2 August 2026: the AI deployer checklist — what stays binding despite the Digital Omnibus

Many read the Digital Omnibus as "everything is delayed". Wrong: the transparency obligations under Article 50 of the AI Act apply from 2 August 2026 — and they bind deployers, not just providers. We separate deferred from binding, explain the provider/deployer distinction, and give you a checkable checklist.

Marius Gill

CTO @ Lokalaise

A dangerous misunderstanding is doing the rounds: that the Digital Omnibus "softened" the AI Act and bought everyone time. That holds for the high-risk obligations — but not for the transparency obligations. Those apply from 2 August 2026, and they bind not only providers but also deployers: every company that uses AI.

The deadline is only weeks away. This article cleanly separates what was deferred from what stays, clears up the often-confused distinction between provider and deployer, and gives you a checkable checklist. Up front, plainly: this is a professional briefing, not legal advice.

What the Digital Omnibus deferred — and what it didn't

On 7 May 2026, the Council and Parliament reached a provisional agreement on the Digital Omnibus, the first major amendment to the AI Act. It defers the high-risk obligations — but the transparency obligations under Article 50 stay on 2 August 2026. Equating "deferred" with "done" overlooks exactly the obligations that bite first.

| Obligation | Originally | Now | Status |
|---|---|---|---|
| Prohibited practices (Art. 5) | 2 Feb 2025 | 2 Feb 2025 | applies |
| AI literacy (Art. 4) | 2 Feb 2025 | 2 Feb 2025 | applies |
| GPAI obligations (Chapter V) | 2 Aug 2025 | 2 Aug 2025 | applies |
| Transparency (Art. 50) | 2 Aug 2026 | 2 Aug 2026 | applies, not deferred |
| High-risk, Annex III | 2 Aug 2026 | 2 Dec 2027 | deferred |
| High-risk, Annex I (embedded) | 2 Aug 2027 | 2 Aug 2028 | deferred |

Two caveats, in the interest of honesty. First, the Omnibus began as a provisional political agreement (7 May 2026); the European Parliament adopted the text on 16 June 2026, so only the Council's formal adoption and publication in the Official Journal remain (expected before 2 August 2026). Second, one detail does touch Article 50: the machine-readable marking of synthetic content by providers (Art. 50(2)) applies from 2 August 2026 in general; only generative AI systems already on the market before then get a four-month grace period to 2 December 2026. The other transparency obligations are unchanged.

Provider or deployer? The distinction decides

Under Article 3(4) of the AI Act, a deployer is any natural or legal person using an AI system professionally under its own authority. A provider is whoever develops it (or has it developed) and places it on the market under its own name. So most companies using a third-party AI tool are deployers — and carry their own obligations, independent of the provider.

Article 50 splits the duties along this line:

[Figure: Article 50 separates provider and deployer duties. Whoever adapts or rebrands a system can also become a provider.]

Important: anyone who substantially modifies, adapts or offers an AI system under their own name can additionally become a provider — and then carries both sets of duties.

The deployer duties under Article 50 — the checklist

For deployers, two paragraphs matter most — plus the rule on how disclosure must happen:

| If you, as a deployer, … | … then you must (Article 50) |
|---|---|
| use emotion recognition or biometric categorisation | inform the affected persons of its operation (50(3)) |
| generate or manipulate deepfakes (image, audio, video) | disclose that the content is AI-generated or -manipulated (50(4)) |
| publish AI text on matters of public interest | disclose the AI origin; exception: human review with editorial responsibility (50(4)) |
| make any of these disclosures | give it clearly and distinguishably, at the latest at first interaction or exposure (50(5)) |

The provider duties — flagging the AI interaction (50(1)) and machine-readable marking of synthetic content (50(2)) — apply on top if you provide systems yourself. To support labelling, the European Commission published a (voluntary) Code of Practice on marking AI-generated content on 10 June 2026. The Code is voluntary — the underlying Article 50 obligations are not.

What happens on a breach — and who checks?

Breaches of the transparency obligations can be fined up to EUR 15 million or 3% of total worldwide annual turnover under Article 99 of the AI Act, whichever is higher. In Germany the Bundesnetzagentur becomes the central market-surveillance authority: the Bundestag passed the implementing law (KI-MIG) on 11 June 2026; the final step in the legislative process is still pending. National supervision is getting its teeth just in time for the deadline.

How a local, auditable stack makes compliance easier

Transparency, labelling and traceability are not architectural accidents — they are a property. An AI stack that delivers sourced answers (every statement backed by a source) and logs every retrieval in an audit trail makes disclosure and documentation duties practically achievable, rather than something to reconstruct after the fact. That is exactly how Lokalaise is built: a grounded, permission-aware knowledge layer on your own hardware, with no external APIs — with traceable data flows you can actually evidence to a supervisor (see Security & data sovereignty).

This fits the wider sovereignty thread we described using the cloud criteria in "BSI C3A: when is a cloud truly sovereign?"; why uncontrolled AI use also gets expensive is covered in our piece on shadow AI. To be clear: Lokalaise is an enabler, not legal counsel. Which of your use cases fall under Article 50 is something to assess with your legal team; we provide the technical foundation.

Your next steps

Three questions create clarity fast — answer them for every AI use in your organization:

  1. Role: For this system, are you the deployer, the provider — or both?
  2. Trigger: Do you generate deepfakes or publish AI text on matters of public interest? Does the human-review exception apply?
  3. Evidence: Can you, if challenged, evidence disclosure, labelling and data flows?

Wherever you hesitate, it's worth a closer look. In a short demo we'll show how a local, auditable AI stack practically supports meeting the transparency obligations.

Frequently asked questions

Yes. The Digital Omnibus (provisional agreement of 7 May 2026) defers the high-risk obligations to December 2027 and August 2028 — but the transparency obligations under Article 50 of the AI Act stay on 2 August 2026. Note: the Omnibus is not yet final; the European Parliament adopted it on 16 June 2026, and only the Council's formal adoption and publication in the Official Journal remain.

Under Art. 3(4) of the AI Act, a deployer is any natural or legal person using an AI system professionally under its own authority. A provider is whoever develops and places a system on the market. Most companies using a third-party AI tool are deployers. Whoever adapts, rebrands or substantially modifies a system can also become a provider.

As a deployer you must label AI-generated or AI-edited text when it is published to inform the public on matters of public interest (Art. 50(4)). There is an important exception: where the content underwent human review and a person holds editorial responsibility. Purely internal use is not covered.

Breaches of the transparency obligations can be fined up to EUR 15 million or 3% of total worldwide annual turnover under Art. 99 of the AI Act — whichever is higher. In Germany the Bundesnetzagentur becomes the central market-surveillance authority; the Bundestag passed the implementing law (KI-MIG) on 11 June 2026.

Prohibited practices and AI literacy have applied since 2 February 2025, the obligations for general-purpose AI models (GPAI) since 2 August 2025. The transparency obligations under Art. 50 apply from 2 August 2026. The high-risk obligations were deferred by the Digital Omnibus to 2 December 2027 (Annex III) and 2 August 2028 (Annex I).

Indirectly, yes. Transparency, labelling and traceability are easier to evidence when answers are backed by sources and every data flow is documented in an audit trail — as with a local, grounded RAG stack. That is a technical foundation, not a substitute for a legal assessment of your specific use cases.

Conclusion

The Digital Omnibus defers the high-risk obligations — the transparency duties under Article 50 stay on 2 August 2026. Anyone using AI is a "deployer" and must label deepfakes and AI-generated text on matters of public interest, clearly and at the first interaction. Disclosure, labelling and traceability are easier when answers are sourced and data flows are documented. That is no substitute for legal advice — but it makes the obligations achievable.
