The EU AI Act’s implementation schedule has changed again: New standards for generative AI labeling and high-risk AI regulations ================================================================================================================================ With the EU Council’s final approval of the Regulation on the Simplification of AI Rules on June 29, 2026, the preparation standards for companies regarding generative AI transparency obligations and the implementation timeline for high-risk AI have been readjusted. The key points are the labeling and notification requirements that take effect on August 2, 2026, and the distinction between the implementation timelines for standalone and product-embedded high-risk AI. - Starting August 2, 2026, AI transparency requirements—including chatbot disclosures, labeling of AI-generated content, and disclosure of deepfakes—will take full effect. - The effective dates for the implementation of high-risk AI have been adjusted to December 2, 2027, for standalone systems, and August 2, 2028, for systems embedded in products. - AI used to create non-consensual sexual deepfakes and child sexual exploitation material should not merely be subject to disclosure requirements but should be treated as prohibited and a serious violation of the law. - While the EU’s code of conduct and practical guidelines are tools to aid compliance, actual legal liability is determined in accordance with the provisions and implementation schedule of the AI Act. Overview The EU AI Act is the EU’s comprehensive AI legislation that regulates artificial intelligence on a risk-based basis. With the EU Council’s final approval on June 29, 2026, of regulations to streamline and revise AI rules, the implementation timeline and classification of obligations that companies must actually prepare for have once again become critical. There are two particularly noteworthy aspects of these changes. Transparency requirements for generative AI, chatbots, and deepfakes, effective August 2, 2026 Adjusted implementation dates for high-risk AI systems: Standalone systems on December 2, 2027; systems embedded in products on August 2, 2028 In other words, not all AI obligations take effect on the same day. Companies are not subject to the same obligations simply because they “use AI”; instead, they must assess whether the system interacts with users, generates content, creates deepfakes, is used in high-risk areas, or is linked to product safety regulations. Key Dates at a Glance Category Key Details Effective Date Transparency Requirements for Generative AI, Chatbots, and Deepfakes Notification of interaction with AI, labeling of AI-generated content, disclosure of deepfakes, etc. August 2, 2026 Standalone High-Risk AI Systems Standalone systems in specific high-risk areas such as recruitment, education, essential services, and law enforcement December 2, 2027 High-Risk AI Systems Embedded in Products AI components combined with machinery, equipment, and product safety regulations August 2, 2028 Voluntary Codes and Guidelines Voluntary standards to assist with labeling and disclosure practices Do not replace the legal obligations themselves Generative AI Transparency Obligations Effective August 2, 2026 Starting August 2, 2026, companies must pay particular attention to the transparency obligations under the AI Act. These obligations do not mean “an unconditional ban on all AI-generated outputs,” but rather require that users and society be informed, notified, and made aware of AI involvement. 1. Chatbots and Conversational AI: Provide a notice to prevent users from mistakenly believing they are conversing with a human When users interact directly with an AI system, the provider or distributor must ensure that users are aware they are interacting with AI. For example, the following services may be subject to this requirement: Customer service chatbots AI-powered consultation and reservation systems Interactive AI assistants on websites Voice-based automated response AI Generative AI interfaces that respond to users as if they were human agents In practice, methods such as clearly stating that “this response is generated by an AI system” on the first screen, in the opening message, via voice prompts, in service descriptions, or through UI labels can be considered. 2. AI-Generated Content: Machine-Readable Labels and Detectability When AI generates or manipulates synthetic content—such as images, audio, video, or text—it is necessary to label the content to indicate that it was artificially generated or manipulated. It is important to note that this may require more than just a simple text label; where technically feasible, machine-readable or detectable labeling may be required. This is a measure designed to enable search engines, platforms, verification tools, and AI systems to recognize the source and nature of the content. Possible implementation methods may vary depending on the content type. Content Type Examples of Possible Labeling Methods Image Metadata, watermarks, captions, labels on the posting screen Video On-screen labels, metadata, synthetic content indicators, disclosure in the description field Audio Voice prompts, file metadata, disclosure on the publication page Text AI-generated disclosure on the authoring or publishing screen, metadata, indication of editorial responsibility However, exceptions and scope are crucial in legal determinations. For example, functions that do not substantially alter the meaning of the input—such as simple adjustments, grammar corrections, or standard editing assistance—may be treated differently from the disclosure obligations for deepfakes or synthetic content. 3. Deepfakes: The fact of manipulation must be clearly disclosed Deepfakes refer to synthetic or manipulated content that makes real people, objects, places, or events appear to be factual. The transparency requirements under the AI Act focus on disclosing deepfakes to prevent users from mistaking them for actual records. For example, the following types of content require special attention: Videos that make it appear as though a real person is saying something they did not actually say Synthetic images of people that look like real photographs Content featuring voice replicas of politicians, business leaders, celebrities, etc. Generated videos designed to look like footage of real events The disclosure method must be appropriate for the context of the content. On short-form video platforms, on-screen labels and disclosures in the description section may be required, while for news and informational content, review by an editor-in-charge and clear indication that the content is generated or manipulated are crucial. The Significance of Non-Consensual Sexual Deepfakes and AI for Generating Child Sexual Exploitation Material Two areas that must be distinguished separately in this discussion are non-consensual sexual deepfakes and AI-generated child sexual exploitation material. This is not simply a matter of “since it was created by AI, a label is sufficient.” Non-Consensual Sexual Deepfakes Non-consensual sexual deepfakes refer to the act of synthesizing or manipulating sexual images, videos, or audio without the subject’s consent. This area is directly linked to the victim’s right to personality, sexual self-determination, privacy, reputation, and safety. Therefore, companies must not treat this merely as a matter of labeling general generative content. Platforms, creation tools, APIs, and model distributors must consider the following controls: Blocking requests to generate sexual deepfakes Preventing the misuse of face synthesis involving celebrities and the general public Establishing procedures for reporting, removal, and blocking Sanctioning accounts for repeated violations Safeguards for storage and sharing paths of generated content Blocking requests involving minors or individuals whose consent cannot be verified AI for Generating Child Sexual Exploitation Material Child sexual exploitation material—whether targeting real children or synthesized and generated by AI—constitutes an extremely serious illegal and harmful category. The risk does not disappear simply because AI did not directly film the actual victims. This is because generative AI can be misused as a tool to mass-produce or disseminate child sexual exploitation images. Therefore, in this area, the key priorities are prevention of creation, blocking of access, reporting systems, and law enforcement cooperation, rather than transparency labels. Companies must exercise control not only over content policies but also over model safety, prompt filtering, output review, training data management, and prevention of API abuse. How Has the Timing for Implementing High-Risk AI Changed? High-risk AI refers to AI that can have a significant impact on human rights, safety, opportunities, and access to essential services. The AI Act imposes stringent obligations on such systems, including risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness, and cybersecurity. The key point of this schedule adjustment is that high-risk AI is categorized into standalone systems and systems embedded in products, with different implementation deadlines for each. Stand-alone High-Risk AI: December 2, 2027 Stand-alone high-risk AI refers to AI systems used for specific high-risk purposes, even if they are not directly linked to product safety certification. For example, the following areas may be relevant: Support for employment-related decision-making, such as hiring, promotion, and termination Admission to educational institutions, assessment, and evaluation of learning outcomes Access to essential private services, such as credit scoring, loans, and insurance Access to public benefits, social security, and essential public services Support related to law enforcement, immigration and border control, and judicial and democratic procedures Sensitive use cases, such as biometric-based identification and classification These systems must be prepared to comply with the high-risk AI obligations taking effect on December 2, 2027. Simply stating that a model performs well is insufficient; organizations must document the intended use, data, risk management, human oversight, logs, and the responsible party. High-Risk AI Embedded in Products: August 2, 2028 High-risk AI embedded in products refers to AI integrated into the safety functions of physical products or regulated products, such as machinery, equipment, and medical, industrial, or safety-related products. In this case, the AI Act obligations intersect with existing EU product safety regulations, conformity assessment, CE marking, and quality management systems. The reason the effective date was adjusted to August 2, 2028, is that there are more factors to prepare for than with simple software services. Since this involves product design, supply chains, hardware integration, testing, certification body procedures, and product release cycles, a longer transition period is necessary. Why Was the Schedule Adjusted? The EU’s schedule adjustment is less a measure to weaken or render the AI regulations ineffective and more an effort to align actual enforceability with companies’ ability to prepare. In particular, the obligations for high-risk AI cannot be fulfilled with a simple notice alone. Companies must prepare the following: Determine whether their systems are high-risk Compile a list of AI systems and document their intended uses Manage dataset sources and quality Establish a risk management framework Design human oversight procedures Ensure logging and traceability Verify accuracy, robustness, and cybersecurity Define the division of responsibilities among suppliers, distributors, importers, and users Preparing technical documentation and conformity assessments If these obligations take effect before these elements are sufficiently addressed, not only companies but also regulatory authorities may face difficulties in interpretation and enforcement. Therefore, the schedule adjustment can be understood as a measure that grants regulated entities a preparation period while simultaneously enabling effective enforcement. Why It Is Important to Distinguish Between Voluntary Codes and Actual Legal Obligations The European Commission has presented practical codes of conduct and policy guidance for the identification and labeling of AI-generated content. These codes serve as useful references for companies on how to apply labels, provide information on the content’s origin, and notify users. However, voluntary codes are not the same as legal obligations. Category Voluntary Code Legal Obligation Nature Practical guidelines and best practices Legal requirements Participation Voluntary in principle Mandatory if applicable Effect Helps demonstrate compliance efforts Sanctions may apply for violations Criteria Specific commitments in the code Provisions of the AI Act, implementation schedule, and interpretations by supervisory authorities Corporate Response Reference for internal policies and technical implementation Managed according to legal and compliance standards Therefore, companies should not assume that they have fulfilled all legal obligations simply by “participating in a voluntary code.” Conversely, even if a company does not participate in a voluntary code, it must still separately fulfill the transparency, documentation, and risk management obligations required by law. Checklist for Companies: What to Check Now 1. Does our service involve interaction with AI? Do users interact directly with chatbots, voice bots, or customer service AI? Could users confuse an AI with a human agent? Is an AI disclosure provided on the first screen or at the start of the conversation? Are the criteria for switching from automated responses to human agents clear? 2. Do we create or distribute AI-generated content? Do we use AI to generate images, videos, audio, or text? Are the generated works published, shared, or sold externally? Can users easily identify that the content was generated or manipulated by AI? Have you reviewed machine-readable indicators such as metadata, watermarks, or labels? 3. Does it include deepfake or synthetic person features? Does the service include features that synthesize the faces, voices, or behaviors of real individuals? Is there a risk of misidentification in public interest sectors such as politics, finance, healthcare, or disaster response? Could the service be misused for non-consensual sexual synthesis, defamation, fraud, or impersonation? Are there procedures in place for reporting, removal, blocking, and account sanctions? 4. Could this be classified as high-risk AI? Is it used in the fields of hiring, education, credit, insurance, public services, law enforcement, immigration, or the judiciary? Does the AI’s output have a substantial impact on people’s rights or opportunities? Is it standalone software, or a safety feature embedded in a product? Have you distinguished whether the effective date is December 2, 2027, or August 2, 2028? 5. Are you confusing autonomous code with legal obligations? Have you compiled a list of legal obligations, regardless of whether you participate in the autonomous code initiative? Do your internal policies, product design, and legal reviews use the same criteria? Have you verified whether your service is provided to EU users or in the EU market? Have you reflected the scope of responsibility for suppliers, distributors, API providers, and client companies in your contracts? Common Misunderstandings in Practice This does not mean “all AI-generated content is prohibited” AI-generated content itself is not prohibited. The key point is that users must be able to recognize when content has been generated or manipulated by AI. However, non-consensual sexual deepfakes, child sexual exploitation material, and content intended for fraud, impersonation, or rights infringement must be managed as separate high-risk categories. It also does not mean “simply adding a label solves all problems” Labeling is only part of the transparency obligation. If content is illegal, infringes on the rights of others, poses a safety hazard, or is used for high-risk decision-making, additional obligations or prohibitions may apply regardless of whether it is labeled. This does not mean, “Since the high-risk AI timeline has been delayed, we can postpone our preparations” Compliance with high-risk AI obligations requires significant preparation time. Data governance, risk management, technical documentation, and human oversight systems are not add-ons that can be implemented just before a product launch. Even with the revised schedule, it is safest to begin system cataloging and risk classification starting in 2026. Conclusion The most important practical takeaway from the EU AI Act’s new schedule is clear: Starting August 2, 2026, generative AI, chatbots, and and deepfakes, and preparations for high-risk AI obligations—divided between standalone and product-embedded systems—must be completed by December 2, 2027, and August 2, 2028, respectively. For companies, having only self-regulatory codes, technical guidelines, and internal ethical principles is not enough. Based on when actual legal obligations take effect, which systems they apply to, and which business roles are subject to them, companies must also establish AI inventories, labeling systems, risk management processes, documentation, and procedures for blocking prohibited content. FAQ Q. Will all generative AI be banned starting August 2, 2026? A. No. The key point is not a ban, but an obligation to ensure transparency. Requirements include disclosing interactions with chatbots, labeling AI-generated content, and disclosing deepfakes. However, areas involving serious harm—such as non-consensual sexual deepfakes or the creation of child sexual exploitation material—should be considered prohibited and illegal, as they cannot be addressed by simple labeling alone. Q. What kind of disclosure is required for a chatbot? A. It must be made clear to users that they are interacting with an AI system so that they do not mistake it for a conversation with a human. For example, this can be indicated through the conversation start screen, the first response, voice prompts, service descriptions, and UI labels. Q. Is it enough to label AI-generated content based solely on the text visible to humans? A. This is not always the case. The intent of the AI Act is to include not only human-readable labels but also, to the extent technically feasible, labels that can be read or detected by machines. It is advisable to review metadata, watermarks, content source information, and labels on the posting screen together. Q. Are all deepfakes illegal? A. Deepfakes are not illegal in all cases. There may be legitimate contexts, such as satire, creative expression, or the production of legal videos. However, when there is a risk of mistaking the content for real people or events, the fact that it is manipulated must be disclosed; furthermore, the creation of non-consensual sexual deepfakes or child sexual exploitation material constitutes a separate and serious criminal offense. Q. How has the timing for implementing high-risk AI changed? A. Based on this schedule, the key implementation dates are December 2, 2027, for standalone high-risk AI systems, and August 2, 2028, for high-risk AI systems embedded in products. Standalone systems primarily consist of software-based AI used for specific purposes such as recruitment, education, credit, and public services, while product-embedded systems primarily consist of AI components combined with product safety regulations. Q. What is the difference between standalone high-risk AI and high-risk AI embedded in products? A. Standalone high-risk AI refers to software-based systems that support decision-making or evaluation in specific high-risk areas. Product-embedded high-risk AI refers to AI integrated into the functionality of physical products or regulated products, such as machinery, equipment, and safety-related products. The latter may raise issues related to product safety certification and conformity assessment procedures. Q. Does participating in a voluntary code of conduct mean that all obligations under the AI Act have been fulfilled? A. That is not the case. While voluntary codes may serve as tools to assist with practical implementation—such as labeling and disclosure—they do not replace the legal obligations themselves. Regardless of whether they participate in a voluntary code, companies must fulfill their obligations in accordance with the provisions of the AI Act, its implementation schedule, and the interpretations of the regulatory authorities. Q. Are companies outside the EU also affected by this schedule? A. Companies outside the EU may also be affected if they provide AI systems to the EU market, offer services to users within the EU, or if their AI outputs are used in the EU. Whether the regulations actually apply must be assessed based on the service delivery structure, user location, contractual relationships, and the role of the system. Q. What should a company do first? A. The first step is to create an AI inventory. You must classify the AI systems you operate: whether they are generative AI, interact directly with users, have deepfake capabilities, are used in high-risk areas, and whether they are standalone or embedded in products. Next, you must establish procedures for labeling, disclosure, risk management, documentation, and blocking prohibited content. Sources - Council of the EU press release: Artificial Intelligence — Council Gives Final Approval to Simplify and Streamline Rules: https://www.consilium.europa.eu/en/press/press-releases/2026/06/29/artificial-intelligence-council-gives-final-green-light-to-simplify-and-streamline-rules/pdf/ - Council of the EU: Timeline — Artificial Intelligence Act: https://www.consilium.europa.eu/en/policies/artificial-intelligence-act/timeline-artificial-intelligence/ - European Commission: Code of Practice for Marking and Labeling AI-Generated Content: https://digital-strategy.ec.europa.eu/en/news/commission-publishes-code-practice-marking-and-labelling-ai-generated-content - European Commission policy page: Code of Practice on AI-Generated Content: https://digital-strategy.ec.europa.eu/en/policies/code-practice-ai-generated-content Images - EU map, calendar timeline, scales, shield, and AI icons illustrating AI regulation: https://injoys.com/rails/active_storage/blobs/redirect/eyJfcmFpbHMiOnsiZGF0YSI6NjA5LCJwdXIiOiJibG9iX2lkIn19--8e16e4963edd51ee36a6858032a5df94de0fe542/ai-c8ae09ee.webp - Flowchart linking text, image, video, audio and code inputs to a dashboard and AI machine with checks: https://injoys.com/rails/active_storage/blobs/redirect/eyJfcmFpbHMiOnsiZGF0YSI6NjE1LCJwdXIiOiJibG9iX2lkIn19--9cf4862ca7f5c6ad7f0c4ae109d881fccfb4a3fe/ai-5220d203.webp --- Category: AI Data Source: https://injoys.com/en/articles/eu-ai-act-timeline-generative-ai-transparency-high-risk-ai License: cc_by Translation-Status: reviewed