EU AI Act Deepfake and AI-Generated Content Compliance

Under Article 50 of the EU AI Act, organizations that use AI to generate or manipulate image, audio or video content that constitutes a deepfake must disclose that the content is artificially generated or manipulated. These transparency obligations become enforceable on 2 August 2026. They sit alongside GDPR rather than replacing it, because deepfakes involving real people also process personal data. Engage Compliance helps Seed to Series C companies map their AI features against Article 50, set up disclosure and labelling, and align the work with their existing GDPR program.

What Article 50 requires for deepfakes

Article 50(4) places the disclosure duty on deployers: anyone using an AI system to create or manipulate deepfake image, audio or video must disclose that it is artificially generated, clearly and at the point a person encounters it. Related duties cover providers of generative AI, who must mark outputs in a machine-readable format so they are detectable as AI-generated, and chatbots, which must tell users they are interacting with AI.

There are limited carve-outs. Content that is part of an evidently artistic, creative, satirical or fictional work gets a lighter regime, where a minimal, non-intrusive disclosure is enough. Use authorised by law for detecting or investigating crime is exempt. A standardised EU label for AI-generated content and a Code of Practice on marking and labelling are taking shape through 2026.

Who has to comply

The rules reach far beyond AI labs. If your product or marketing generates or alters realistic media, you likely have obligations. Common cases: SaaS products with generative image, voice or video features; marketing and content tools that produce synthetic media; HR tech that uses AI to generate or alter candidate-facing content; ecommerce using AI-generated product imagery or virtual try-on; and any team publishing AI-altered media that depicts real people.

How deepfake rules interact with GDPR

A deepfake that resembles a real person almost always processes personal data, and where it uses facial or voice characteristics it can involve special category data. You still need a lawful basis, clear transparency to the person depicted, and in many cases a Data Protection Impact Assessment. This is why AI Act readiness should sit with whoever owns privacy, so the disclosure, lawful basis and risk assessment are joined up rather than handled as a separate legal exercise.

The 2 August 2026 deadline and what to do now

Inventory every AI feature in your product and marketing that generates or alters media. Classify each against the Article 50 categories: chatbot, generative output, deepfake, emotion or biometric. Implement disclosure and labelling at first exposure, plus machine-readable marking for generated outputs. Run a DPIA where real people are depicted and document your lawful basis. Track the Code of Practice and the EU label, and update your approach as they finalise.

How we help with AI Act readiness

We run an AI feature inventory, classify each feature against Article 50, design the disclosure and labelling approach, complete the DPIA where personal data is involved, and fold it all into your GDPR program, so you have one coherent privacy and AI governance setup rather than two disconnected ones. Advisory starts at 500 euro per month, with a named DPO from 2,000.

This page is general information about the EU AI Act and is not legal advice. We provide framework readiness and program support, working with your legal counsel where formal legal opinions are required.

EU AI Act deepfake FAQ

What does the EU AI Act require for deepfakes?

It requires deployers who use AI to create deepfake image, audio or video to disclose that the content is artificially generated or manipulated, clearly and at the point people see it. Providers of generative AI must also mark outputs so they are machine-detectable.

When do EU AI Act deepfake rules take effect?

The Article 50 transparency obligations, including deepfake disclosure, become enforceable on 2 August 2026.

Is AI-generated content allowed under the EU AI Act if it is disclosed?

Yes. The Act does not ban AI-generated or deepfake content; it requires transparency. As long as you disclose and, for generative outputs, mark the content as AI-generated, you can use it, with a lighter regime for clearly artistic or satirical work.

Do deepfake rules apply if we only use AI images in marketing?

If those images realistically depict real people or events in a way that could appear authentic, the disclosure duty can apply. Purely synthetic, obviously unreal imagery carries less risk, but it is worth classifying each use to be sure.

How do GDPR and the EU AI Act overlap on deepfakes?

A deepfake of a real person also processes personal data, often biometric, so GDPR applies in parallel: you need a lawful basis, transparency and frequently a DPIA, on top of the AI Act disclosure. Handling both together is far simpler than treating them separately.