Back to Blog Listing

The 2 August deadline that most compliance teams have not scoped yet

The 2 August deadline that most compliance teams have not scoped yet
Kacper Osiewalski Jul 4, 2026 4 min read

Written by: Kacper Osiewalski, Lead Backend Engineer, Digital Colliers

If your firm ships anything customer-facing that uses AI, you have a hard date on the calendar. Article 50 of the EU AI Act starts applying on 2 August 2026. Most compliance teams I talk to have this pencilled in, but very few have actually scoped the work. And in financial services, the surface area is bigger than people think.

This piece goes deeper than the LinkedIn post. If you are the person who is going to own the disclosure workflow, here is what to look at now.

What Article 50 actually asks for

Article 50 is the transparency layer of the Act. It sits separately from the high-risk regime, which does not apply until 2 December 2027. Do not conflate the two. Article 50 is narrower in scope but broader in reach, because it hits almost every customer touchpoint, not just the models flagged as high-risk.

The short version of what you owe users from 2 August 2026:

  • People interacting with an AI system need to be told they are interacting with an AI, unless it is obvious from context.
  • Synthetic or manipulated content (text, audio, image, video) needs to be marked as artificially generated in a machine-readable way.
  • Deepfakes and AI-generated text published to inform the public on matters of public interest need clear labelling.
  • Emotion recognition and biometric categorisation systems need to inform the people exposed to them.

Fines for non-compliance sit at up to €15M or 3% of global turnover, in the same band as the rest of the Act's operator obligations. That is enough to get a board meeting scheduled, so it is worth scoping properly.

The customer-touch map most orgs do not have

The gap I keep seeing is not legal interpretation. It is inventory. Compliance teams have a decent view of the models the data science group has shipped. They have almost no view of the AI features that product teams have quietly wired in through vendors over the last 18 months.

Before you can scope a disclosure workflow, you need a map. For a mid-sized bank or insurer, that usually covers:

  • Chatbots and virtual assistants on web, app, and IVR.
  • AI-assisted email or in-app messaging (draft-generation, tone rewriting, auto-reply).
  • Document summarisation shown to customers (policy explainers, statement summaries).
  • Knowledge-base search that uses a language model to synthesise answers.
  • Voice biometrics and call-centre sentiment tooling.
  • Any marketing content generated with AI that goes out under the firm's name.
  • Fraud and onboarding flows that show AI-derived reasoning to the customer.

Each one gets a row. Each row gets a decision: does it need a disclosure, and if so, what does the disclosure say and where does it appear. Do this before you brief legal, not after. Legal cannot draft against a system they have not seen inventoried.

Scoping the disclosure workflow itself

A disclosure workflow is not one banner. It is a small pipeline. Reviewing what operators shipping this in 2026 tend to build, the shape is roughly:

  1. A registry of AI features with an owner, a purpose, and a disclosure decision recorded against each.
  2. A UI pattern library, so disclosures look consistent and can be audited.
  3. A content pipeline that marks synthetic outputs with the required machine-readable provenance signals.
  4. A change-control gate. New AI feature ships only after registry entry and disclosure sign-off.
  5. Evidence capture. Screenshots, timestamps, versioned copy, kept somewhere an auditor can find.

The last one is where GDPR programmes teach us something useful. The firms that survived GDPR audits well were the ones with evidence, not the ones with the prettiest policies. Same story here.

The tension nobody wants to talk about

There is real tension between compliance and product roadmaps. Every disclosure the product team ships is a small friction added to a customer journey they have spent quarters optimising. Expect pushback on wording, placement, and timing.

The SCHUFA ruling from December 2023 is a useful reference point when that conversation gets hot. It made clear that automated decisions carrying legal or significant effects on individuals already sit under GDPR scrutiny, independent of the AI Act. In other words, this is not a new regulatory posture in Europe. It is the direction of travel becoming explicit.

If you start the mapping exercise this quarter, you have runway. If you wait for Q2 2026, you will be scoping, drafting, and shipping under time pressure, with product owners who feel ambushed. That is the failure mode to avoid.

Related Posts