5 EU AI Act transparency checks your board owes before August 2

I read two things this week that, side by side, explain why a lot of boards are about to get a surprise. On June 24, Sidley’s privacy team published a plain walkthrough of what becomes binding on August 2. The day after, Mondaq’s European tech desk wrote up the final Parliament vote that everyone assumed had pushed those rules back.

The headline most executives remember is “the EU delayed the AI Act.” That happened. It just did not happen to the part that touches the most companies.

What the Digital Omnibus actually moved, and what it left alone

Here is what got lost in the relief. When the European Parliament gave final approval to the targeted AI Act amendments on June 16, the vote was not close: 423 in favour, 57 against, 174 abstentions. That package did push back the deadlines that scared everyone. The Annex III high-risk obligations now sit in December 2027, and a board that spent the spring worried about conformity assessments genuinely has more room than it did three months ago. That relief is real.

But the same package was specific about what it did not move. To quote Mondaq: “Parliament has approved the extension of the implementation timeline for the transparency and watermarking obligations under Article 50(2) AI Act until 2 December 2026. All other transparency obligations will continue to apply from 2 August 2026.”

Read that twice. One narrow slice, the provider obligation to embed machine-readable marks in generated output, slipped four months. Everything else in Article 50 stayed exactly where it was. And Article 50 is the part of this law that reaches normal companies, not just the labs building frontier models.

Sidley put the scope in one sentence on June 24: “From 2 August 2026, organisations will become subject to the transparency obligations set out in Article 50 of the EU AI Act.” Not high-risk providers. Organisations. Any company running a customer-facing chatbot, generating marketing images or copy with AI, or publishing AI-assisted content on matters of public interest is inside this deadline, and it did not move.

Five checks to run before the file goes quiet

I want to keep this calm, because the work here is smaller than the penalty number suggests. Most of August 2 is disclosure, not redesign: telling people when they are talking to a machine, and labelling content that a machine made. That is a project a competent team finishes in five weeks, as long as someone owns it. Here are five checks, each tied to a specific obligation, each answerable with a yes, a no, or a name.

1. Confirm every customer-facing AI conversation says it is AI

   Article 50(1) is the simplest one to close and the easiest one to miss. Sidley's summary: providers of interactive systems "must inform users they are interacting with an AI system, unless this is already obvious in the relevant context." Walk every chatbot, voice agent, and support copilot. The disclosure has to be clear and up front, not buried in a footer nobody reads. This is a one-afternoon fix that becomes a finding when it is skipped.

2. Decide who marks the generated content, and when

   The provider duty to mark synthetic output in a machine-readable format is the one piece that moved to December 2 for systems already on the market, which is not a reason to ignore it until November. The decision to make now is whether to rely on the model vendor's marking or build it in-house, because the Commission's June 10 Code of Practice is explicit that no single technique is enough. It calls for layered marking: C2PA provenance in the file plus an invisible watermark that survives compression and cropping. That is a vendor conversation, not a checkbox.

3. Label deepfakes and AI-written public-interest content

   The deployer obligations stay live for August 2. When a marketing or comms team produces AI-generated images of people, or publishes AI-written articles on matters of public interest, those need a clear disclosure at the point of publication. Sidley's guidance is direct: deployers must "clearly disclose that the content has been artificially generated or manipulated." The labelling rules apply even when there was no intent to deceive.

4. Screen any emotion-recognition or biometric system twice

   Any deployment of emotion-recognition or biometric categorisation owes affected people notice under Article 50, and it should be screened first against the Article 5 prohibitions. Worth flagging for the board: the same June package added a fresh prohibition on AI that generates non-consensual intimate images and child sexual abuse material, with a December 2 compliance date. If any product surface could be misused that way, that is now a named legal line, not a content-policy preference.

5. Produce the AI inventory that makes the other four checks possible

   A company cannot disclose, mark, or label systems it has not listed. This is where most teams stall, and the data is uncomfortable. Across the four steps Sidley recommends, the first is to map relevant AI use cases, and nobody can map what was never inventoried. Make a named owner responsible for a living list of every AI system that touches a customer or produces published content. Everything else on this page depends on that list existing.

Three questions the board will ask, with answers that do not flinch

When this hits the agenda, the questions are predictable. Here is how to answer them without manufacturing panic.

“Didn’t the EU push this back?” Partly. The high-risk obligations moved to December 2027, a genuine reprieve. The transparency obligations under Article 50 did not move, except for one narrow watermarking duty that slipped to December 2, 2026. Disclosure and labelling are still owed on August 2.

“What happens if we miss it?” Article 50 breaches sit in the law’s middle penalty tier: up to 15 million euros or 3 percent of total worldwide annual turnover, whichever is higher. From August 2, national market surveillance authorities can investigate and sanction. The realistic near-term risk is not a maximum fine on day one; it is being the unprepared company that draws the first scrutiny. The fix is cheap relative to that exposure.

“Are we even able to comply?” This is the honest one, and for most companies the answer is “not yet, because we have not finished the inventory.” A Cloud Security Alliance research note from March found that over half of organisations lack a systematic inventory of their AI systems, and only 18 percent had fully implemented AI governance frameworks despite 88 percent using AI operationally. That gap is the actual project.

August 2 is not a redesign deadline. It is a "can the company name its AI systems and tell people when they are talking to one" deadline. The companies that struggle are the ones who never made the list.

The 60-second version for the board

If there is one minute on the agenda, say this. The EU delayed the hard parts of the AI Act to 2027, and that is good news we will use. But the transparency rules that apply to our chatbots, our AI-generated content, and our published AI material are still live for August 2 this year. The work is mostly disclosure and labelling, not engineering. The blocker is that we have not inventoried our AI systems yet, so I am assigning a named owner to produce that list in two weeks, and the disclosure changes follow from it. Penalty exposure is the 15 million euro tier, so this is worth doing properly, and we have time to do it calmly.

Relief on the deadlines that scared everyone, discipline on the one that quietly stayed.

What to watch between now and August

The Commission’s final transparency guidelines are still pending. The draft went out for consultation on May 8 and the comment window closed June 3, so the finished, non-binding guidance is expected before August 2. It will not change the obligations, but it will sharpen the edge cases, especially around what counts as “obvious” disclosure and what content qualifies as public interest. Watch for it, hand it to whoever owns the inventory, and let the rest of the noise wash past. There is a list to build, and five weeks is plenty of time to build it.