetic identity documents and face swaps cheaply and at scale, and the outputs are good enough to pass a selfie-plus-document flow. Static image uploads are the weak point, and a labelling law does not close it.
This is where the architecture of verification matters more than the paperwork around it. A flow that reads the cryptographically signed chip inside a passport or identity card to ICAO 9303 and eIDAS standards is checking a signature a generative model cannot forge, not a picture it can. Pairing that chip read with two-step liveness, and never uploading a raw face image, removes the surface that most deepfake attacks target. The transparency rules will make legitimate AI use visible, but the fraud they are often invoked against is defeated at the verification layer, by reading the chip rather than trusting the image. It is the same logic behind the EUDI wallet making its biometric portrait optional: the less raw biometric data a system holds, the less there is to fake or leak.
How should compliance teams respond?
Start with an inventory. Map every place AI touches your onboarding and monitoring, then classify each against the four Article 50 duties and record the disclosure you will show. Update consent language and privacy notices where an AI agent, liveness check, or attribute-inference tool interacts with applicants, and confirm your GDPR basis for any biometric categorisation. Decide whether to sign the Commission's Code of Practice to simplify the marking obligation, and give your market surveillance evidence pack an owner before 2 August. Re-test your onboarding against synthetic-document and face-swap attacks, because disclosure duties do nothing about them.
Zyphe was built for the fraud problem the labelling rules leave open. Verification runs on an NFC chip read to ICAO 9303 and eIDAS standards with two-step liveness and no image upload, so there is no face photo to deepfake and no central honeypot to breach. Personal data is sharded across a decentralised network under a threshold scheme with a customer-held key, which keeps biometric processing minimal and your audit trail exportable per region. If the AI Act transparency obligations have you reviewing your onboarding stack, book a demo.
The bottom line
The AI Act transparency obligations make AI use visible: they force disclosure of chatbots, marking of synthetic media, and labelling of deepfakes from 2 August 2026, under a penalty band reaching 3 percent of worldwide turnover. For KYC and identity teams the work is largely documentary, mapping AI in the stack to the four Article 50 duties and evidencing each disclosure. The risk the rules do not touch is the one that matters most at onboarding, because the deepfakes used to open fraudulent accounts are never labelled by their authors. Transparency is a compliance duty. Deepfake-resistant verification is the control that actually protects the front door.
Cited sources
Michelangelo Frigo (Co-Founder at Zyphe) Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.