EU AI Act Chatbot Disclosure Requirements 2026
Here's the good news most EU AI Act coverage buries: if your SaaS just has a chatbot or AI assistant, you are almost certainly not high-risk. You fall into the limited-risk "transparency" tier — and compliance is mostly telling people, clearly, that they're talking to an AI. This guide covers exactly what that means.
What Article 50 Actually Requires
The EU AI Act's transparency rules live in Article 50. They cover four situations, all centered on one principle: people should not be deceived about whether they're dealing with AI.
- AI systems that interact directly with people (chatbots, voice agents) must inform users they're talking to an AI.
- AI that generates synthetic audio, image, video, or text must mark outputs as artificially generated in a machine-readable form.
- Deepfakes (AI-generated or manipulated media resembling real people/events) must be disclosed as artificially generated.
- Emotion recognition and biometric categorization systems must inform the people exposed to them.
These obligations apply regardless of risk tier. Even a minimal-risk feature must meet the relevant transparency duty if it interacts with people or generates synthetic content.
The "Obvious From Context" Exemption
You don't have to slap "I AM A ROBOT" on everything. Article 50 carves out interactions where the AI nature is obvious from the standpoint of a reasonably well-informed, observant, and circumspect person, considering the circumstances and context.
In practice: a code autocomplete that visibly suggests code, an image filter the user just applied, or a tool literally branded "AI Writer" that the user opened on purpose — these are obviously AI, so no separate disclosure is needed. The obligation targets cases of potential deception: a support chat that could pass for a human agent, a sales assistant, a voice bot.
What a Compliant Chatbot Disclosure Looks Like
The Act doesn't dictate exact wording, but the disclosure must be clear, timely, and understandable. Here's how the requirement maps to concrete UI choices.
Timing: At the Start of the Interaction
REQUIREDInform the user before or at the moment they begin interacting — not buried in a terms-of-service link. A first message or a persistent label in the chat header both work. Disclosing only after the conversation ends does not satisfy the rule.
Action: Add an opening line or header: 'You're chatting with an AI assistant.'
Clarity: Plain, Unambiguous Language
REQUIREDThe user must actually understand it's an AI. Vague brand names ('Ask Aria') or a small avatar are not enough on their own. Use language a layperson reads as 'this is a machine, not a person.'
Action: Prefer 'AI assistant' / 'automated assistant' over ambiguous product names alone.
Accessibility of the Disclosure
BEST PRACTICEThe disclosure itself must be perceivable to all users, including those using screen readers. A disclosure conveyed only by a subtle visual cue fails for non-sighted users — and intersects with EU accessibility law (EAA).
Action: Expose the 'AI' label as real text / ARIA, not an image or color cue alone.
Synthetic Content: Machine-Readable Marking
REQUIRED FOR GENERATORSIf your product generates synthetic images, audio, video, or text, mark outputs as AI-generated in a machine-readable way (e.g., metadata/provenance signals such as C2PA where feasible), plus user-facing labels for deepfakes and public-interest text.
Action: Implement output labeling and provenance metadata for generative features.
Provider vs. Deployer: Who Owes the Disclosure?
The Act splits transparency duties between the provider(who builds/places the AI system on the market) and the deployer(who uses it). For a typical SaaS:
- If you build the chatbot into your product using an LLM API (OpenAI, Anthropic, etc.), you are generally the deployer of an interactive AI system toward your end users — so the duty to inform users they're talking to an AI is yours, not the model provider's.
- If you build a generative tool that others embed, you may be the provider responsible for machine-readable marking of synthetic outputs.
- Deepfake/public-interest text publishers carry the deployer disclosure duty when they release such content.
The takeaway: don't assume "the model provider handles compliance." The user-facing disclosure for your chatbot is your responsibility as the deployer.
Where Transparency Stops and High-Risk Begins
A chatbot is limited-risk — until it's used for a high-risk purpose. The same underlying tech can cross the line depending on what decision it drives.
Limited-Risk: Disclosure Only
Customer-support chatbot, sales/FAQ assistant, in-app help bot, AI writing assistant, content generator. Obligation: tell users it's AI; label synthetic outputs. No technical file or registration required.
High-Risk: Full Obligations
An AI assistant that screens job applicants, decides creditworthiness, triages patients, or gates access to essential services. This jumps to high-risk: risk management, documentation, human oversight, EU database registration.
Prohibited: No Compliance Path
Manipulative AI exploiting vulnerabilities, social scoring, or certain biometric/emotion uses in workplaces and schools. Banned since February 2025 — disclosure does not make these permissible.
Overlap With GDPR & EAA
If your chatbot processes personal data, GDPR still applies (lawful basis, notices). If it's a consumer-facing service, the European Accessibility Act requires it be accessible. Transparency compliance does not discharge these.
Chatbot Transparency Compliance Checklist
For a typical limited-risk SaaS chatbot, steps 1–5 get you compliant. Steps 6–8 apply if you generate synthetic content.
This article is general information, not legal advice. EU AI Act guidance and harmonised standards continue to evolve — confirm Article 50 details and effective dates with qualified EU counsel before relying on them.
Make sure your AI disclosure is actually accessible
A disclosure that screen readers can't announce fails both the EU AI Act and the European Accessibility Act. RatedWithAI scans your product to catch issues like this. Start free.
Scan Your Product for Free →Frequently Asked Questions
Does the EU AI Act require chatbots to say they're AI?
Yes. Article 50 requires AI systems that interact directly with people to inform users they're dealing with an AI, unless it's obvious from context to a reasonably well-informed person. A customer-facing chatbot that could be mistaken for a human agent must disclose its AI nature at the start of the interaction.
When does the EU AI Act chatbot disclosure rule take effect?
The Article 50 transparency obligations apply from August 2026 — the same date high-risk obligations become enforceable. Prohibited practices were enforceable from February 2025 and GPAI obligations from August 2025. If you have an EU-facing chatbot, August 2026 is your deadline to have disclosures in place.
Is my SaaS chatbot 'high-risk' under the EU AI Act?
Almost certainly not, if it's a support, sales, FAQ, or writing assistant. Those are limited-risk and only carry transparency obligations. A chatbot becomes high-risk only when it drives consequential decisions — screening job candidates, determining credit, triaging patients, or gating essential services. The use case, not the technology, sets the tier.
What's the penalty for not disclosing an AI chatbot?
Transparency violations fall under the EU AI Act's penalty regime — up to €15M or 3% of global annual turnover for many obligation breaches (with higher caps for prohibited practices and lower ones for SMEs/startups). Beyond fines, failing to disclose can also expose you to consumer-protection and unfair-practices claims in member states.
Do I have to label AI-generated images and text too?
Often, yes. Providers of generative AI must mark synthetic audio, image, video, and text as artificially generated in a machine-readable form. Deployers publishing deepfakes or AI-generated text on matters of public interest must disclose the artificial nature, with narrow exceptions for clearly artistic or editorial-reviewed content. Plan for both labeling and provenance metadata.