On June 29 the EU split the AI Act’s timeline in two. Most teams heard “the deadline moved to 2027” and relaxed. Engineers should hear something different: one set of obligations moved, and the set that lands on August 2, 2026 is the set that touches your code.
Here is the split, precisely. High-risk system obligations under Annex III (the quality management system, risk framework, conformity assessment) moved from August 2, 2026 to December 2, 2027. High-risk AI embedded in regulated products follows in August 2028. But Article 50 transparency obligations, the penalty powers for general-purpose AI, and the national market-surveillance authorities all activate on August 2, 2026, exactly as scheduled. Fines in the transparency band run up to 15 million euros or 3 percent of global turnover.
Article 50 is not a policy document. It is a set of engineering requirements with a ship date. This is the checklist.
1. Chatbot disclosure: users must know they are talking to a machine
Any AI system that interacts directly with people must be designed so those people know they are dealing with AI, unless it is obvious from context. For a customer-facing chatbot, that means a clear disclosure in the conversation surface itself, not a line in your terms of service. Audit every conversational entry point: web chat, in-app assistant, voice line, WhatsApp flows. If a reasonable user could believe a human wrote the reply, you have work to do before August 2.
2. Machine-readable marking of AI-generated content
Systems that generate text, audio, image, or video content must mark their outputs in a machine-readable format so the content is detectable as artificially generated. Two dates matter here. Systems placed on the market before August 2, 2026 get a grace period to December 2, 2026 to bring output marking into compliance. Systems entering the market on or after August 2 must mark from day one. If your product emails customers with AI-written copy or publishes AI-generated summaries, the marking pipeline is now a launch dependency.
3. Inventory which systems are actually in scope
The mapping exercise takes an afternoon and prevents both panic and blind spots. List every system that either talks to a person or generates content a person will see. For each one, record: does it disclose, does it mark outputs, when did it enter the market, and who owns the fix. Most enterprises discover the list is longer than expected, because it includes vendor tools operating under your brand.
4. Ask your vendors the two questions now
If a third-party AI product powers your customer conversations or content, the transparency obligations still reach you as the deployer. Two questions for every vendor: does your product disclose its AI nature to end users in the interaction itself, and do generated outputs carry machine-readable marking? Get the answers in writing. A vendor who cannot answer by August is telling you something.
5. Keep evidence that the disclosure happened
The obligation is not just to disclose; it is to be able to show a regulator that disclosure was in place, for which systems, from which date. Screenshots on a wiki will not survive an inquiry. Log the disclosure state per interaction surface, version it when the UX changes, and keep the record somewhere append-only. When the request letter arrives, the answer should be a lookup, not an archaeology project.
6. Do not waste the sixteen months you just got
The December 2027 extension for high-risk obligations is runway, not relief. The quality management system, the risk framework, the decision-level audit trail: none of those requirements shrank by a clause. Companies that treated GDPR’s grace period as a snooze button spent three to five times more on compliance than the ones that moved early, and the same curve is setting up now. The teams that use 2026 to build decision-level evidence will spend 2027 verifying instead of scrambling.
August 2 is a transparency deadline. December 2027 is an evidence deadline. The teams that conflate them will miss the first and scramble for the second.
The one-week version
- Day 1-2: inventory every user-facing AI surface and every content-generating system; record market-entry dates.
- Day 3: ship disclosure copy on any chatbot surface missing it. This is a UX change, not a research project.
- Day 4: scope the output-marking pipeline; confirm whether the December 2 grace period applies to you.
- Day 5: send the two vendor questions; start the evidence log.
None of this requires a compliance department. It requires an engineering lead with a list and a week. The fines start at numbers that get board attention, and the fixes, for once, are shippable.
Twenty-one days to August 2. Where do you stand?
The Navedas Readiness Assessment maps every AI surface you run against every AI Act requirement, transparency and high-risk both, and delivers the remediation plan in one week.