Overview

The EU AI Act is the EU’s comprehensive AI legislation that regulates artificial intelligence on a risk-based basis. With the EU Council’s final approval on June 29, 2026, of regulations to streamline and revise AI rules, the implementation timeline and classification of obligations that companies must actually prepare for have once again become critical.

There are two particularly noteworthy aspects of these changes.

  1. Transparency requirements for generative AI, chatbots, and deepfakes, effective August 2, 2026
  2. Adjusted implementation dates for high-risk AI systems: Standalone systems on December 2, 2027; systems embedded in products on August 2, 2028

In other words, not all AI obligations take effect on the same day. Companies are not subject to the same obligations simply because they “use AI”; instead, they must assess whether the system interacts with users, generates content, creates deepfakes, is used in high-risk areas, or is linked to product safety regulations.

Key Dates at a Glance

Category Key Details Effective Date
Transparency Requirements for Generative AI, Chatbots, and Deepfakes Notification of interaction with AI, labeling of AI-generated content, disclosure of deepfakes, etc. August 2, 2026
Standalone High-Risk AI Systems Standalone systems in specific high-risk areas such as recruitment, education, essential services, and law enforcement December 2, 2027
High-Risk AI Systems Embedded in Products AI components combined with machinery, equipment, and product safety regulations August 2, 2028
Voluntary Codes and Guidelines Voluntary standards to assist with labeling and disclosure practices Do not replace the legal obligations themselves

Generative AI Transparency Obligations Effective August 2, 2026

Starting August 2, 2026, companies must pay particular attention to the transparency obligations under the AI Act. These obligations do not mean “an unconditional ban on all AI-generated outputs,” but rather require that users and society be informed, notified, and made aware of AI involvement.

1. Chatbots and Conversational AI: Provide a notice to prevent users from mistakenly believing they are conversing with a human

When users interact directly with an AI system, the provider or distributor must ensure that users are aware they are interacting with AI.

For example, the following services may be subject to this requirement:

  • Customer service chatbots
  • AI-powered consultation and reservation systems
  • Interactive AI assistants on websites
  • Voice-based automated response AI
  • Generative AI interfaces that respond to users as if they were human agents

In practice, methods such as clearly stating that “this response is generated by an AI system” on the first screen, in the opening message, via voice prompts, in service descriptions, or through UI labels can be considered.

2. AI-Generated Content: Machine-Readable Labels and Detectability

When AI generates or manipulates synthetic content—such as images, audio, video, or text—it is necessary to label the content to indicate that it was artificially generated or manipulated.

It is important to note that this may require more than just a simple text label; where technically feasible, machine-readable or detectable labeling may be required. This is a measure designed to enable search engines, platforms, verification tools, and AI systems to recognize the source and nature of the content.

Possible implementation methods may vary depending on the content type.

Content Type Examples of Possible Labeling Methods
Image Metadata, watermarks, captions, labels on the posting screen
Video On-screen labels, metadata, synthetic content indicators, disclosure in the description field
Audio Voice prompts, file metadata, disclosure on the publication page
Text AI-generated disclosure on the authoring or publishing screen, metadata, indication of editorial responsibility

However, exceptions and scope are crucial in legal determinations. For example, functions that do not substantially alter the meaning of the input—such as simple adjustments, grammar corrections, or standard editing assistance—may be treated differently from the disclosure obligations for deepfakes or synthetic content.

3. Deepfakes: The fact of manipulation must be clearly disclosed

Deepfakes refer to synthetic or manipulated content that makes real people, objects, places, or events appear to be factual. The transparency requirements under the AI Act focus on disclosing deepfakes to prevent users from mistaking them for actual records.

For example, the following types of content require special attention:

  • Videos that make it appear as though a real person is saying something they did not actually say
  • Synthetic images of people that look like real photographs
  • Content featuring voice replicas of politicians, business leaders, celebrities, etc.
  • Generated videos designed to look like footage of real events

The disclosure method must be appropriate for the context of the content. On short-form video platforms, on-screen labels and disclosures in the description section may be required, while for news and informational content, review by an editor-in-charge and clear indication that the content is generated or manipulated are crucial.

The Significance of Non-Consensual Sexual Deepfakes and AI for Generating Child Sexual Exploitation Material

Two areas that must be distinguished separately in this discussion are non-consensual sexual deepfakes and AI-generated child sexual exploitation material. This is not simply a matter of “since it was created by AI, a label is sufficient.”

Non-Consensual Sexual Deepfakes

Non-consensual sexual deepfakes refer to the act of synthesizing or manipulating sexual images, videos, or audio without the subject’s consent. This area is directly linked to the victim’s right to personality, sexual self-determination, privacy, reputation, and safety.

Therefore, companies must not treat this merely as a matter of labeling general generative content. Platforms, creation tools, APIs, and model distributors must consider the following controls:

  • Blocking requests to generate sexual deepfakes
  • Preventing the misuse of face synthesis involving celebrities and the general public
  • Establishing procedures for reporting, removal, and blocking
  • Sanctioning accounts for repeated violations
  • Safeguards for storage and sharing paths of generated content
  • Blocking requests involving minors or individuals whose consent cannot be verified

AI for Generating Child Sexual Exploitation Material

Child sexual exploitation material—whether targeting real children or synthesized and generated by AI—constitutes an extremely serious illegal and harmful category. The risk does not disappear simply because AI did not directly film the actual victims. This is because generative AI can be misused as a tool to mass-produce or disseminate child sexual exploitation images.

Therefore, in this area, the key priorities are prevention of creation, blocking of access, reporting systems, and law enforcement cooperation, rather than transparency labels. Companies must exercise control not only over content policies but also over model safety, prompt filtering, output review, training data management, and prevention of API abuse.

How Has the Timing for Implementing High-Risk AI Changed?

High-risk AI refers to AI that can have a significant impact on human rights, safety, opportunities, and access to essential services. The AI Act imposes stringent obligations on such systems, including risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness, and cybersecurity.

The key point of this schedule adjustment is that high-risk AI is categorized into standalone systems and systems embedded in products, with different implementation deadlines for each.

Stand-alone High-Risk AI: December 2, 2027

Stand-alone high-risk AI refers to AI systems used for specific high-risk purposes, even if they are not directly linked to product safety certification. For example, the following areas may be relevant:

  • Support for employment-related decision-making, such as hiring, promotion, and termination
  • Admission to educational institutions, assessment, and evaluation of learning outcomes
  • Access to essential private services, such as credit scoring, loans, and insurance
  • Access to public benefits, social security, and essential public services
  • Support related to law enforcement, immigration and border control, and judicial and democratic procedures
  • Sensitive use cases, such as biometric-based identification and classification

These systems must be prepared to comply with the high-risk AI obligations taking effect on December 2, 2027. Simply stating that a model performs well is insufficient; organizations must document the intended use, data, risk management, human oversight, logs, and the responsible party.

High-Risk AI Embedded in Products: August 2, 2028

High-risk AI embedded in products refers to AI integrated into the safety functions of physical products or regulated products, such as machinery, equipment, and medical, industrial, or safety-related products. In this case, the AI Act obligations intersect with existing EU product safety regulations, conformity assessment, CE marking, and quality management systems.

The reason the effective date was adjusted to August 2, 2028, is that there are more factors to prepare for than with simple software services. Since this involves product design, supply chains, hardware integration, testing, certification body procedures, and product release cycles, a longer transition period is necessary.

Why Was the Schedule Adjusted?

The EU’s schedule adjustment is less a measure to weaken or render the AI regulations ineffective and more an effort to align actual enforceability with companies’ ability to prepare. In particular, the obligations for high-risk AI cannot be fulfilled with a simple notice alone.

Companies must prepare the following:

  • Determine whether their systems are high-risk
  • Compile a list of AI systems and document their intended uses
  • Manage dataset sources and quality
  • Establish a risk management framework
  • Design human oversight procedures
  • Ensure logging and traceability
  • Verify accuracy, robustness, and cybersecurity
  • Define the division of responsibilities among suppliers, distributors, importers, and users
  • Preparing technical documentation and conformity assessments

If these obligations take effect before these elements are sufficiently addressed, not only companies but also regulatory authorities may face difficulties in interpretation and enforcement. Therefore, the schedule adjustment can be understood as a measure that grants regulated entities a preparation period while simultaneously enabling effective enforcement.

Why It Is Important to Distinguish Between Voluntary Codes and Actual Legal Obligations

The European Commission has presented practical codes of conduct and policy guidance for the identification and labeling of AI-generated content. These codes serve as useful references for companies on how to apply labels, provide information on the content’s origin, and notify users.

However, voluntary codes are not the same as legal obligations.

Category Voluntary Code Legal Obligation
Nature Practical guidelines and best practices Legal requirements
Participation Voluntary in principle Mandatory if applicable
Effect Helps demonstrate compliance efforts Sanctions may apply for violations
Criteria Specific commitments in the code Provisions of the AI Act, implementation schedule, and interpretations by supervisory authorities
Corporate Response Reference for internal policies and technical implementation Managed according to legal and compliance standards

Therefore, companies should not assume that they have fulfilled all legal obligations simply by “participating in a voluntary code.” Conversely, even if a company does not participate in a voluntary code, it must still separately fulfill the transparency, documentation, and risk management obligations required by law.

Checklist for Companies: What to Check Now

1. Does our service involve interaction with AI?

  • Do users interact directly with chatbots, voice bots, or customer service AI?
  • Could users confuse an AI with a human agent?
  • Is an AI disclosure provided on the first screen or at the start of the conversation?
  • Are the criteria for switching from automated responses to human agents clear?

2. Do we create or distribute AI-generated content?

  • Do we use AI to generate images, videos, audio, or text?
  • Are the generated works published, shared, or sold externally?
  • Can users easily identify that the content was generated or manipulated by AI?
  • Have you reviewed machine-readable indicators such as metadata, watermarks, or labels?

3. Does it include deepfake or synthetic person features?

  • Does the service include features that synthesize the faces, voices, or behaviors of real individuals?
  • Is there a risk of misidentification in public interest sectors such as politics, finance, healthcare, or disaster response?
  • Could the service be misused for non-consensual sexual synthesis, defamation, fraud, or impersonation?
  • Are there procedures in place for reporting, removal, blocking, and account sanctions?

4. Could this be classified as high-risk AI?

  • Is it used in the fields of hiring, education, credit, insurance, public services, law enforcement, immigration, or the judiciary?
  • Does the AI’s output have a substantial impact on people’s rights or opportunities?
  • Is it standalone software, or a safety feature embedded in a product?
  • Have you distinguished whether the effective date is December 2, 2027, or August 2, 2028?

5. Are you confusing autonomous code with legal obligations?

  • Have you compiled a list of legal obligations, regardless of whether you participate in the autonomous code initiative?
  • Do your internal policies, product design, and legal reviews use the same criteria?
  • Have you verified whether your service is provided to EU users or in the EU market?
  • Have you reflected the scope of responsibility for suppliers, distributors, API providers, and client companies in your contracts?

Common Misunderstandings in Practice

This does not mean “all AI-generated content is prohibited”

AI-generated content itself is not prohibited. The key point is that users must be able to recognize when content has been generated or manipulated by AI. However, non-consensual sexual deepfakes, child sexual exploitation material, and content intended for fraud, impersonation, or rights infringement must be managed as separate high-risk categories.

It also does not mean “simply adding a label solves all problems”

Labeling is only part of the transparency obligation. If content is illegal, infringes on the rights of others, poses a safety hazard, or is used for high-risk decision-making, additional obligations or prohibitions may apply regardless of whether it is labeled.

This does not mean, “Since the high-risk AI timeline has been delayed, we can postpone our preparations”

Compliance with high-risk AI obligations requires significant preparation time. Data governance, risk management, technical documentation, and human oversight systems are not add-ons that can be implemented just before a product launch. Even with the revised schedule, it is safest to begin system cataloging and risk classification starting in 2026.

Conclusion

The most important practical takeaway from the EU AI Act’s new schedule is clear: Starting August 2, 2026, generative AI, chatbots, and and deepfakes, and preparations for high-risk AI obligations—divided between standalone and product-embedded systems—must be completed by December 2, 2027, and August 2, 2028, respectively.

For companies, having only self-regulatory codes, technical guidelines, and internal ethical principles is not enough. Based on when actual legal obligations take effect, which systems they apply to, and which business roles are subject to them, companies must also establish AI inventories, labeling systems, risk management processes, documentation, and procedures for blocking prohibited content.