On July 22, 2026, at 18:00 CEST, the window closes for AI providers to sign the EU’s Code of Practice on Transparency of AI-Generated Content. Eleven days later, on August 2, 2026, the obligations that Code was written to help with become enforceable anyway — whether a company signed or not. Article 50 disclosure requirements for chatbots and deepfakes go live, and the AI Office’s supervisory and fining powers over general-purpose AI providers activate. Fines reach €15 million or 3% of global annual turnover, whichever is greater. Most enterprise AI programs currently treat compliance as a project with a deadline. This one doesn’t have a deadline anymore. It has a start date.
There’s a genuine amount of confusion circulating about which date matters and why, largely because two unrelated EU processes are landing in the same news cycle. It’s worth separating them, because they point enterprises toward very different actions.
Two dates, two different clocks
The first clock is the Code of Practice on Transparency of AI-Generated Content, and it closes July 22. Signing isn’t mandatory, but it isn’t free to skip either: signatories get a presumption of conformity with the transparency rules, which shifts the burden of proof onto regulators to show non-compliance rather than onto the company to prove compliance. Enterprises deploying assistive AI at scale — chat interfaces, generative content tools, customer-facing copilots — have a real decision to make here about whether that presumption is worth the commitment.
The second clock, and the one that actually matters regardless of what anyone signs, is Article 50, enforceable August 2, 2026. It requires that anyone deploying a chatbot or similar conversational AI disclose “you are talking to an AI” at the start of the interaction, in plain and accessible language, and that synthetic or deepfake content be labeled as such. This isn’t a footnote requirement. It touches every customer-facing assistive AI deployment an enterprise runs, and the general penalty ceiling under Article 99 — that same €15 million or 3% of global turnover — applies to non-compliance. The same date activates the AI Office’s supervisory and fining authority over general-purpose AI (GPAI) model providers. GPAI providers have technically been obligated since August 2025; what changes August 2 is that Brussels can now actually enforce it, and models released before that original date get until August 2027 to fully catch up. See the Commission’s own GPAI provider guidelines for the underlying obligations.
A third, entirely separate development has muddied the water further. The Digital Omnibus, which received final Council approval on June 29, 2026, defers high-risk AI system obligations out to December 2027. That’s a real and meaningful delay — but it applies to a different category of the Act. It does nothing to the Article 50 disclosure requirement or the GPAI enforcement powers landing August 2. If your compliance plan assumes the Omnibus bought you more runway on chatbot disclosure, it didn’t. Worth reading the actual Council press release rather than the secondhand summary making the rounds, because conflating these two threads is exactly how enterprises end up caught flat-footed on the wrong deadline.
Why “we’ll handle it before August 2” is the wrong plan
The instinct in a lot of legal and compliance teams right now is to treat this as a sprint: audit the chatbots, add a disclosure banner, check the box, move on. That instinct misses what regulators are actually going to ask for, which isn’t a banner — it’s evidence. Evidence that disclosure happened consistently, across every deployment, every time, not just on the interfaces someone remembered to check. Evidence that synthetic content got labeled before it shipped, not after a complaint. Evidence that policy enforcement is a standing, monitored practice rather than a one-time remediation before a known date. A disclosure banner added in July satisfies an audit that happens in July. It does not satisfy the audit that happens in October, after the banner quietly disappeared during a redesign nobody flagged.
This is the structural problem with treating AI governance as a bolt-on project instead of an operating discipline. Enterprises running dozens of chatbots, copilots, and AI-enabled tools across departments can’t manually audit each one before a deadline and call it done — new tools get added, existing ones get reconfigured, and shadow AI keeps showing up in places IT never approved. Our own research into shadow AI statistics shows just how much AI usage exists entirely outside sanctioned channels, which means it’s also outside whatever disclosure and labeling controls a compliance team thinks they’ve implemented. You can’t put a disclosure banner on a tool you don’t know is running.
What actually holds up under regulatory scrutiny is a standing measurement layer — one that knows what AI tools are in use, whether disclosure requirements are being met at the point of interaction, and can produce an audit trail on demand instead of reconstructing one under pressure. This is precisely the gap Olakai was built to close. Olakai Assistive gives enterprises visibility into every chatbot, copilot, and employee-facing AI tool in use — including the shadow AI that never went through procurement — with governance and DLP controls built in as a Key Feature, not an afterthought. For engineering organizations, Olakai Agentic extends the same governance discipline to autonomous agents and AI coding tools, where disclosure and audit obligations are increasingly following the same logic as chatbot transparency rules. Both products are part of a single, vendor-neutral Enterprise AI Intelligence Platform, which matters here specifically because Article 50 and GPAI enforcement don’t stop at your own tooling — they extend to the vendor chain. If a third-party model provider embedded in your stack can’t demonstrate compliance, that exposure becomes yours too, and a governance approach that only covers tools your team built directly will miss it.
What CISOs should actually be doing this month
For security and compliance leaders, the practical sequence is straightforward even if the underlying work isn’t trivial. First, get a real inventory of every AI interface employees or customers touch, sanctioned and unsanctioned, because Article 50 doesn’t care whether IT approved the tool. Second, decide on the Code of Practice question before July 22 — sign for the presumption of conformity, or accept the higher evidentiary bar of proving compliance without it. Third, and most important, stop treating August 2 as a finish line. It’s the day enforcement starts, not the day the work ends; disclosure and labeling have to be continuously monitored and continuously provable, month over month, not demonstrated once and forgotten. Our CISO governance checklist walks through the broader set of controls this requires, and our CISO use case page covers how policy enforcement and audit-ready evidence get built into day-to-day operations rather than bolted on before a deadline.
The enterprises that treat August 2 as a governance maturity milestone — not a scramble — will be the ones who can answer a regulator’s questions in minutes instead of weeks. The ones still assembling their evidence trail after the fact will find that a banner slapped on in July doesn’t hold up to an audit in Q4. If your AI governance is still a spreadsheet and a promise, now is the time to change that.
