
EU AI Act Synthetic Media Disclosure: What US Businesses Must Know

US businesses with EU customers face binding EU AI Act transparency obligations from August 2026. Article 50 requirements, C2PA watermarking, FTC context, and a compliance checklist.

CheckFile Team

US businesses are not subject to the EU AI Act by virtue of being American — but any company that deploys AI systems directed at EU users, generates AI content consumed by EU persons, or provides AI-powered services to EU customers falls squarely within scope. Regulation (EU) 2024/1689 Article 50 imposes binding synthetic media disclosure obligations from 2 August 2026, with penalties reaching €15 million or 3% of global annual turnover. The regulation reaches across the Atlantic. If your business touches the EU, you need a compliance plan now.

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for guidance specific to your situation.

Does the EU AI Act Apply to US Businesses?

The Extraterritorial Scope of the Regulation

The short answer is: frequently, yes. Article 2(1)(a) of Regulation (EU) 2024/1689 establishes that the regulation applies to providers placing AI systems on the EU market, regardless of whether those providers are established in the EU or elsewhere. Article 2(1)(c) extends this to deployers using AI systems who are located in the EU — meaning the location of the AI's end user matters, not just the location of the developer.

Three categories of US business are clearly caught:

  1. US companies with EU customers: any SaaS platform, media company, fintech, or e-commerce operator whose AI-generated content reaches EU residents is subject to the regulation for those activities.
  2. US businesses with EU subsidiaries or operations: an American company whose EU branch deploys AI content generation tools must comply as a deployer within the EU.
  3. US AI developers whose systems are distributed in the EU: any company selling AI software, APIs, or generative AI products to EU customers is a provider under the regulation, regardless of where the company is incorporated or where the code runs.

The key distinction from US law is extraterritoriality. Unlike most US regulations, which are jurisdiction-bound, the EU AI Act follows the person receiving the output. This mirrors the approach taken by the EU General Data Protection Regulation (GDPR) — and US multinationals already know from GDPR experience that the EU's reach is real and enforced.

What Does Not Trigger the EU AI Act

A US business that uses AI systems exclusively for domestic operations — generating content only for US customers, with no EU distribution, no EU affiliate, and no EU user base — is not within scope. Domestic-only operations remain subject to US law alone. The distinction matters in practice: a local marketing agency using AI tools for US clients operates in a very different compliance position from a US software company whose AI content platform serves a global audience.

The US Regulatory Landscape by Contrast

The United States has not enacted a federal AI Act equivalent. Executive Order 14110, issued in October 2023 and titled "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence," directed federal agencies to develop guidelines and risk assessments, but it does not create private-sector compliance obligations on the scale of the EU AI Act. The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) offers a voluntary framework for AI governance, widely adopted in government contracting and financial services — but compliance is not legally mandated.

At the federal regulatory level, the FTC has issued guidance warning that AI-generated content deployed deceptively violates Section 5 of the FTC Act (unfair or deceptive acts or practices), but this operates through enforcement actions rather than ex ante compliance requirements. FinCEN has addressed AI in the context of AML/BSA compliance without creating specific AI disclosure obligations.

State-level legislation is moving faster than federal law. Colorado SB 205 targets algorithmic discrimination. California AB 2013 requires disclosure of training data for AI systems. Illinois's Artificial Intelligence Video Interview Act creates obligations around AI-driven hiring. These state laws are narrower and more sector-specific than the EU AI Act — they do not create a general synthetic media disclosure framework comparable to Article 50.

For US businesses with EU exposure, the EU AI Act is likely the most demanding binding regulation they will face on synthetic media in 2026.

What Article 50 Requires

Synthetic Media Defined

The EU AI Act does not define "synthetic media" as a standalone term. It covers all AI-generated or AI-manipulated content — images, audio, video, and text — that resembles real persons, places, or events, or that could be mistakenly perceived as authentic. The regulation's central operative concept is the deepfake: any AI-generated or AI-manipulated image, audio, or video content resembling existing persons, objects, places, or entities that could mislead viewers about authenticity.

In practice, this captures a wide range of commercially deployed content: AI-generated advertising visuals featuring realistic human faces, AI voice cloning in marketing audio, AI-generated video testimonials, chatbots presenting as human advisors, and synthetic identity documents.

The Four Obligations Under Article 50

Article 50(1) requires providers of AI chatbot and virtual assistant systems that interact directly with natural persons to inform users that they are interacting with an AI — unless this is contextually obvious. A US-based fintech whose EU-facing customer service runs on an AI assistant must implement this disclosure.

Article 50(2) requires operators of emotion recognition and biometric categorisation systems to inform the persons exposed to those systems. US HR technology companies offering AI sentiment analysis tools to EU employers are directly affected.

Article 50(3) requires providers of AI systems that generate deepfakes to embed machine-readable markings in their outputs identifying the content as artificially generated or manipulated. This is the core technical obligation for synthetic media: the marking must be in the content, not just in a terms-of-service footnote.

Article 50(4) preserves a limited exception for art, satire, and parody — but requires disclosure even in these cases where there is a significant risk of public deception.

Article 50(5) obligates providers of general-purpose AI (GPAI) models to implement technical solutions enabling detection and labelling of AI-generated content across all uses of their models. This obligation applied from 2 August 2025, meaning US-based GPAI providers (OpenAI, Anthropic, Google) have already been subject to it for nearly a year.

Regulatory synthesis: Article 50 of Regulation (EU) 2024/1689 makes synthetic media disclosure a binding legal obligation for any US business operating in or directed at the EU market, with full application from 2 August 2026 (EUR-Lex, Regulation EU 2024/1689, Art. 50).

Who Must Comply

Provider vs. Deployer

The regulation draws a fundamental distinction between providers and deployers, each bearing different obligations.

A provider is any entity that develops an AI system and places it on the EU market, whether or not the entity is established in the EU. A US company selling an AI image generation API to European customers is a provider.

A deployer is any entity that uses an AI system in its professional activities to deliver products or services. A US marketing agency using a third-party AI content tool to produce materials for EU clients is a deployer for those activities.

Importers who bring AI systems developed outside the EU into the European market carry provider-equivalent obligations. Distributors who supply AI products to EU markets without modifying them bear proportionate verification obligations.

Our platform detects that 12% of document fraud attempts involve AI-generated synthetic media — across 180,000 documents verified monthly. This figure reflects not just the scale of synthetic media fraud, but how comprehensively AI generation tools have penetrated the document fraud ecosystem. Compliance obligations exist alongside detection capability as complementary responses to the same underlying risk.

Obligations by Actor Type

| Actor type | Primary obligation | Deadline |
| --- | --- | --- |
| AI chatbot / virtual assistant provider | Disclose AI interaction to EU users (Art. 50.1) | 2 August 2026 |
| Deepfake generation system provider | Embed machine-readable markings in outputs (Art. 50.3) | 2 August 2026 |
| GPAI model provider (OpenAI, Anthropic, Google) | Implement detection/labelling solutions (Art. 50.5) | 2 August 2025 (already in force) |
| Emotion recognition / biometric system operator | Inform exposed persons (Art. 50.2) | 2 August 2026 |
| AI content tool deployer (EU-facing activities) | Display visible disclosure; verify provider compliance | 2 August 2026 |
| Importer / EU distributor of US AI products | Verify imported systems comply with regulation | 2 August 2026 |

Technical Requirements: C2PA Watermarking

Machine-Readable Markings Under Article 50(3)

Article 50(3) does not prescribe a specific technology. It requires that synthetic content be marked in a machine-readable format enabling identification as AI-generated or AI-manipulated. The marking must be embedded in the content itself — platform-level notices and terms-of-service disclosures do not satisfy this obligation.

Three main technical approaches are in use:

  • Embedded metadata: information encoded in file properties (EXIF, XMP, IPTC for images; container metadata for video and audio) identifying AI origin.
  • Digital watermarks: imperceptible signals embedded in file data, resistant to compression, cropping, and re-encoding, enabling automated detection even after content modification.
  • Cryptographic fingerprints: digital signatures linked to content origin, enabling verification of the full chain of provenance and processing history.

The C2PA Standard

The C2PA standard (Coalition for Content Provenance and Authenticity) is the technical framework most closely aligned with Article 50's requirements. C2PA defines a metadata format — Content Credentials — that records content provenance, modifications, tools used, and signer identity in a cryptographically signed manifest.

C2PA's backers include Adobe, Microsoft, Google, OpenAI, Sony, the BBC, and Truepic — a roster that spans major US technology companies. For US businesses deploying AI content generation tools, adoption of C2PA represents the compliance pathway most likely to satisfy EU regulatory requirements and to be validated by national enforcement authorities.

For image and visual content: the Adobe Content Authenticity Initiative API provides a direct implementation path. Specialist watermarking providers including Imatag, Digimarc, and Truepic offer alternatives.
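An added example (not from the original article, and not CheckFile's or any vendor's code): a small Python check a deployer could run on a JPEG before and after an image-processing step to confirm that embedded provenance markings survived. It only tests for the presence of an XMP packet, the IPTC `trainedAlgorithmicMedia` digital source type, and a JUMBF box labelled `c2pa` in an APP11 segment; it does not validate a C2PA signature, and the sample bytes are constructed header stubs, not real images.

```python
import struct

XMP_HDR = b"http://ns.adobe.com/xap/1.0/\x00"  # APP1 signature of an XMP packet
AI_SOURCE = b"trainedAlgorithmicMedia"         # IPTC DigitalSourceType term for AI-generated media

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment before start-of-scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:      # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:      # SOS: compressed image data follows
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_markings(data):
    """Return the set of provenance markings present in the JPEG headers."""
    found = set()
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_HDR):
            found.add("xmp")
            if AI_SOURCE in payload:
                found.add("xmp:ai-source-type")
        elif marker == 0xEB and payload[:2] == b"JP" and b"c2pa" in payload:
            found.add("c2pa-manifest")  # heuristic: APP11 JUMBF box labelled c2pa
    return found

def lost_markings(before, after):
    """Markings present before a processing step but missing afterwards."""
    return find_markings(before) - find_markings(after)

def seg(marker, payload):
    """Build one JPEG marker segment (helper for the constructed samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def box(kind, body):
    """Build one length-prefixed JUMBF-style box (helper for the samples)."""
    return struct.pack(">I", 8 + len(body)) + kind + body

# Constructed sample data: header stubs only, not decodable images.
JFIF = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
XMP = seg(0xE1, XMP_HDR + b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:Description '
          b'Iptc4xmpExt:DigitalSourceType="http://cv.iptc.org/newscodes/'
          b'digitalsourcetype/trainedAlgorithmicMedia"/></x:xmpmeta>')
C2PA = seg(0xEB, b"JP\x00\x01\x00\x00\x00\x01"
           + box(b"jumb", box(b"jumd", b"\x00" * 16 + b"\x03c2pa\x00")))
SCAN = b"\xff\xda\x00\x02" + b"\x00" + b"\xff\xd9"
BEFORE = b"\xff\xd8" + JFIF + XMP + C2PA + SCAN   # as received from the generator
AFTER = b"\xff\xd8" + JFIF + SCAN                 # after a step that kept only JFIF

if __name__ == "__main__":
    print("markings lost:", sorted(lost_markings(BEFORE, AFTER)))
```

A non-empty result from `lost_markings` means the step discarded markings the generating system embedded, which is the condition a deployer's workflow has to avoid.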

For AI-generated text: Article 50(5) places the primary obligation on GPAI model providers. US deployers must verify, through contractual due diligence, that their AI tool providers have implemented compliant detection and labelling solutions.

The NIST AI RMF encourages governance and documentation practices that complement but do not substitute for EU AI Act compliance. The White House Executive Order 14110 directed NIST to develop AI standards — work that informed C2PA's development and aligns US technical standards development with emerging international requirements.

Penalties and Enforcement

EU Penalties for Article 50 Violations

| Violation | Maximum penalty | Reference |
| --- | --- | --- |
| Transparency obligation violations (Art. 50) | €15 million or 3% of global annual turnover | Art. 99(4) |
| Prohibited AI practices (Art. 5) | €35 million or 7% of global annual turnover | Art. 99(3) |
| Providing inaccurate information to authorities | €7.5 million or 1% of global annual turnover | Art. 99(5) |

The higher of the fixed amount and the turnover percentage applies. For a US company with $500 million in global annual revenue, a single Article 50 violation could generate a €15 million fine. EU enforcement authorities have cross-border reach: the European AI Office coordinates enforcement across member states and has jurisdiction over GPAI model providers regardless of where they are headquartered.

The EU has demonstrated willingness to enforce extraterritorial regulations against US companies through GDPR — multiple US multinationals have received significant GDPR fines from Irish, French, and other EU data protection authorities. The AI Act enforcement infrastructure is designed along similar lines.

US Regulatory Context

US law does not create direct equivalents to Article 50's obligations, but parallel compliance pressures exist.

The FTC has made clear that AI-generated content deployed in advertising or customer-facing communications that is deceptive violates Section 5 of the FTC Act. FTC enforcement on AI disclosure is active: companies that present AI-generated content as human-created, or fail to disclose the AI nature of customer interactions, face investigation and consent orders.

FinCEN has issued guidance recognizing AI's role in AML compliance, including risks from AI-generated synthetic identities. Financial institutions subject to the Bank Secrecy Act (31 USC §5311) must file Suspicious Activity Reports when synthetic document fraud is suspected — an obligation that intersects with the EU AI Act's disclosure requirements when the same AI systems are used in EU-facing KYC processes.

State deepfake laws add further obligations. California AB 602 creates civil liability for distributing non-consensual deepfakes. California AB 730 prohibits deepfake political content in the 60 days before an election. Texas HB 4337 and Georgia HB 636 address synthetic media in varying commercial contexts. These state laws operate independently of EU AI Act compliance but collectively reinforce the regulatory direction of travel.

Compliance Timeline

| Date | Obligation |
| --- | --- |
| 1 August 2024 | Regulation (EU) 2024/1689 enters into force |
| 2 February 2025 | Prohibition on unacceptable-risk AI systems (Art. 5) |
| 2 August 2025 | GPAI model obligations (Art. 50.5) — already in force |
| 2 August 2026 | Full application: Art. 50.1–50.4 transparency obligations + high-risk AI systems |
| 2 August 2027 | Application to AI embedded in regulated products (e.g., medical devices, vehicles) |

The critical date for most US businesses is 2 August 2026. GPAI model providers (including US-based OpenAI, Anthropic, and Google) have been subject to Article 50(5) since 2 August 2025. Deployers of those models must have their own disclosure and verification measures in place by August 2026.

Practical Checklist for US Businesses

Step 1: Map your EU exposure

Identify every product, service, or workflow that: (a) generates or manipulates AI content, (b) reaches EU users, customers, affiliates, or employees. Include third-party AI APIs integrated into your platform. A US SaaS company that does not actively market in the EU but has EU users through organic growth is still within scope.

Step 2: Classify your role for each AI system

Establish whether you are a provider (you develop or commercialize the AI system) or a deployer (you use a third-party system). A business that both builds and uses its own AI tool bears both sets of obligations simultaneously.

Step 3: Audit your disclosure mechanisms

Review every customer-facing interface where AI-generated content is delivered. Verify that users are informed when they interact with an AI assistant. Verify that AI-generated images, video, and audio carry machine-readable markings. Terms-of-service disclosure does not satisfy the regulation.

Step 4: Engage your AI tool providers

Send due diligence requests to every AI tool vendor supplying systems used in EU-facing activities. Specifically ask: (a) whether they are compliant with Article 50(5), (b) what technical standards they have implemented (C2PA or equivalent), and (c) what documentation they provide to support your own compliance file.

Step 5: Implement C2PA or equivalent technical measures

If you are a provider of AI content generation tools with EU distribution, initiate or accelerate C2PA Content Credentials integration. If you are a deployer, ensure your workflow does not strip or overwrite markings embedded by the generating system.

Step 6: Build your compliance documentation file

Assemble documentation covering: inventory of in-scope AI systems, role classification (provider/deployer), technical measures implemented, disclosure procedures, vendor due diligence records, and internal responsibility assignments. This file is what EU enforcement authorities will request in any investigation.

Step 7: Align your FTC disclosure obligations

For US-facing activities, ensure AI-generated advertising and marketing content complies with FTC guidance on clear and conspicuous disclosure. The disclosure standards differ between FTC and EU AI Act requirements, but building disclosure habits that satisfy the stricter (EU) standard typically satisfies the less prescriptive FTC framework as well.

Step 8: Strengthen synthetic media detection in your document workflows

The same AI tools driving compliance obligations are driving document fraud. Our platform detects that 12% of document fraud attempts involve AI-generated synthetic media, across 180,000 documents processed monthly, with a 94.8% fraud detection recall rate. For any US business that receives documents from third parties — for KYC, lending, HR, or insurance purposes — detection capability must keep pace with generation capability.

CheckFile provides document verification solutions that include synthetic content detection, identifying AI-generated documents before they reach your decision processes. Learn more about synthetic identity fraud and our AI fraud detection approach, or review our document compliance guide for the broader regulatory context.

For technical architecture and data handling, see our security policy. For plan options matched to your document volume, see pricing.


Frequently Asked Questions

Does the EU AI Act apply to my US business if we have EU customers?

Yes, if your AI systems generate or process content that EU customers or users receive. Article 2(1)(a) of the regulation applies to providers placing AI systems on the EU market regardless of where the provider is established. A US company with EU users of its AI-powered platform is a provider under the regulation for those activities. Domestic-only US operations — with no EU distribution, no EU users, no EU affiliates — are outside scope.

What is the difference between the EU AI Act and US federal AI law?

The EU AI Act is a comprehensive, binding regulation with specific technical requirements and substantial penalties for non-compliance. US federal AI governance — EO 14110 and the NIST AI RMF — is voluntary and guidance-based, creating no equivalent private-sector compliance obligations. The FTC can pursue enforcement for deceptive AI practices under Section 5 of the FTC Act, but this is reactive enforcement rather than a proactive compliance framework. For US businesses with EU exposure, the EU AI Act is the more demanding and more concrete obligation.

Is C2PA required, or are other watermarking approaches acceptable?

The regulation requires machine-readable markings but does not mandate C2PA specifically. However, C2PA has become the industry-leading standard — supported by Adobe, Microsoft, Google, OpenAI, the BBC, and others — and is the approach most likely to satisfy EU enforcement authorities. US businesses choosing alternative watermarking or metadata approaches should document how those approaches meet the regulation's requirements with equivalent technical robustness.

What are the penalties for a US company that violates Article 50?

The maximum penalty is €15 million or 3% of global annual turnover, whichever is higher. For a US company with $1 billion in global revenue, that could reach approximately €30 million (3% of turnover). EU enforcement authorities have jurisdiction to investigate providers and deployers regardless of where they are headquartered, and the EU has demonstrated willingness to enforce extraterritorial regulations against US multinationals through the GDPR precedent.

What US state laws on deepfakes should we also track?

California AB 602 (civil liability for non-consensual deepfakes), AB 730 (political deepfake prohibition), Texas HB 4337, and Georgia HB 636 are the primary state-level frameworks as of May 2026. These operate independently of EU AI Act compliance and vary considerably in scope and penalty structure. Colorado SB 205 addresses algorithmic discrimination in consequential decisions. California AB 2013 targets AI training data disclosure. None of these create a comprehensive synthetic media disclosure framework comparable to Article 50 — monitoring both federal developments and state-level changes alongside EU obligations is essential for US businesses in this space.
