AI Act transparency: what EU SMEs must label by August 2026

The Digital Omnibus delayed the AI Act’s most demanding rules, and a lot of SME owners heard the same headline: we have until 2027. For one set of duties, that reading is wrong, and it is the set most small firms will actually trip over.

On 2 August 2026, the transparency obligations in Art. 50 of Regulation (EU) 2024/1689 still apply. The Omnibus moved the high-risk regime to 2 December 2027 for standalone Annex III systems and 2 August 2028 for systems embedded in regulated products. It left Article 50 on its original date, with one narrow exception. So the question for an SME is no longer “when does the AI Act hit us?” It is “which of the four Article 50 duties is ours, and which belongs to our vendors?”

What the Omnibus moved, and what it did not

The Digital Omnibus is a simplification package the Commission proposed on 19 November 2025. Co-legislators reached a provisional agreement on 7 May 2026, with a European Parliament plenary vote expected in June 2026 and formal Council adoption after that. Until the text is adopted and published in the Official Journal, the original AI Act dates remain legally binding.

What it changes is real but targeted:

• High-risk obligations for standalone Annex III systems move from 2 August 2026 to 2 December 2027.
• High-risk obligations for systems embedded in regulated products move to 2 August 2028.
• The simplified documentation and proportionate-penalty regime, previously reserved for SMEs, extends to small mid-caps.
• A new prohibition is added for AI that generates non-consensual intimate imagery or child sexual abuse material.

What it does not touch is just as important. The Art. 4 AI literacy duty, in force since 2 February 2025, stays. The general-purpose AI model rules, applicable since 2 August 2025, stay. And Article 50 stays on 2 August 2026, except for the machine-readable marking duty in Art. 50(2), which is postponed to 2 December 2026 for generative systems already on the market before August. That single grace period is the only Article 50 relief in motion, and it is not yet law.

The four transparency duties, in plain terms

Article 50 is short, but it bundles four different obligations that fall on different parties. Reading it as one rule is where SMEs go wrong.

• Art. 50(1): providers must design AI systems that interact directly with people so that the person is told they are dealing with an AI, unless that is obvious to a reasonably observant user. This is the chatbot and voice-assistant notice.
• Art. 50(2): providers of generative AI, including general-purpose systems, must mark synthetic audio, image, video and text in a machine-readable format that is detectable as artificially generated. The solution must be effective, interoperable, robust and reliable as far as is technically feasible. Assistive editing and minor alterations are out of scope.
• Art. 50(3): deployers of an emotion recognition or biometric categorisation system must inform the people exposed to it, and must process their data in line with the GDPR.
• Art. 50(4): deployers must disclose deep fakes as artificially generated or manipulated, and must disclose AI-generated or manipulated text that is published to inform the public on matters of public interest. Artistic and satirical work gets a lighter disclosure that does not spoil the piece; text under genuine human editorial responsibility is exempt.

Under Art. 50(5), every one of these disclosures must be clear, distinguishable, and given at the latest at the first interaction or exposure, and it must meet accessibility requirements.

Article 50 duty	Who owes it	Applies from	Typical SME action
50(1) “you are talking to an AI” notice	Provider of the interacting system	2 Aug 2026	If you build or rebrand a bot, show the notice; if you buy one, confirm the vendor does
50(2) machine-readable marking of synthetic content	Provider of the generative system	2 Dec 2026 for pre-August systems, else 2 Aug 2026	Choose tools that mark and watermark outputs; this is not yours to build
50(3) emotion / biometric categorisation notice	Deployer	2 Aug 2026	Inform exposed persons; align with the GDPR
50(4) deepfake and public-interest text disclosure	Deployer	2 Aug 2026	Label AI-generated or altered image, audio, video and public-interest text

Source: Regulation (EU) 2024/1689, Article 50 and Article 113; European Parliament, Digital Omnibus on AI. Last verified 2026-06-09.

Provider or deployer: the distinction that decides your list

The single most useful thing an SME can do before August is to place itself on the right side of one line. A provider builds or develops an AI system, or puts one on the market under its own name. A deployer uses an AI system under its own authority in the course of business. Most SMEs are deployers, and that changes the bill.

The marking duty in Art. 50(2) and the design duty in Art. 50(1) are written as provider obligations. If you use ChatGPT, Copilot, a hosted image generator or an off-the-shelf chatbot, the legal weight of marking and of designing the AI-interaction notice sits with the tool maker, not with you. Your job is procurement: pick vendors who already mark their outputs and who surface the AI notice, and keep the evidence that they do.

Your direct duties as a deployer are narrower and concrete. They are the Art. 50(3) notice if you run emotion recognition or biometric categorisation, and the Art. 50(4) disclosure if you publish deep fakes or AI-generated text on matters of public interest. The trap is the firm that quietly crosses into provider territory: rebrand a chatbot as “your” assistant, fine-tune a model and ship it, or wrap a generator in your own product, and you can inherit the provider obligations you assumed were someone else’s.

What “clear and distinguishable” actually means

The Act does not define the exact wording or placement of a disclosure, but the guidance is no longer a blank page. On 8 May 2026 the Commission issued draft guidelines on the implementation of the Article 50 transparency obligations, and ran a public consultation that closed on 3 June 2026, with a final version due before the August application date. In parallel, the AI Office is steering a Code of Practice on the marking and labelling of AI-generated content, now at its second draft after versions published on 17 December 2025 and 5 March 2026.

Two practical signals come out of that work. First, marking is moving toward a two-layered approach: secured metadata attached to the file, plus a visible or audible watermark, with optional fingerprinting and logging. Second, “clear and distinguishable” means a disclosure a normal user actually notices, not a line buried in terms of service. A grey footer nobody reads will not satisfy Art. 50(5).

For a deployer, that translates into simple, testable rules: the chatbot says it is an AI in its opening message, the deepfake carries a visible label, and the AI-generated public-interest text names itself as such where a reader will see it before they act on it.

A short compliance checklist for SME deployers

This is a process task, not a high-risk programme. For most SMEs it is a few days of internal work, not a six-figure engagement.

1. List your AI touchpoints. Every chatbot, voice agent, content generator and any emotion or biometric tool. If the list is empty of the last category, Art. 50(3) does not apply to you.
2. Sort each one into provider or deployer. Bought and used as-is, you are a deployer. Built, fine-tuned or rebranded, check whether you became a provider.
3. Push the marking duty to vendors in writing. Ask each generative tool how it marks outputs under Art. 50(2), and keep the answer.
4. Write your disclosures. A one-line AI notice for any interface that talks to people, a visible label format for deepfakes, and a rule for AI-generated public-interest text.
5. Set the timing. Disclosure at first interaction or exposure, and accessible, per Art. 50(5).
6. Diarise the dates. 2 August 2026 for the disclosure duties; 2 December 2026 for the marking grace period, if the Omnibus is adopted as agreed. Watch the Official Journal so a change does not catch you flat.

The decision for 2026

The Omnibus bought real time on the heavy, expensive tier of the AI Act. It did not buy time on the cheap, visible one. Article 50 is the part of the law a customer can check from your homepage, and it is the part that lands first.

For most SMEs the honest answer is reassuring: you are a deployer, you owe two disclosure duties and a procurement check, and the cost is measured in days, not consultants. The firms that get this wrong will not be the ones that read the law. They will be the ones that read the headline, relaxed until 2027, and forgot which deadline the delay never moved.