
Chief Executive Officer
Published: July 16, 2026

Article 50 of the EU AI Act becomes enforceable on August 2, 2026. Penalties reach €15 million or 3% of global turnover. The regulation creates the world’s first legally binding deepfake disclosure requirement, applies extraterritorially to U.S. companies with EU exposure, and mandates a multi-layer marking approach (C2PA metadata + imperceptible watermarking). The deepfake disclosure obligation under Art. 50(4) has no grace period. Real-time, cross-channel detection infrastructure is the operational answer.
In This Article
Most cybersecurity regulations tell you what to protect. Article 50 of the EU AI Act (Regulation 2024/1689) tells you what to detect and disclose, and it does so with fines that make GDPR’s early days look measured.
Article 50 imposes binding transparency obligations on organisations that provide or deploy certain categories of AI system in the EU market. For security leaders, the operative word is "deploys." You don't need to build AI systems to fall in scope. If your organisation deploys emotion recognition or biometric categorisation systems, you must inform the people exposed to them. If you deploy AI that generates or manipulates deepfake content, or AI-generated text published to inform the public on matters of public interest, you must disclose it. And if you build or supply AI that interacts with people or generates synthetic content, the provider-side duties in Article 50 apply too.
The obligations cover four categories, and the one that should command the most attention from CISOs is Article 50(4), the deepfake disclosure requirement.
The regulation creates obligations for both providers (those who build AI systems) and deployers (those who use them):
AI interaction disclosure (Art. 50(1)) - Organisations must inform people when they are interacting with an AI system, unless it is obvious from context.
Synthetic content marking (Art. 50(2)) - Providers of AI systems that generate synthetic audio, image, video, or text must ensure outputs are marked in a machine-readable format and detectable as artificially generated. The EU’s Code of Practice, finalized on June 10, 2026, specifies a multi-layer approach: C2PA cryptographically signed metadata combined with imperceptible watermarking (such as Google’s SynthID). Neither technique alone meets the statutory requirement of being “effective, interoperable, robust, and reliable.”
Emotion recognition and biometric disclosure (Art. 50(3)) - Deployers using AI for emotion recognition or biometric categorisation must inform affected individuals.
Deepfake disclosure (Art. 50(4)) - Deployers of AI systems that generate or manipulate image, audio, or video content constituting a deepfake must disclose that the content has been artificially generated or manipulated. This applies irrespective of purpose, with narrow exemptions only for law enforcement use and obviously fictional or satirical works.
That last obligation, the deepfake disclosure duty, has the sharpest operational teeth. It doesn’t just apply to content you create. It applies to content you encounter and deploy. If a cloned voice enters a Zoom call with your EU-based counterpart, if a manipulated video lands in a Teams meeting, if an AI-generated phishing email reaches your inbox, you are the deployer, and disclosure is your obligation.
Here’s where U.S.-based companies often assume they’re safe. They’re not.
Article 50 has extraterritorial reach, following the same jurisdictional model as GDPR. It applies to:
Any organisation deploying AI systems within the EU, regardless of headquarters location. A Detroit-based company with employees, customers, or partners in the EU falls in scope.
Any provider placing AI systems on the EU market, including SaaS platforms accessible to EU users.
Any organisation whose AI-generated content reaches EU audiences. The disclosure obligation attaches to the deployer, not the geography of the server.
The practical test: if your employees join video calls with EU-based counterparts, if your customers include EU entities, or if your communications reach EU recipients, Article 50 applies to you. The deepfake that enters your London office’s Zoom call doesn’t care that your headquarters is in Michigan.
Non-compliance with Article 50 carries administrative fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher. For prohibited AI practices, the ceiling rises to €35 million or 7% of global turnover.
These are enforced by national market surveillance authorities in each of the 27 EU member states. The enforcement infrastructure is already being built. The Code of Practice is finalized. The guidelines are published. The deadline is fixed.
Milestone | Date | Status |
|---|---|---|
EU AI Act entered into force | August 1, 2024 | Done |
Prohibited AI practices ban | February 2, 2025 | Done |
Final Code of Practice on AI content transparency | June 10, 2026 | Done |
Code of Practice signatory deadline | July 22, 2026 | 20 days out |
Article 50 transparency obligations enforced | August 2, 2026 | 31 days out |
Extended marking compliance (Omnibus) | December 2, 2026 | — |
Full AI Act enforcement (high-risk systems) | August 2, 2027 | — |
Important nuance: The AI Omnibus provisional agreement of May 2026 grants generative AI systems already on the market before August 2 an extension until December 2, 2026 for the machine-readable marking requirement under Art. 50(2). But the deepfake disclosure obligation under Art. 50(4) has no extension. It applies from August 2, full stop.
This is where most compliance guidance falls short. The regulation tells you to “disclose” deepfakes. The Code of Practice tells you to “mark” and “label” synthetic content. But neither addresses the operational question that security teams actually face:
How do you detect an inbound deepfake you didn’t create?
Marking and labeling solve the provider-side obligation. If your company generates synthetic content, you mark it. But the deployer-side obligation, disclosing deepfakes that enter your communication channels from external sources, requires real-time detection.
Consider a real scenario that Article 50 now governs. An AI-cloned voice joins a conference call with your EU-based finance team. The voice sounds like your CFO. It requests a wire transfer. Under Article 50(4), if that content is a deepfake, the deployer (your organisation) has a disclosure obligation.
You can only disclose what you detect. If your detection capability is limited to uploading recordings after the call ends and waiting for a forensic report, you cannot meet a real-time disclosure obligation.
This is not a theoretical concern. The $25 million Arup Hong Kong deepfake wire fraud (2024) involved a live video call with multiple cloned participants. The Ferrari CEO voice-clone attempt (2024) was caught only because an executive asked an off-script question. The WPP CEO impersonation used a combination of voice cloning and WhatsApp messaging. In each case, detection happened by luck or by damage, not by system.
Article 50 does not fix this for you. It binds providers and deployers who intend to comply; it has no purchase on an adversary who doesn't. Which is precisely why detection, not disclosure, is the control that matters against inbound attacks.
Meeting the deepfake disclosure obligation requires three operational capabilities:
Article 50 doesn’t distinguish between modalities. A deepfake on a Zoom call carries the same disclosure obligation as one in an email. Your detection infrastructure needs to cover voice, video, email, and messaging. Most detection vendors today are single channel: one covers voice, another covers email, a third does forensic video analysis. None of these alone meets the multi-modal obligation.
The disclosure must happen when the deepfake is “encountered,” not hours or days later during a forensic review. Detection has to operate during the communication, not after it.
The regulation requires a disclosure trigger register documenting each scenario: what was detected, when, on which channel, what action was taken, who owns the process, and when it’s next reviewed. Every detection event needs to generate a verifiable record that can survive regulatory inspection.
Training-first vendors - deepfakes as awareness topic, not detection. Training doesn't satisfy a disclosure obligation.
Voice-only platforms - one channel out of four. Art. 50(4) covers all modalities equally.
Email-only security vendors - zero voice/video detection. Rebranding around "human risk management" but inbox-only.
Thought leadership without a compliance product - publishing about the regulation is not offering a product that maps to it.
Structural gap - Art. 50 requires cross-channel real-time detection. Most detection vendors are single-channel and predate the deepfake fraud wave. Few cover voice, video, and text in one control which is where the inbound attacks actually land.
Use this to assess where your organisation stands before August 2:
Step 1: Inventory your AI systems. Catalogue every AI system your organisation provides or deploys. Map each to the relevant Article 50 sub-paragraph: interactive (50(1)), generative (50(2)), biometric (50(3)), or deepfake-related (50(4)).
Step 2: Assess your deepfake exposure. Determine whether your communication channels (voice calls, video meetings, email, SMS) are monitored for AI-generated manipulation. Most organisations will find they have email filtering but zero voice or video detection.
Step 3: Deploy cross-channel detection. Implement real-time deepfake detection across all communication modalities, not just email. The regulation doesn’t give you credit for protecting one channel while leaving three exposed.
Step 4: Establish disclosure protocols. When a deepfake is detected, who is notified? How quickly? Through what channel? Document these protocols before the deadline.
Step 5: Build your disclosure trigger register. For each AI interaction scenario, document the owner, channel, label decision, exception rationale, evidence location, and next review date.
Step 6: Verify content provenance. If your organisation generates synthetic content, confirm that outputs carry C2PA content credentials and imperceptible watermarking as required by the Code of Practice.
Step 7: Test and review. Run a tabletop exercise simulating a deepfake attack across voice, video, and email. Does your detection fire? Try Defrag to see what AI impersonation looks like against your own defences. Fix what breaks before the deadline.
Netarx is a real-time deepfake detection platform covering voice, video, email, and SMS in a single deployment. It maps directly to the operational requirements Article 50 creates:
Real-time detection during live communications - not forensic analysis after the fact. When a deepfake enters a Zoom call, Netarx identifies it during the call, enabling the immediate disclosure Article 50(4) requires.
Cross-modal coverage from a single platform - voice, video, email, and SMS. No need to stitch together separate vendors for separate channels.
No-integration deployment - deploys without requiring platform connectors or email gateway reconfiguration. Critical when you have 31 days to compliance, not 31 weeks.
Audit-ready detection records - every event is logged with what was detected, when, on which channel, and what action was taken. This feeds directly into the disclosure trigger register.
SOURCES & REFERENCES

Chief Executive Officer
CEO/Founder of Netarx LLC, Real-time detection of deepfake and social engineering threats via enterprise video, voice and email. Managing Partner of Koach Capital, a Private Equity firm managing a multitude of commercial real estate (CRE) funds whose focus is retail sale-leasebacks. Sandy's entrepreneurial success began by founding a network integration and services provider that served large enterprises. We focused on advanced technologies including Business Intelligence (BI), Network & Information Security, Virtualization, Storage Area Networks, Unified Communications and Data Center Services. In 2009, Netarx acquired the VAR business of Analysts International (including Sequoia and Entree Systems). In 2011 Netarx was acquired by Logicalis (a division of Datatec - Symbol LSE: DTC) and stayed on as its Chief Technology Officer. He continued to build by founding Verge.io (Formerly Yottabyte) and Service.com. Also, Sandy served as a General Partner of Ludlow Ventures, a venture capital fund focusing on investments in early-stage tech companies. Sandy contributes to the community via lectures, publications and developing new technologies - he currently holds 8 Patents.
Yes. Article 50 follows the same extraterritorial model as GDPR. If your AI systems are deployed within the EU, if your services are offered to EU users, or if your AI-generated content reaches EU audiences, the obligations apply regardless of where your company is headquartered.