GreyScape.ai

Compliance

Article 50 transparency rules: what to disclose to your users

The three Article 50 duties every SaaS with AI features needs to ship: AI interaction disclosure, synthetic content marking, and deepfake labels. Concrete examples and the UI patterns that work.

GreyScape.ai Published 10 June 2026 7 min read

Article 50 of the EU AI Act sets out three transparency duties that catch a much wider surface than the high-risk regime. Where Annex III applies to roughly 10-20% of SaaS surfaces, Article 50 applies to almost any product that ships an AI feature with user-visible output. That includes chatbots, AI drafting assistants, image generators, voice cloners, AI-narrated video tools, support copilots, scheduling assistants — the lot.

This is the practitioner's guide to the three duties, what each one means in product terms, and the UI patterns we've seen work without crashing conversion rates.

For the bigger compliance picture, see our EU AI Act compliance guide for SaaS.

Duty 1: AI interaction disclosure

The rule: When a natural person interacts directly with an AI system, they must be informed they are doing so, unless that's obvious from the context.

What "obvious from context" means in practice: a clearly labelled "AI assistant" button on a help page is probably obvious. A chatbot popping up in the corner of a website is not — users frequently believe they are talking to a human agent. The European AI Office is expected to publish guidance, but the safe default is to disclose explicitly.

SaaS triggers:

  • Customer-support chatbots (Intercom Fin, Zendesk AI, Ada, Drift)
  • AI tutoring or learning assistants
  • AI scheduling assistants on websites
  • AI drafting agents in document editors
  • AI voice agents in IVR / call centres
  • AI-driven email reply drafting (the recipient should know if a reply was AI-generated, not just the author)
  • AI moderation bots that interact with users in forums

UI patterns that work:

  • A persistent label inside the chat panel: "AI assistant — responses are generated by AI"
  • A first-message disclosure: "Hi, I'm an AI assistant. I can help with X, Y, Z. For anything I can't help with, I'll route you to a human."
  • A pre-call disclosure for voice: "You're about to speak to an AI assistant. Press 1 to continue, or 0 to be transferred to a human."

What doesn't work:

  • Burying the disclosure in a terms-of-service link only
  • Using ambiguous branding like "Smart Assistant" without saying it's AI
  • Only disclosing after the user has shared sensitive information

Duty 2: Synthetic content marking

The rule: AI-generated or AI-manipulated audio, image, video, or text content must be marked in a machine-readable format that is detectable as artificially generated.

What "machine-readable" means: this is not the visible label (that's covered by the deepfake duty below). It's metadata embedded in the file or the publication chain so that downstream platforms (YouTube, X, Instagram, news aggregators, content classifiers, browsers) can detect AI generation programmatically.

The current de facto standard is C2PA (Coalition for Content Provenance and Authenticity) — backed by Adobe, Microsoft, Sony, OpenAI, Google, and most major content platforms. The Act doesn't mandate C2PA specifically, but the technical recommendations from the European AI Office point that way.

SaaS triggers:

  • Image-generation features (Midjourney, DALL-E in your product, Stable Diffusion wrappers)
  • AI voice synthesis (ElevenLabs-powered features, Murf, custom voice clones)
  • AI video generation or editing (Synthesia, Runway, custom models)
  • AI text-to-speech for podcast or audiobook production
  • AI-drafted text used as content (article generators, AI copy tools)

Implementation patterns that work:

  • Sign every AI-generated asset with a C2PA manifest at the moment of generation
  • Pass the manifest through any post-processing or compression so it survives downstream
  • For text, use a stable watermarking scheme (statistical or semantic) where feasible; for current text models this is harder than image/audio/video but emerging
  • Document the marking scheme in your technical documentation for the Article 11 dossier

What doesn't work:

  • Marking only the final exported file but stripping it during preview or in-product render
  • Relying on the underlying model vendor's marking if you don't pass it through your pipeline
  • Custom proprietary watermarks that downstream tools can't detect

Duty 3: Deepfake and impersonation labels

The rule: AI systems generating or manipulating image, audio, or video content that constitutes a deepfake must visibly label the content as artificially generated or manipulated.

What counts as a deepfake: image, audio, or video that resembles existing persons, objects, places, entities, or events and would appear to a person to be authentic or truthful, when in fact it is artificially generated or manipulated.

The key word is "resembles" — a fully synthetic stock photo of an imaginary person doesn't trigger; a generated video of a recognisable politician saying something they didn't say does. Same for voice clones of real people, manipulated video of real events, or AI-generated images depicting recognisable celebrities.

SaaS triggers:

  • AI face-swap features (commercial or consumer)
  • Voice-cloning tools that can clone a real person's voice
  • AI video tools that can place a real person in a scene
  • AI image tools where users can prompt the likeness of a real person
  • Brand voice / brand likeness clones used in marketing tooling

UI patterns that work:

  • Visible overlay label on the output ("AI-generated — depicts X who did not say this")
  • Always-on watermark in the corner of the rendered video or image
  • Disclosure copy in the product when a user generates content depicting a real person, with friction ("This content will be visibly labelled as AI-generated")
  • Refusal at the prompt level for politically-sensitive likenesses

Carve-outs:

The Act has narrow carve-outs for clearly artistic, creative, satirical, fictional, or analogous works (Article 50(4)). The label can be adjusted to "appropriate manner that does not hamper the display or enjoyment" — but the disclosure obligation still exists in some form.

How the three duties interact

The duties are cumulative — a single feature can trigger all three. An AI customer-support assistant that also generates synthetic voice replies of a brand's known spokesperson:

  • Triggers Duty 1 (AI interaction disclosure — users must know they're talking to AI)
  • Triggers Duty 2 (synthetic content marking — the voice output must be machine-readably marked)
  • Triggers Duty 3 (deepfake label — it's a voice clone of an identifiable real person)

You don't get to pick which duty applies; all that apply, apply.

Detection: which features trigger which duties

This is the operational layer most teams skip until an audit. The right architecture has a system-level register that records:

  • For each AI system in your product or operations, which output modalities it produces (text, image, audio, video, mixed)
  • Whether it interacts directly with users
  • Whether outputs depict real people, events, or places
  • Which Article 50 duty applies as a result

GreyScape.ai ships this as the Article 50 transparency triggers feature — category and keyword fallbacks for chat, image, voice, video, and deepfake outputs. The register flags each AI system in your inventory with the duties that apply, with the rationale, and links to the obligation evidence.

You can also do it manually in a register. The form matters less than the existence of a register and the discipline of keeping it current.

What to ship this week

If your product has any AI feature with user-visible output, this week:

  1. Walk every AI feature against the three duties. Each one either triggers a duty or doesn't; document the call.
  2. Ship the disclosure UI for any chat / assistant / interactive AI surface. It's cheap, it works, your users actually appreciate the clarity.
  3. Audit your synthetic-content pipeline. Are you signing outputs with C2PA or equivalent? If not, this is now an Article 50 violation in waiting.
  4. For any feature that can depict real people, ship the deepfake label. Visible, always-on, on the rendered output.

These are the smallest-effort, highest-leverage compliance items in the Act. They do not require organisational change, RFP, or board approval — they require an engineer with a UI ticket and an afternoon.

For the wider Act picture, the main compliance guide walks the full 90-day plan. For the high-risk regime, Annex III explained covers which systems trigger the heavy obligations.

Next step

See the EU AI Act compliance layer in action

GreyScape.ai ships the working operational layer — per-system register, obligation catalogue, evidence vault, FRIA template, Article 50 triggers, one-click audit pack — at $3/user/month.

Explore EU AI Act readiness Try the demo

Related reading

Compliance

The EU AI Act for SaaS: A 2026 Compliance Guide

A working compliance plan for SaaS companies with 53 days to the first big enforcement deadline. What the EU AI Act covers, which obligations actually hit you, and the 90-day plan to get a defensible position by 2 August 2026.

Read

Compliance

EU AI Act FRIA template: how to write a Fundamental Rights Impact Assessment

A working FRIA template for Article 27 of the EU AI Act, with the seven sections, what to put in each, and a worked example for a credit-scoring AI system.

Read

Compliance

Annex III explained: which AI systems are high-risk under the EU AI Act

A practitioner's walk-through of the eight Annex III categories — what the EU AI Act actually means by 'high-risk', with concrete SaaS examples and the borderline cases that catch most companies out.

Read