EU AI Act Synthetic Media: Disclosure Obligations for Businesses 2026

Article 50 of the EU AI Act mandates disclosure for AI-generated content from August 2026. Who must comply, what watermarking means in practice, and penalties explained.

CheckFile Team

Article 50 of Regulation (EU) 2024/1689 — the EU AI Act — imposes binding transparency obligations on AI systems that generate synthetic media: chatbots, deepfakes, emotion recognition systems. These obligations apply from 2 August 2026 to any provider or deployer of AI operating in or directed at the European Union, regardless of where they are established. Non-compliance exposes organisations to fines of up to €15 million or 3% of global annual turnover.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.

What the EU AI Act Requires for Synthetic Media

Defining Synthetic Media Under the Regulation

The EU AI Act does not use "synthetic media" as a defined category but covers all AI-generated or AI-manipulated content that presents a resemblance to real persons, places, or events. This spans images, audio, video, and text produced or altered by generative AI systems, as well as content resulting from algorithmic manipulation of existing material.

The central concept is the regulation's definition of "deepfake": any AI-generated or AI-manipulated image, audio, or video content that resembles existing persons, objects, places, or entities and could be mistakenly perceived as authentic.

Article 50 in Full

The EU AI Act, Regulation (EU) 2024/1689, structures four distinct obligations under Article 50, each targeting a different type of AI system.

Article 50(1) requires providers of AI systems that interact directly with natural persons (chatbots, virtual assistants) to disclose that the person is interacting with an AI system — unless this is obvious from the context.

Article 50(2) obliges operators of emotion recognition systems and biometric categorisation systems to inform the persons exposed to those systems.

Article 50(3) requires providers of AI systems that generate deepfakes to ensure that outputs are marked in a machine-readable format identifying them as artificially generated or manipulated content.

Article 50(4) preserves an exception for legitimate purposes — art, satire, parody — but maintains the disclosure obligation where there is a significant risk of deceiving the public.

Article 50(5) requires providers of general-purpose AI (GPAI) models to implement technical solutions enabling the detection and labelling of AI-generated content produced by their models.

Regulatory synthesis: the EU AI Act makes transparency over synthetic media a binding legal obligation for any business operating in the EU, with full application from 2 August 2026 (EUR-Lex, Regulation EU 2024/1689, Art. 50).

Who Must Comply: Providers, Deployers, and Importers

The Provider / Deployer Distinction

The regulation draws a structural distinction between two categories of actor, each bearing different obligations.

A provider is any entity that develops or has developed an AI system and places it on the EU market or puts it into service in the EU, under its own name or brand. A software publisher selling an AI-powered video generation tool is a provider.

A deployer is any entity that uses an AI system under its own authority within its professional activities to provide products or services. A marketing agency using a third-party AI content generation tool for client campaigns is a deployer.

Importers and distributors placing AI systems developed outside the EU on the European market are also subject to the regulation's requirements.

Our internal analysis shows that 12% of document fraud attempts now involve AI-generated media — evidence that synthetic media risk extends well beyond creative content platforms to every sector that processes documents.

Obligations by Actor Type

| Actor type | Primary obligation | Application deadline |
| --- | --- | --- |
| Chatbot / AI assistant provider | Disclose AI interaction to users (Art. 50.1) | 2 August 2026 |
| Deepfake system provider | Embed machine-readable markings in outputs (Art. 50.3) | 2 August 2026 |
| GPAI model provider | Implement detection and labelling solutions (Art. 50.5) | 2 August 2025 |
| Emotion recognition system deployer | Inform exposed persons (Art. 50.2) | 2 August 2026 |
| AI content generation tool deployer | Display visible disclosure on generated content (Art. 50.4) | 2 August 2026 |
| Importer / distributor | Verify imported system complies with the regulation | 2 August 2026 |

Businesses deploying AI content generation in sensitive sectors — financial services, HR, healthcare, public administration — face the broadest exposure. Any AI-generated marketing communication, visual, or document presenting a resemblance to real persons falls within scope.

UK note: The EU AI Act does not apply in the United Kingdom, which left the EU before the regulation was adopted. However, UK businesses operating in EU markets, or whose AI systems are directed at EU residents, are subject to its requirements. The UK's own approach is being developed by DSIT and the AI Safety Institute through the UK AI Regulation Pro-Innovation Approach. UK regulators including the ICO and FCA have issued AI guidance under existing legislative frameworks, but no equivalent binding statute has been enacted as of 2026.

Technical Requirements: Watermarking and the C2PA Standard

Machine-Readable Markings

Article 50(3) does not prescribe a single technology but requires that synthetic content be marked in a machine-readable manner enabling identification as AI-generated or AI-manipulated. The marking must be embedded in the content itself — mentions in terms of service or platform notices do not satisfy this requirement.

Accepted marking approaches include:

  • Embedded metadata: information encoded in file properties (EXIF, XMP, IPTC for images; container metadata for video and audio) that identifies AI origin.
  • Digital watermarks: imperceptible signals embedded in the file data, resistant to compression and cropping, enabling automated detection even after content modification.
  • Cryptographic fingerprints: digital signatures linked to content origin, enabling verification of authenticity and the full chain of processing.

The C2PA Standard

The C2PA standard (Coalition for Content Provenance and Authenticity) is the technical reference most closely aligned with Article 50's requirements. This open standard defines a metadata format — "Content Credentials" — that records content provenance, modifications applied, tools used, and signer identity in a cryptographically signed manifest.

C2PA member companies committed to implementation include Adobe, Microsoft, Google, OpenAI, Sony, the BBC, and Truepic. For businesses deploying AI content generation tools, adopting the C2PA standard represents the most robust and regulator-recognised compliance pathway available.
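As an added example (not CheckFile's code and not part of the original article), the following Python check looks in a JPEG for two of the markings described above: an XMP packet carrying the IPTC Digital Source Type term for AI-generated media, and an APP11 JUMBF box labelled `c2pa`. It is a byte-level presence heuristic that assumes JPEG input, the function names and sample bytes are constructed for illustration, and a hit still needs full manifest and signature validation with a C2PA validator.

```python
import struct

XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
# IPTC Digital Source Type term for media created by a trained model
AI_SOURCE_TYPE = b"digitalsourcetype/trainedAlgorithmicMedia"

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment before start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, stop here
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def provenance_markers(data):
    """Report which machine-readable provenance markers a JPEG carries."""
    found = {"xmp_ai_source_type": False, "c2pa_manifest": False}
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_HEADER):
            found["xmp_ai_source_type"] |= AI_SOURCE_TYPE in payload
        elif marker == 0xEB and payload.startswith(b"JP"):
            # APP11 carries JUMBF boxes; a C2PA manifest store is labelled "c2pa"
            found["c2pa_manifest"] |= b"jumb" in payload and b"c2pa" in payload
    return found

def _segment(marker, payload):
    """Build one JPEG segment: marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample files: header segments only, no image data, and the
# JUMBF bytes are a stand-in, not a valid signed manifest.
_XMP = XMP_HEADER + (b'<rdf:Description Iptc4xmpExt:DigitalSourceType='
    b'"http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia"/>')
_JUMBF = (b"JP\x00\x01\x00\x00\x00\x01" + b"\x00\x00\x00\x20jumb"
          + b"\x00\x00\x00\x18jumd" + b"c2pa\x00")
_JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
MARKED = b"\xff\xd8" + _segment(0xE1, _XMP) + _segment(0xEB, _JUMBF) + b"\xff\xda"
UNMARKED = b"\xff\xd8" + _segment(0xE0, _JFIF) + b"\xff\xda"

if __name__ == "__main__":
    print("marked:  ", provenance_markers(MARKED))
    print("unmarked:", provenance_markers(UNMARKED))
```

Metadata of this kind is lost when a file is re-encoded or stripped by a platform, which is why the list above pairs it with watermarks and signed manifests.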

Technical Steps for Businesses

Technical obligations vary by content type and actor role.

For images and visuals: integrate C2PA Content Credentials via the Adobe Content Authenticity Initiative API or equivalent implementations, or use cryptographic watermarking via specialist providers (Imatag, Digimarc, Truepic).

For video and audio: mark container metadata (MP4, MKV, WAV) and apply watermarking robust to transcoding. Providers of video generation platforms (Sora, Synthesia, Runway) bear the primary implementation responsibility on the provider side.

For AI-generated text from GPAI models: Article 50(5) places the obligation on model providers (OpenAI, Anthropic, Google, Mistral). Deployers must verify that the tools they use satisfy this requirement — due diligence over your AI supply chain is part of compliance.

The European AI Office is coordinating the development of complementary technical standards that will specify accepted formats in greater detail.

Penalties: Amounts and Enforcement Authorities

Penalty Table

| Violation type | Maximum penalty | Reference |
| --- | --- | --- |
| Prohibited AI practices (Art. 5) | €35 million or 7% of global annual turnover | Art. 99.3 |
| Transparency obligation violations (Art. 50) | €15 million or 3% of global annual turnover | Art. 99.4 |
| Providing inaccurate information to authorities | €7.5 million or 1% of global annual turnover | Art. 99.5 |
| SMEs — inaccurate information to authorities | Capped at €7.5 million or 1% of turnover | Art. 99.5 |

The higher of the fixed amount and the turnover percentage always applies. For a company with €500 million in annual global turnover, a single Article 50 violation can generate a €15 million fine.

National Enforcement Authorities

Enforcement is structured across national and European levels.

In France, ARCOM (Autorité de régulation de la communication audiovisuelle et numérique) is the designated market surveillance authority for content and media aspects. It has jurisdiction to audit AI systems generating audiovisual content and to impose sanctions (arcom.fr). The CNIL supervises data protection aspects of AI systems, including biometric categorisation and emotion recognition (cnil.fr).

The European AI Office (Brussels) has jurisdiction over GPAI model providers operating across multiple member states. For cross-border enforcement, it coordinates with national authorities.

In the UK, the ICO remains the primary regulator for AI and data protection issues under UK GDPR, with sector-specific oversight from the FCA for financial services and Ofcom for content.

Compliance Timeline

Key Dates

| Date | Obligation entering into force |
| --- | --- |
| 1 August 2024 | Regulation (EU) 2024/1689 enters into force |
| 2 February 2025 | Prohibitions apply — unacceptable risk AI systems (Art. 5) |
| 2 August 2025 | GPAI obligations apply — general-purpose AI models (Chapter V, Art. 50.5) |
| 2 August 2026 | Full application — high-risk AI systems (Annex III) + transparency obligations Art. 50.1–50.4 |
| 2 August 2027 | Application to AI systems embedded in regulated products |

GPAI model providers (ChatGPT, Gemini, Claude, Mistral) have been subject to their obligations since 2 August 2025. For businesses deploying these models in their own products or services, the critical compliance date is 2 August 2026 — twelve months from the date of this article.

The broader regulatory context includes the eIDAS 2.0 regulation on digital identity, which interacts with the EU AI Act on questions of content authenticity and digital verification. AML obligations under AMLD6 also create parallel requirements for regulated entities using AI in client verification — see our AML compliance guide for the intersection of these frameworks.

Practical Compliance Checklist for Businesses

Step 1: Inventory all in-scope AI systems

Map every AI tool you use or provide that generates or manipulates content (images, video, audio, text) that could resemble real persons or events. Include third-party APIs integrated into your workflows — image generation APIs, text generation tools, voice synthesis.

Step 2: Determine your role for each system

For each identified system, establish whether you are a provider (you develop or commercialise the system) or a deployer (you use a third-party system). Obligations differ and can stack — a publisher using its own AI is both provider and deployer.

Step 3: Audit existing disclosure mechanisms

Verify whether your user interfaces inform recipients when they interact with an AI or receive AI-generated content. Terms-of-service disclosures do not satisfy the regulation — disclosure must be visible, contextual, and delivered at the point of interaction.

Step 4: Implement machine-readable markings

Contact your AI tool providers to verify their compliance with Article 50(5) and their implementation of C2PA or an equivalent standard. If you are a provider, initiate technical development of machine-readable markings for all AI-generated content your system produces.

Step 5: Build your compliance documentation

Assemble a compliance file documenting: the AI systems in use, the technical measures deployed, disclosure procedures, and internal responsibility assignments. Regulators will request this documentation in any enforcement investigation.

Step 6: Train all relevant teams

Marketing, communications, HR, product development — every team using generative AI tools must understand the new obligations. Ignorance of the regulation does not constitute a defence, and the obligations attach to the deployer regardless of whether the provider has informed them.

Step 7: Strengthen your document fraud detection

The growth of synthetic media directly increases document fraud risk. Our platform detects that 12% of document fraud attempts now involve AI-generated media, across 180,000 documents processed monthly. Organisations that receive documents from third parties — banks, insurers, fintechs, HR platforms — need detection capabilities that match the sophistication of AI-generated forgeries.

CheckFile achieves a 94.8% fraud detection recall rate across this volume. Our document verification solutions include synthetic content detection, identifying AI-generated documents before they reach your decision processes.

For a broader overview of document compliance obligations, see our document compliance guide. For the technical dimension of deepfake fraud, our article on synthetic identity documents and our AI fraud detection guide cover detection methods in depth.

Review our security policy to understand our data protection architecture, or consult pricing to find the plan that matches your document volume.


Frequently Asked Questions

What does Article 50 of the EU AI Act require in practice?

Article 50 creates four categories of obligation. AI systems that interact with users (chatbots, virtual assistants) must disclose the AI nature of the interaction. Emotion recognition and biometric categorisation systems must inform exposed persons. AI systems that generate deepfakes must embed machine-readable markings in their outputs. Providers of general-purpose AI models must implement technical solutions enabling detection and labelling of AI-generated content. An exception exists for satire and parody, but disclosure remains required where there is a significant risk of public deception.

Does the EU AI Act apply to UK businesses?

UK-based businesses are not subject to the EU AI Act simply by virtue of being in the UK. However, any UK business that provides AI systems to EU users, directs AI-generated content at EU residents, or has an EU establishment is subject to the regulation's requirements for those activities. The UK government is developing its own AI regulatory framework through DSIT and the AI Safety Institute, but no binding legislation equivalent to the EU AI Act was enacted as of May 2026. UK-based businesses with EU operations need to manage compliance across both frameworks.

Is the C2PA standard mandatory under the EU AI Act?

No. The regulation requires machine-readable markings but does not mandate a specific technology. In practice, C2PA has become the industry-leading technical standard — backed by Adobe, Microsoft, Google, OpenAI, the BBC, and others — and represents the most regulator-recognised compliance pathway. Alternative approaches (proprietary cryptographic watermarking, XMP metadata) exist, but their regulatory acceptance is less established. Businesses choosing non-C2PA solutions should document their equivalence to the regulation's requirements.

Do small businesses have to comply with the EU AI Act on synthetic media?

Yes. The regulation applies to all businesses providing or deploying AI systems in the EU, regardless of size. SMEs benefit from reduced penalty caps for providing inaccurate information to authorities (€7.5 million or 1% of turnover), but the substantive compliance obligations are identical. The European AI Office has published dedicated guidance for SMEs on the EU AI Act, and several national authorities offer compliance support programmes.

What is the difference between a provider and a deployer under the AI Act?

A provider develops and places an AI system on the market. A deployer uses that system in its own professional activities to deliver products or services. A company building and selling an AI image generator is a provider. A company using that generator to create marketing visuals for clients is a deployer. Both categories carry distinct, cumulative obligations. A business that both develops and uses its own AI system bears the obligations of both provider and deployer simultaneously.
