← auditaisdk.com  ·  All articles

EU AI Act Article 50 Transparency Obligations for Generative AI: Chatbots, Deepfakes, Watermarking and the 2 August 2026 Deadline

By Marc Dubois · May 2026 · 14 min read

TL;DR: Article 50 is the only substantive obligation block the May 2026 Omnibus did not delay. Binding on 2 August 2026. Four regimes stack inside it: (1) chatbot disclosure under 50(1) — providers must inform users they are interacting with AI; (2) synthetic content marking under 50(2) — providers of generative AI must machine-readably mark images, audio, video and text (C2PA, SynthID, provider-side watermarks); (3) emotion recognition and biometric categorisation disclosure under 50(3) — deployers must inform exposed persons; (4) deepfake and public-interest text labelling under 50(4) — deployers must disclose AI-generated or manipulated content. Penalties up to EUR 15 million or 3% of global turnover under Article 99(4). The €199 managed audit ships an Article 50 compliance bundle covering the chatbot UI disclosure copy, the synthetic content marking pipeline, and the deployer-facing toggles for deepfake and emotion-recognition disclosures.

Why Article 50 is the deadline that did not move

When the European Commission published the May 2026 Omnibus simplification package, the headline was that the Annex III high-risk regime would be delayed to December 2027 and the Annex I regulated-product regime to August 2028. The detail buried in the impact assessment was the carve-out: Article 50 transparency obligations would remain binding on the original 2 August 2026 date. The Commission's reasoning was that transparency is independent of the high-risk classification — a chatbot does not need a conformity assessment to disclose that it is a chatbot, and a deepfake does not need a CE marking to carry a label.

For B2B SaaS that ships any flavour of generative AI — chat assistants, image generators, voice clones, video synthesisers, text rewriters — the result is a hard deadline less than three months away. Procurement teams already use Article 50 readiness as a quick screen: "do you have an Article 50 disclosure on the chatbot, and do your image outputs carry C2PA Content Credentials?" If you can answer yes with a screenshot, you skip a compliance review. If you cannot, the deal flips into a procurement-led remediation track and adds six to ten weeks to the sales cycle.

The 2026 deadlines post covers the full timeline. This guide unpacks Article 50 specifically: each paragraph, who owes what, the technical implementation in 2026, and the one-page compliance bundle that gets signed.

The four transparency regimes inside Article 50

Article 50 reads like one provision but operates as four distinct regimes, each with a different actor, a different trigger, and a different evidence requirement. Mapping them once and forgetting later costs deals.

Paragraph Who owes Trigger Disclosure form
50(1) Provider AI system interacts directly with natural persons Visible disclosure at first interaction
50(2) Provider of generative AI Output is synthetic audio, image, video or text Machine-readable marking; detectable as AI-generated
50(3) Deployer Emotion recognition or biometric categorisation system used on natural persons Inform exposed persons; comply with GDPR
50(4) Deployer Generates or manipulates deepfake content, or AI text published to inform public on matters of public interest Visible disclosure; carve-outs for art, satire, crime detection

The provider / deployer split matters because a single product touches both. A B2B SaaS that ships an image generator carries the 50(2) duty as provider (machine-readable marking). Its customer who uses the generator to create a face-swap of a real person carries the 50(4) duty as deployer (visible deepfake label). The compliance bundle has to pass through both responsibilities so neither side is left exposed.

Article 50(1) — chatbot disclosure

DUTY · ART. 50(1)

Inform natural persons that they are interacting with an AI system

Providers of AI systems intended to interact directly with natural persons must design and develop the system so the persons are informed they are interacting with an AI, unless the interaction is obvious from the circumstances and context of use to a reasonably well-informed, observant and circumspect natural person.

The information must be provided in a clear and distinguishable manner at the latest at the time of the first interaction or exposure.

The 50(1) test has two prongs and one carve-out:

  1. Direct interaction. The AI talks to humans — chatbots, voice assistants, email auto-replies that converse, embodied agents. Background analysis ("an AI scored this CV") is not direct interaction; that is a different regime under Annex III.
  2. Time of disclosure. At the latest at the first interaction. A disclosure buried in the footer of the homepage does not satisfy this — the user has to be informed when the chat opens, not when they scroll the legal page.
  3. Obviousness carve-out. If the AI nature is obvious to a reasonably well-informed person taking into account context, the duty falls away. The carve-out is narrower than vendors initially read it. A chatbot labelled "AI Assistant" arguably triggers obviousness; a chatbot called "Sarah from Customer Service" does not.
The "obviousness" trap. Many vendors built chatbots before Article 50 was drafted and now rely on a footer note or a tooltip. The Commission's 2026 implementation guidance reads "reasonably well-informed" against the lowest-context user, not the most-informed user. A chatbot that opens with "Hi! How can I help?" without an AI disclosure fails the test even if the brand is widely known to use AI. The fix is small — one short sentence in the first message — and the cost of not fixing it is procurement using your chatbot as evidence of a broader compliance gap.

Acceptable disclosure formulations that procurement legal teams accept in 2026:

Each is short enough to fit at the top of the conversation, distinct enough to satisfy "clear and distinguishable", and contains the word AI rather than a euphemism. "Smart assistant", "virtual helper", "automated agent" — these are read as evasive by procurement and create a documentation discussion you do not want.

Article 50(2) — synthetic content marking

DUTY · ART. 50(2)

Mark AI-generated outputs as machine-readable and detectable

Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content must ensure the outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. Providers must ensure their technical solutions are effective, interoperable, robust and reliable as far as technically feasible, taking into account the specificities and limitations of various types of content, the costs of implementation, and the generally acknowledged state of the art.

Article 50(2) is the technical centre of gravity of the entire transparency regime. The duty sits on the provider of the generative AI system, including downstream providers who wrap a GPAI model. The implementation question is which marking technologies the Commission accepts as state of the art.

The 2026 reality is a small toolchain that has crystallised around three standards:

Standard Covers Use as your default for
C2PA Content Credentials (ISO/TS 22144) Images, video, PDF, audio Visual content shipped to external audiences. The reference manifest is signed and includes generator identity, model name, timestamp.
Google SynthID (invisible watermark) Images, audio, text (logits-bias variant) Belt-and-braces on top of C2PA. Survives screenshot, transcoding, light edits. The detector is held by Google but exposed via a paid API to integrators.
Provider-side response metadata Text outputs from API calls Where a visible C2PA does not fit the medium, attach a structured x-ai-generated: true header and a provenance JSON block in the API response.

The state-of-the-art test in Article 50(2) is conditioned on "technically feasible". For images and video, C2PA is the unambiguous answer — embedding a manifest is cheap, well-tooled and standards-backed. For audio, SynthID-Audio and Adobe Soundverse are the leading options. For text, the 2026 situation is messier: paraphrase-robust text watermarks exist but are not yet universal, and the Commission's guidance accepts compliance through the upstream GPAI provider's solution combined with API metadata.

The technically-feasible carve-out is not a free pass. Some vendors read "as far as technically feasible" as a permission to ship nothing if their pipeline is hard. The Commission's 2026 guidance reads it as a duty to implement the best available state-of-the-art solution, even if imperfect. Shipping zero marking for image outputs in 2026 is indefensible because C2PA is mature and free. Shipping no text marking when the upstream provider has a watermark you can pass through is also indefensible.

Acceptable Article 50(2) postures by modality in 2026:

Image outputs. Embed C2PA Content Credentials in every generated image. Sign with a certificate identifying your product. If shipping through Adobe Firefly, OpenAI Images or a Stable Diffusion derivative, lean on the upstream provider's existing C2PA signing pipeline and add your own product-identifier line.
Video outputs. Embed C2PA Content Credentials in every generated video. Where the video is generated by an upstream provider that already signs (Runway, Sora, Veo), pass through; do not strip the manifest in your pipeline.
Audio outputs. Embed SynthID-Audio or equivalent invisible watermark plus C2PA manifest where the player chain supports it. For text-to-speech in real-time agent calls, the realistic answer in 2026 is provider-side watermark plus a visible disclosure at the start of the call ("This call is being conducted by an AI assistant").
Text outputs. Pass through the upstream provider's text watermark where it exists (SynthID-Text, OpenAI's announced equivalent). Include a structured marker in the API response (x-ai-generated: true) so downstream integrators can mark their UI. Where text is also caught by Article 50(4) — public-interest text — add a visible label.

Article 50(3) — emotion recognition and biometric categorisation

DUTY · ART. 50(3)

Inform persons exposed to emotion recognition or biometric categorisation

Deployers of an emotion recognition system or a biometric categorisation system must inform the natural persons exposed to it and process the personal data in accordance with Regulation (EU) 2016/679 (GDPR), Regulation (EU) 2018/1725, and Directive (EU) 2016/680. The duty does not apply to AI systems permitted by law to detect, prevent and investigate criminal offences, subject to safeguards.

This paragraph is narrow in scope but high-risk in penalty. Emotion recognition systems and biometric categorisation systems are defined in Article 3(39) and 3(40) — the former infers emotions from biometric data, the latter categorises persons into specific groups based on biometric data. In a B2B SaaS context, the use cases that trigger 50(3) typically include:

The duty sits on the deployer — the entity using the system on natural persons — not the provider. A provider that ships an emotion-recognition feature still has to support the deployer's compliance by exposing the disclosure controls and the GDPR-required lawful basis fields. The provider's Article 13 SDK product information (the instructions for use) must explicitly tell the deployer that 50(3) applies.

Article 5 reaches first. Some emotion recognition use cases are prohibited outright under Article 5(1)(f) — for example, emotion inference in workplaces and education institutions except for medical or safety reasons. Article 50(3) only kicks in for use cases that survive Article 5. Run the Article 5 test before the Article 50(3) test. Many call-centre and HR vendors discovered in 2025 that their pre-existing emotion-recognition features needed to be either redesigned around the prohibition or pulled from the EU market entirely.

Article 50(4) — deepfakes and public-interest text

DUTY · ART. 50(4)

Disclose AI-generated or manipulated image, audio or video content (deepfake)

Deployers of an AI system that generates or manipulates image, audio or video content constituting a deepfake must disclose that the content has been artificially generated or manipulated. The duty does not apply where the use is authorised by law to detect, prevent, investigate or prosecute criminal offences. Where the content is part of an evidently artistic, creative, satirical, fictional or analogous work or programme, the duty is to disclose the existence of such generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work.

DUTY · ART. 50(4) — TEXT

Disclose AI-generated text published to inform the public on matters of public interest

Deployers of an AI system that generates or manipulates text which is published with the purpose of informing the public on matters of public interest must disclose that the text has been artificially generated or manipulated. The duty does not apply where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content.

The deepfake rule (50(4) image/audio/video) and the public-interest text rule (50(4) text) sit in the same paragraph but trigger differently. The deepfake rule is content-based — does the output resemble an existing person, object, place or event in a way that could falsely appear authentic? The public-interest text rule is publication-based — is the text being published to inform the public on a matter of public interest?

For B2B SaaS providers building deepfake-capable features (face swap, voice clone, video synthesis), the duty falls on your customer (the deployer), but you need to support the customer's compliance by:

  1. Surfacing the deepfake label as a default-on UI toggle the deployer cannot accidentally disable.
  2. Embedding the visible disclosure into the output file (a watermark frame, an audio fingerprint, a footer caption) where the deployer is publishing under a public-interest context.
  3. Passing through the C2PA Content Credentials marker required under 50(2) so the deepfake claim is also machine-readable.
  4. Documenting the artistic/satirical carve-out in your product terms — your customer needs a hook to use the lighter disclosure when their use case qualifies.

For B2B SaaS providers building AI text-generation tools used by media or political clients, the duty also falls on your customer, but the carve-out for human review and editorial control is the load-bearing item. Most newsroom-grade text-generation workflows include editorial review by default; document that workflow in your product terms so your customer can rely on the editorial-responsibility exemption.

Article 50(5) and 50(6) — manner of disclosure and Codes of Practice

Two procedural paragraphs close out Article 50:

The 2 August 2026 deadline — what the Omnibus did and did not change

The May 2026 Omnibus rebalanced the AI Act timeline. Article 50 was deliberately excluded from the delay. The dates that matter for transparency planning:

Date Event Affects you?
2 August 2025 GPAI obligations entered into application (Article 53, 55). Indirectly — upstream provider obligations affect your downstream watermark pass-through.
2 February 2025 Article 5 prohibited practices entered into application. Includes emotion recognition prohibitions in workplaces and education. Yes — Article 5 prevails over Article 50(3). Test prohibition before testing disclosure.
2 August 2026 Article 50 transparency obligations binding. Chatbots, synthetic content marking, emotion recognition disclosure, deepfake labelling all enforceable. Yes — for any provider or deployer of generative AI in the EU market.
December 2027 Annex III high-risk obligations applicable (delayed by Omnibus). If your AI system is also Annex III high-risk, both regimes apply.
August 2028 Annex I regulated-product obligations applicable (delayed by Omnibus). Rarely.

Full timeline in the 2026 deadlines post.

The Article 50 compliance bundle — the one-page version

The bundle template enterprise procurement signs in one review cycle:

ARTICLE 50 TRANSPARENCY COMPLIANCE — <PRODUCT NAME>

1. Article 50(1) — chatbot disclosure
   - Direct-interaction AI surface(s): <e.g. /chat, /support, /assistant>
   - Disclosure copy at first interaction: <exact UI string>
   - Disclosure visible in: <chat header + first message>
   - Obviousness carve-out claimed: <no | yes — justification>

2. Article 50(2) — synthetic content marking
   - Image outputs: C2PA manifest embedded, signed by <certificate identity>
   - Video outputs: C2PA manifest embedded
   - Audio outputs: SynthID-Audio or equivalent invisible watermark
   - Text outputs: provider-side watermark passed through + x-ai-generated: true header
   - State-of-the-art justification: <reference to current Commission guidance>

3. Article 50(3) — emotion recognition / biometric categorisation
   - In scope: <no | yes — describe feature>
   - Article 5 prohibition pre-check completed: <yes — see /docs/article-5-assessment>
   - Deployer-facing disclosure controls: <available in /settings/disclosure>
   - GDPR Art. 13/14 notice template provided to deployer: <yes>

4. Article 50(4) — deepfake labelling / public-interest text
   - Generates deepfake-capable content: <no | yes — describe>
   - Default-on visible label embedded: <yes>
   - Artistic / satirical carve-out documented in terms: <yes>
   - Editorial-responsibility carve-out documented in terms (text): <yes>

5. Article 50(5) accessibility
   - Disclosures pass screen-reader test: <yes>
   - Disclosures localised to required languages: <list>

6. Article 50(6) Code of Practice
   - Subscribed to Article 50(2) Code of Practice: <yes | no — reason>
   - C2PA membership status: <contributor | implementer | not member>

7. Versioning
   - Document version: <1.0>
   - Last reviewed: <2026-05-12>
   - Review frequency: quarterly or at every UI / pipeline change

One page. Procurement legal signs one-pagers. The same template fits B2B chatbots, image generators, voice clones and text-rewrite features — only the populated fields change.

Common failure modes (audited in 2026)

FAILURE · 1

Footer-only chatbot disclosure

The most common 50(1) failure. A site footer note that the assistant is AI-powered does not satisfy "at the latest at the time of the first interaction or exposure". The bot opens a conversation with no disclosure in the chat itself; the user never sees the footer. Fix: one line in the first message, plus a header badge. Cost: thirty minutes.

FAILURE · 2

Stripping C2PA manifests in the pipeline

An image-generation product gets its outputs from an upstream provider that already signs with C2PA, then re-encodes the image through an internal compression pipeline that drops the manifest. The output ships without the marker, and the provider is in breach of 50(2). Fix: preserve C2PA across the pipeline, or re-sign with your own certificate after re-encode.

FAILURE · 3

Treating text output as marking-exempt

Some vendors read 50(2) as image-and-video only. The provision explicitly covers text. The technical-feasibility carve-out reduces the burden but does not eliminate it. Where the upstream GPAI provider ships SynthID-Text or equivalent, you must pass it through. Where the upstream does not, document the absence and add API-response metadata (x-ai-generated: true) so downstream integrators can mark their UI. Defending zero text marking with no documentation is the failure procurement catches.

FAILURE · 4

Emotion recognition feature live without an Article 5 pre-check

Call-centre QA and HR-interview tools that infer emotion are routinely live in 2026 without a documented assessment against Article 5(1)(f). The disclosure under 50(3) does not cure an Article 5 prohibition — if the use case is prohibited, no amount of consent fixes it. Fix: file an Article 5 assessment for every emotion-recognition surface before shipping the 50(3) disclosure.

FAILURE · 5

Deepfake-capable feature without deployer guardrails

Voice-clone APIs and face-swap features routinely ship without a UI control telling the deployer "you must disclose deepfake output". The provider then claims the duty sits on the deployer. The deployer claims they did not know. Procurement reads the gap as a joint failure. Fix: surface a non-dismissable disclosure-default toggle in the UI; pass C2PA Content Credentials through; document the artistic carve-out in your product terms so the deployer has a hook to use it correctly.

The auditai SDK and Article 50

The auditai SDK ships exports tailored for each Article 50 paragraph:

pip install auditai-sdk

from auditai import AuditAI
audit = AuditAI(
    product="Acme AI Assistant",
    chat_surface_disclosure=True,
    generates_synthetic_content=["image", "text"],
    upstream_model="gpt-4o-2024-08-06"
)
audit.export_article_50_bundle("./article-50-bundle.pdf")

FAQ

1. Does the EU AI Act Article 50 deadline apply on 2 August 2026?

Yes. Article 50 is the only substantive obligation block in the EU AI Act that the May 2026 Omnibus did not delay. The chatbot disclosure rule under Article 50(1), the synthetic content marking rule under Article 50(2), the emotion recognition and biometric categorisation disclosure rules under Article 50(3), and the deepfake and public-interest text labelling rule under Article 50(4) all become binding on 2 August 2026. The Annex III high-risk obligations were pushed to December 2027 and the Annex I regulated-product obligations to August 2028, but Article 50 was carved out of the delay explicitly because the Commission considered the transparency regime independent of the broader high-risk framework.

2. Who has to disclose under Article 50 — the provider or the deployer?

Both, but in different paragraphs. Article 50(1) puts the chatbot disclosure duty on the provider — the entity that builds and places the AI system on the market. Article 50(2) puts the synthetic content marking duty on the provider of generative AI systems, including downstream providers who build on a GPAI model. Article 50(3) puts the emotion recognition and biometric categorisation disclosure duty on the deployer — the entity using the system on natural persons. Article 50(4) puts the deepfake and public-interest text labelling duty on the deployer who generates or manipulates the content. If you are a B2B SaaS that builds a chatbot and your customer deploys it, you carry the 50(1) and 50(2) duties; your customer carries the 50(3) and 50(4) duties to the extent the use case triggers them.

3. What does "machine-readable marking" mean under Article 50(2)?

Article 50(2) requires providers of generative AI to mark synthetic audio, image, video or text outputs in a machine-readable format and to make them detectable as artificially generated or manipulated. In 2026 the operational answer is C2PA Content Credentials for images and video, SynthID-style invisible watermarks for AI-generated images and audio (Google), Adobe Content Authenticity Initiative metadata for creative outputs, and provider-side training-data watermarks for text. The 2026 Commission guidance accepts any solution that is technically feasible, sufficiently reliable, interoperable and effective at the state of the art. C2PA is the cleanest answer because it is an ISO standard (ISO/TS 22144) and has multi-vendor support. Pure visible labels alone are not enough — the requirement is machine-readable detection, with visible disclosure carrying a separate role under Article 50(4).

4. Does Article 50 apply to my B2B chatbot if it is only used internally inside a customer organisation?

Article 50(1) applies whenever an AI system is intended to interact directly with natural persons. A B2B chatbot used by employees of your customer still interacts directly with natural persons — the employees. The carve-out at the end of Article 50(1) is narrow: it exempts cases where the AI nature is obvious to a reasonably well-informed person taking into account the circumstances and context of use. A chatbot framed as a customer-service agent is not obviously AI; an interface called "AI Assistant" arguably is. The safest posture is to disclose at the start of the conversation and let the customer remove the disclosure only when their use case clearly meets the obviousness test. Article 50(1) also exempts use for purposes of preventing, detecting and investigating criminal offences.

5. What is a deepfake under Article 50(4) and when does the labelling duty apply?

Article 3(60) defines a deepfake as AI-generated or manipulated image, audio or video content that resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic or truthful. Article 50(4) puts the labelling duty on the deployer who generates or manipulates such content. The disclosure must make clear that the content is artificially generated or manipulated. Exemptions cover artistic, creative, satirical, fictional and analogous works, where the disclosure is required in an appropriate manner that does not hamper the display or enjoyment of the work, and use for the prevention, detection, investigation and prosecution of criminal offences. For B2B SaaS shipping image-editing or video-synthesis features, the practical implication is that the customer-facing UI needs a deepfake-label toggle and the user is responsible for using it; the provider is liable under Article 50(2) for the machine-readable marking of the output regardless.

6. Does Article 50(2) marking apply to text output, and how do you watermark text?

Yes — Article 50(2) covers text output explicitly. The marking requirement is technical-feasibility-conditioned: the solution must be effective, interoperable, robust and reliable as far as technically feasible at the state of the art. In 2026 text watermarking is more contested than image watermarking. The major upstream providers have shipped logits-bias watermarks (Google SynthID-Text, OpenAI's announced but unreleased system); these survive paraphrase up to a threshold and are detectable by the upstream provider. Downstream providers do not have to invent text watermarking from scratch — Article 50(2) accepts compliance via the upstream GPAI provider's solution combined with disclosure metadata in the API response. Where the text is also covered by Article 50(4) (public-interest text purporting to inform the public), the deployer must additionally disclose visibly, and the technical-feasibility carve-out does not apply to the visible disclosure.

7. How does Article 50 interact with Article 53 GPAI obligations?

Article 53 sits on the upstream GPAI provider — the model developer. Article 50 sits on the AI system provider and deployer. As a downstream provider building on GPT-4 or Claude, you usually do not have a direct Article 53 duty (see the GPAI downstream providers guide), but you do have direct Article 50(1) and 50(2) duties because you are the provider of the AI system. Your upstream model provider supplies the machine-readable watermark or the API metadata you pass through; you build the chatbot disclosure UI and the C2PA Content Credentials pipeline. The flowdown checklist treats this as two separate files stacked: the GPAI flowdown (Article 53 references) and the Article 50 compliance bundle (your own UI, marking pipeline, deployer-facing toggles).

8. What are the penalties for Article 50 non-compliance?

Article 99(4) classifies Article 50 breaches as "other infringements" rather than prohibited practices or high-risk system breaches. The maximum fine is up to EUR 15 million or 3% of global annual turnover for the preceding financial year, whichever is higher. SMEs and startups are subject to the lower of the two figures. National market surveillance authorities can also order corrective measures, withdrawal or recall of the AI system from the market. The reputational risk usually bites earlier than the regulatory fine: a procurement team that discovers your chatbot lacks the Article 50(1) disclosure will block the deal as a "compliance risk", and a journalist running a C2PA validator over your image generator output will flag the missing marker as a story. Build the disclosures and markers before the 2 August 2026 deadline; do not wait for enforcement.

The bottom line

Article 50 is the EU AI Act obligation that touches the most products in the smallest amount of code. A chatbot needs one disclosure string. An image generator needs C2PA manifests on every output. A voice clone needs an invisible watermark and a deepfake-label toggle. None of these changes is expensive on its own; the cost is the surveying — finding every AI surface in your product, mapping it to the right Article 50 paragraph, and documenting the implementation in a one-pager procurement can sign.

The deadline is 2 August 2026 and the Omnibus did not move it. Procurement teams have already started using Article 50 readiness as a fast screen on AI vendors. If you are responding to a security questionnaire today and the chatbot has no disclosure or the image generator has no C2PA manifest, the deal stalls.

The good news is that the toolchain is mature, the bundle template is one page, and a well-documented Article 50 posture pairs cleanly with the Article 26 deployer file your customer carries. The €199 managed audit produces the bundle above populated against your specific product, including the disclosure copy in the required EU languages, the C2PA signing-certificate configuration, and the deployer-facing controls for emotion recognition and deepfake labelling. Five business days, signed, defensible.

Ship the Article 50 compliance bundle before the deadline that did not move

One PDF. Chatbot disclosure copy. C2PA pipeline. Deepfake toggle. Article 5 pre-check. Ready for procurement review.

Get the managed audit — €199 →

Related reading

This article is informational and reflects the EU AI Act as in force after the May 2026 Omnibus delay. It is not legal advice. The managed-audit deliverable is a compliance memo, not a legal opinion; engage qualified counsel for binding interpretation. Article references are to the EU AI Act consolidated text. The state-of-the-art assessment for Article 50(2) marking technology reflects the Commission's 2026 guidance and the C2PA Code of Practice draft; both may be revised before the 2 August 2026 binding date.