EU AI Act August 2: The Article 50 Your Legal Team Underestimated — What Internal Chatbots Must Display

The Digital Omnibus postponed Annex III — not Article 50. By August 2, every internal chatbot must show an AI disclosure. The deployer carries it.

On June 22, 2026, Tech Times published a reminder that many corporate legal teams haven’t yet circled in their calendars: July 22, 2026 at 6 PM CEST is the last day to sign the European Commission’s Article 50 Code of Practice. Organizations that sign by that date receive a presumption of compliance from national supervisory authorities. Those that don’t are not relieved of the obligation — they simply carry a heavier burden of proof.

In conversations with compliance and legal leads at large European enterprises over the past few weeks, I keep hearing the same framing: “We tracked the Digital Omnibus carefully. High-risk AI is pushed to December 2027. We have time.” That reading is accurate for Annex III. It is not accurate for Article 50. And the gap between the two is quietly producing a compliance blind spot in organizations that have otherwise done their homework.

Here is what your internal chatbots must display by August 2 — and why the quality of your document corpus determines the legal value of that disclosure.

The Digital Omnibus Misreading — What Was Postponed, What Was Not

The May 7, 2026 agreement between the Council and the European Parliament postponed one specific set of obligations: the Annex III requirements for new high-risk AI systems (HR tools, credit scoring, access to essential services, etc.) moved from August 2, 2026 to December 2, 2027. For legal teams that had been scrambling to classify their risk models and HR systems, this was a meaningful reprieve.

What the Digital Omnibus did not touch: Article 50(1). The transparency obligation for conversational AI systems — chatbots, AI assistants, internal knowledge agents — remains anchored to August 2, 2026. Article 50(2), which covers synthetic content marking (deepfakes, AI-generated text at scale), was moved to December 2, 2026. Article 50(1) — the chatbot disclosure requirement — was not moved.

For organizations that have a Copilot M365 pilot in production, an internal Rovo assistant deployed on Confluence, a RAG system answering questions for sales teams or HR staff: the deadline is August 2, 2026. That is 39 days from today.

For the full context on the Digital Omnibus scope, Annex IV, and the corpus preparation timeline, see: EU AI Act August 2026: What the Digital Omnibus Did Not Postpone.

What Article 50(1) Actually Requires of an Internal Chatbot

The obligation is framed in functional terms, not technical ones. Article 50(1) of the AI Act requires providers of AI systems designed to interact with natural persons to ensure those systems inform users that they are interacting with an AI system — unless that fact is obvious from the circumstances and context of use.

The Commission’s draft guidelines, published May 8, 2026 (with the consultation period closed June 3), set out the operational expectations. Several points deserve direct attention:

The disclosure must appear at the moment of interaction — not in terms of service. A clause buried in an employee acceptable use policy signed during onboarding, or a banner in an internal governance document: these are insufficient. The information must reach the user at the time of the interaction, in an accessible and comprehensible form.

The disclosure must be adapted to the channel. For a text-based chatbot, a visible label in the interface. For a voice assistant, an audio message at the start of the session. The form must match the modality.

There is no single prescribed wording, but the disclosure must unambiguously identify the AI nature of the system. “You are interacting with an AI assistant” or “This service is provided by an artificial intelligence system” meets the Commission’s expectations. Vague formulations (“This service uses advanced technologies”) do not.

Deployer vs. Provider — Who Carries the Obligation in Your Organization

This is where the most significant confusion — and the most significant exposure — lives. The AI Act distinguishes two actors: the provider (the company that develops or places on the market the AI system) and the deployer (the organization that uses that system in a specific context and exposes it to end users).

Practically: Microsoft is the provider of Copilot. Your organization, which has deployed Copilot M365 to 8,000 employees, is the deployer. Atlassian is the provider of Rovo. Your IT department that activated Rovo on your Confluence instance is the deployer. A RAG vendor — or your own engineering team if you built an internal assistant — is the provider. The business unit that deployed it for sales teams is the deployer.

Article 50(1) places the primary obligation on the provider. But the Commission’s guidelines acknowledge that where a provider cannot directly configure the interface for a third-party deployer’s end users — which is the case for virtually all enterprise deployments — the deployer must ensure that the interface it controls complies with the disclosure requirement.

In other words: you cannot offload your compliance obligation to Microsoft, Atlassian, or Glean. You are responsible for what your employee sees when they open the internal chatbot you have made available to them.

William Fry’s analysis of Articles 50(1) and 50(2) provides useful guidance on provider/deployer responsibility allocation in enterprise scenarios. The practical checklist published by kla.digital confirms that Copilot M365, internal RAG agents, and HR assistants all fall within the Article 50 deployer scope.

The “Obvious AI” Exception — and Why It Does Not Cover Your Internal Copilot

The temptation is real: “Our employees know they’re using Copilot. Everyone knows it’s AI. We don’t need to display a notice.” This is precisely the reasoning the Commission’s guidelines push back against.

The exception for “obvious” AI interactions is real — it is written into Article 50(1). But it is calibrated to a strict standard: the average user. The legally relevant question is not whether your technical team knows this is AI, but whether an ordinary employee — without technical training, interacting with this assistant in the flow of their daily work — would unambiguously understand they are addressing an automated system rather than a colleague or a human service provider.

For an HR assistant answering questions about leave entitlement, for a finance chatbot interpreting expense reimbursement rules, for a commercial assistant drafting proposals: the answer is not automatically yes. The Commission interprets the exception narrowly, and supervisory authorities auditing an incident will expect documentation showing how the organization assessed and justified its decision to invoke the exception.

The operational recommendation: document the analysis if you intend to rely on the obvious exception, and display the disclosure in all cases where that analysis is not conclusive.

The Article 50 Code of Practice — What Signatories Gain Before July 22

The European Commission published its Code of Practice on AI-Generated Content Transparency on June 10, 2026. The document is voluntary — it does not create new legal obligations. But it translates Article 50 into concrete technical and organizational measures, and organizations that implement it benefit from a presumption of compliance with national supervisory authorities.

The deadline to sign as an initial signatory is July 22, 2026 — 28 days from today. Signatories commit to implementing the measures described in the Code and can present their adherence to any supervisory authority as evidence of good faith and proactive compliance.

Not signing by July 22 does not exempt an organization from the August 2 obligation. It does, however, increase the burden of proof in the event of a review or complaint. Atlassian has already signed the EU AI Pact and documented its proactive posture on Article 50 compliance for Rovo — a signal of where deployers with significant AI footprints are heading.

Why an Ungoverned Document Corpus Undermines Your Article 50 Disclosure

There is an angle that legal analyses of Article 50 have not yet addressed — and it is the one we encounter most consistently in the enterprise deployments we support at K-AI. Most internal chatbots deployed by large organizations in 2026 are not simple rule-based bots. They are RAG assistants — systems that retrieve and synthesize content from internal document repositories: SharePoint, Confluence, enterprise content management systems, shared drives.

The Article 50 disclosure, in this context, does not only say “you are interacting with an AI.” It implies: “the information this assistant provides is drawn from our internal documents.” That implicit claim is defensible if and only if the underlying corpus is itself reliable.

A document corpus that is poorly governed — with unresolved contradictions between documents, expired versions that were never invalidated, duplicate versions that diverge on key figures or procedures — produces AI responses that can be factually incorrect even when the RAG pipeline is technically sound. A faithfulness score of 0.97 offers no protection if the retrieved source documents themselves are in conflict.

In that scenario, the disclosure “this service is powered by your internal documents” is formally accurate and substantively misleading. A regulator auditing an incident — an incorrect response to an HR policy question, a wrong piece of guidance on a compliance procedure — will examine not only the notice displayed but also the traceability of the sources used to generate the answer. This is where the document retrieval log (which is also a requirement under Article 12 for high-risk systems) becomes a legal defense instrument, not merely a technical feature.

In the first assessment of a single document repository, K-AI teams typically identify several hundred anomalies — conflicts, divergent duplicates, expired documents still indexed and accessible to the retrieval layer. Each of these anomalies is a potential point of fragility for the substantive validity of your Article 50 disclosure.

Governing the corpus is not only a performance question. It is a question of legal defensibility.

Frequently Asked Questions

What exactly happens on August 2, 2026 under the EU AI Act?

Article 50(1) enters into force on August 2, 2026. Every AI system designed to interact with natural persons — chatbot, conversational assistant, AI agent — must inform users that they are interacting with an AI system, unless this is obvious from the context. Also effective on that date: Article 4 (AI literacy obligations for teams operating AI systems) and Annex IV documentation requirements for high-risk AI systems already in service. Annex III obligations for new high-risk AI systems were postponed to December 2, 2027 by the Digital Omnibus.

Was the EU AI Act delayed by the Digital Omnibus?

Partially. The May 7, 2026 agreement postponed Annex III compliance for new high-risk AI systems (HR, credit scoring, access to essential services) to December 2, 2027. It also moved Article 50(2) synthetic content watermarking to December 2, 2026. Article 50(1) — the chatbot disclosure requirement — was not postponed and remains effective August 2, 2026.

Does Article 50 apply to internal B2E chatbots such as Copilot M365, Rovo, or an internal RAG assistant?

Yes. Article 50(1) applies to any AI system interacting with natural persons — including a company’s own employees. Internal use does not create an exemption. If your organization has deployed Copilot M365, Rovo, Glean, or any RAG assistant for its workforce, it is a “deployer” under the regulation and carries the disclosure obligation independently of what the software provider has implemented in its standard interface.

What does Article 50(1) specifically require an enterprise chatbot to display?

Clear, accessible, and comprehensible information that the user is interacting with an AI system, displayed at the moment of interaction — not in terms of service or onboarding documentation. The disclosure must be channel-adapted (visible text label for a chat interface, audio message for a voice assistant). No single wording is mandated, but it must unambiguously identify the AI nature of the system. The “obvious AI” exception is interpreted narrowly using an average user standard — it does not automatically apply to HR assistants, finance chatbots, or internal knowledge agents.

Why does a poorly governed document corpus undermine an Article 50 disclosure?

Most enterprise internal chatbots are RAG assistants drawing from internal document repositories. The implicit claim in an Article 50 disclosure — “this service is powered by your internal documents” — is defensible only if the corpus is itself reliable. A corpus containing unresolved contradictions, expired versions still indexed, or divergent duplicates produces incorrect AI responses even when the pipeline is technically well-built. In the event of an audit or incident, regulators will examine not only the notice displayed but also source traceability. Without document governance — and without a document retrieval log as required by Article 12 for high-risk systems — the legal defense rests on fragile ground.

Go Further

The August 2 deadline is 39 days away. The Code of Practice signing deadline is 28 days away. If you want to assess the state of your document corpus before formalizing your Article 50 compliance posture, K-AI teams can conduct an initial diagnostic.

contact@k-ai.ai

K-AI works with CMA CGM, Veolia, PwC, BNP Paribas, TotalEnergies and CEVA Logistics. Partners: AWS, Snowflake, Microsoft, Wavestone, Devoteam.