What is the difference between Article 13 and Article 26 transparency obligations?

Article 13 obliges the provider of a high-risk AI system to deliver instructions for use to the deployer. The recipient is the deployer; the artifact is documentation; the timing is before the system enters service. Article 26 obliges the deployer of a high-risk AI system to inform the natural persons subject to the system that an AI system is involved. The recipient is the affected natural person; the artifact is a notice; the timing is before the AI affects the person. The two articles operate on different recipients and at different points in the deployment lifecycle.

Does Article 50 horizontal disclosure apply to non-high-risk AI systems?

Yes. The Article 50 horizontal disclosures apply regardless of risk classification. A customer-service chatbot that interacts with natural persons has to disclose that it is an AI system even though the chatbot itself may not be classified as high-risk. The horizontal disclosures and the high-risk-specific Article 13 and Article 26 obligations stack: a high-risk AI system that interacts directly with natural persons has to satisfy both Article 50 (horizontal interaction disclosure) and Article 26 (high-risk end-user notice).

What format does an AI transparency disclosure have to take?

The EU AI Act does not prescribe a specific format. The obligation is that the disclosure be clear, accessible, and understandable. For Article 26 end-user notices, common patterns include a prominent label in the UI before the user submits the request, a written notice in the workflow's introduction, or a contractual disclosure for employment or credit applications. For Article 50 horizontal disclosures, the most common patterns are a label at the start of an AI chat session and a visible watermark on generated content. The audit record has to capture which pattern was used.

Are there penalties for failing to fire the required disclosure?

Yes. Article 99 of the EU AI Act sets administrative fines for non-compliance with the obligations of providers and deployers. The fines for non-compliance with transparency obligations under Articles 13, 26, and 50 are up to €15 million or 3% of total worldwide annual turnover, whichever is higher. The penalty exposure makes the audit evidence layer material: a deployer who cannot prove the disclosures fired for a specific set of affected persons may be liable for the entire affected population under a single inspection.

How does AI transparency disclosure interact with GDPR transparency obligations?

The GDPR's Articles 13 and 14 require controllers to inform data subjects about the processing of their personal data, including the existence of automated decision-making and meaningful information about the logic involved. The EU AI Act's Article 26 transparency obligation overlaps with the GDPR's automated-decision-making transparency but is broader: Article 26 applies whenever a natural person is subject to a high-risk AI system, regardless of whether the AI processes personal data under the GDPR's definition. In practice, controllers building AI deployments in the EU have to satisfy both regimes, with the EU AI Act adding requirements that go beyond what the GDPR alone required.

AI Transparency Disclosure: What EU AI Act Article 13 Requires from Providers and What Deployers Owe Their Users

AI transparency disclosure obligations under the EU AI Act run across three distinct layers. Article 13 requires providers of high-risk AI systems to deliver instructions for use that describe the system's intended purpose, characteristics, capabilities, limitations, human oversight measures, and expected lifetime to deployers before the system enters service. Article 26 extends the obligation: deployers have to inform natural persons that they are subject to an AI system before the AI affects them. Articles 50 through 53 cover the horizontal transparency obligations: labelling AI-generated content, disclosing AI interactions to users, and watermarking generated media. Each layer has a different recipient (deployer, end user, public) and a different artifact (instructions, notice, label).

The provider-to-deployer obligation is documentation. The deployer-to-end-user obligation is notification. The horizontal obligation is labelling. The three converge on the same evidentiary requirement: the disclosures actually fired, and there is a record proving it.

I want to walk through what each layer requires, where the operational evidence comes from, and how the per-decision audit record proves the disclosures executed.

Article 13: provider-to-deployer transparency

Article 13(1) sets the principle: high-risk AI systems shall be designed and developed in such a way as to ensure their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately. Article 13(2) requires the system to come with instructions for use in a digital or other appropriate form, including concise, complete, correct, and clear information that is relevant, accessible, and understandable to deployers.

Article 13(3) specifies the minimum content of the instructions for use. The list runs to nine items:

The identity and the contact details of the provider
The characteristics, capabilities, and limitations of the system's performance, including its intended purpose
The level of accuracy, including its metrics, resilience, and cybersecurity declared per Article 15, and any known and foreseeable circumstances that may impact the expected levels
Any known or foreseeable circumstances that may lead to risks to health and safety, fundamental rights, or discrimination
Where applicable, the technical capabilities and characteristics of the AI system to provide information that is relevant to explain its output
The system's performance regarding specific persons or groups of persons on which the system is intended to be used
Specifications for the input data, or any other relevant information in terms of the training, validation, and testing data sets used
Where applicable, information to enable deployers to interpret the system's output and use it appropriately
Human oversight measures referred to in Article 14

The instructions for use are documentation. The system card concept (see AI system cards) is the operational format that captures these fields. Article 13 obliges the provider; the deployer relies on the documentation to satisfy its own obligations under Article 26 and Article 14.

Article 26: deployer-to-end-user transparency

Article 26(11) extends the transparency obligation to deployers. Where a deployer uses a high-risk AI system listed in Annex III, the deployer has to inform the natural persons subject to the AI system that they are subject to the use of the system. The information has to be provided in a clear and accessible way.

The article applies particularly to employment decisions, access to essential services, law enforcement, migration, and the administration of justice. A deployer using an AI system to screen job candidates has to tell the candidates that an AI system is involved in the screening. A deployer using AI in a credit-decision workflow has to tell the applicants. A deployer using AI in a healthcare-decision workflow has to tell the patients.

The Article 26 disclosure has to fire before the AI affects the natural person. Disclosure after the fact does not satisfy the obligation. The evidence question is whether the deployer can demonstrate, on inspection, that each affected person received the disclosure before the decision was communicated.

Articles 50 to 53: horizontal transparency obligations

Article 50 covers four categories of horizontal disclosure that apply regardless of risk classification.

The first category: providers ensuring that AI systems intended to interact directly with natural persons are designed in such a way that the natural persons concerned are informed that they are interacting with an AI system. The most common example is a customer-service chatbot. The disclosure has to be timed so the natural person knows before the interaction begins.

The second category: providers and deployers of AI systems generating synthetic audio, image, video, or text content have to ensure that the output is marked in a machine-readable format and detectable as artificially generated or manipulated. Watermarking standards under the EU AI Act follow the work of the C2PA (Coalition for Content Provenance and Authenticity) and similar initiatives.

The third category: deployers of an emotion-recognition system or a biometric categorisation system have to inform the natural persons exposed to it of the operation of the system. The disclosure has to be timed before the system runs.

The fourth category: deployers of AI systems that generate or manipulate image, audio, or video content constituting a deep fake have to disclose that the content has been artificially generated or manipulated. The disclosure is content-level; the user sees the label on the content itself.

The operational evidence for AI transparency disclosure

The per-decision audit record at the AI request layer is where the operational evidence sits. The record has to capture, for each request:

Whether a disclosure was required for this request (based on the use case classification)
Which disclosure category applied (Article 13 instructions reference, Article 26 end-user notice, Article 50 horizontal disclosure)
Whether the disclosure fired
The timestamp of the disclosure relative to the decision communication
The natural-person identity of the recipient (where present in the request context)
The medium of the disclosure (UI notification, document delivery, label embedded in content)

Standard application logging captures the model call and response. It does not capture the disclosure event. The gap is structural: the disclosure executes in the application's UI layer, while the model call executes in the application's service layer, and the application's log destinations for the two events are typically different.

The fix is to surface the disclosure event into the same audit record that captures the model call. The application emits a disclosure-fired event when the UI presents the notice; the gateway correlates the disclosure event with the model call by request ID; the per-decision audit record contains both halves.

Article 13, Article 26, and Article 12 convergence

The three articles converge on the same evidentiary requirement. Article 12 requires automatic logging of system operation. Article 13's instructions for use have to be referenced inside that log so a regulator can verify the deployer was operating the system according to the provider's stated parameters. Article 26's end-user disclosure has to be recorded inside the same log so a regulator can verify the disclosure fired.

The convergence point is the per-decision audit record. A single record that captures the policy state (including which Article 13 instructions version was in effect), the disclosure events (including which Article 26 notices fired and when), and the model call satisfies Article 12 and supports inspection under Article 13 and Article 26.

DeepInspect

DeepInspect captures the per-decision audit record at the gateway between authenticated users or agents and the model. The record includes the natural-person identity, the input classification, the policy version in effect at the moment of decision, the model called, and the outcome returned. The disclosure event correlation is supported: the application emits the disclosure-fired event with the same request ID that the gateway records, and the per-decision audit record carries both the disclosure timestamp and the model-call timestamp.

For the Article 13 instructions reference, the policy version captured in the audit record identifies which instructions-for-use version the system was operating under. For the Article 26 notice, the disclosure event in the record proves the notice fired before the decision communication. For the Article 50 horizontal disclosures, the per-decision record captures whether the disclosure category applied and whether it fired.

If your AI deployment has to demonstrate Article 13, Article 26, or Article 50 compliance on inspection, book a demo today.