What if the chatbot on my website was built by a third-party vendor?

Using a vendor's tool does not automatically transfer compliance responsibility to the vendor. The EU AI Act distinguishes between providers (companies that develop AI systems) and deployers (companies that use AI systems in customer-facing applications). Most businesses using third-party chatbot platforms are deployers, and deployers carry obligations under Article 50. Review your vendor agreement to confirm whether the vendor's system already presents the required disclosure to users, and which party the agreement assigns responsibility to for ensuring users are informed. If your agreement does not address this, work with the vendor and your legal counsel to close that gap before August 2.

What does the disclosure actually have to say?

Article 50 requires that users are clearly informed they are interacting with an AI system, at the latest at the time of the first interaction. The disclosure must be clear and distinguishable, but the law does not prescribe specific wording. The European Commission has published draft guidelines on the implementation of Article 50 transparency obligations to give providers and deployers more practical direction. In general, a clear, simple statement at the start of the interaction, such as informing users they are speaking with an AI assistant, is the direction the guidance points toward. The obligation applies unless it is obvious from context that the user is interacting with an AI rather than a person.

AI Governance

The EU AI Act's first major business deadline is August 2. Here is what small and medium businesses need to understand before then.

Most business owners who have heard of the EU AI Act assume it is a problem for large technology companies, not small and medium businesses. Many also heard that EU AI compliance deadlines got pushed back. Both assumptions are partly wrong. On August 2, 2026, Article 50 of the EU AI Act takes effect. This section covers transparency obligations, and it applies to any organization, regardless of size or location, that operates an AI-powered chatbot or produces AI-generated content that EU residents can access. The delayed obligations are real. High-risk AI system requirements, which cover areas like employment decisions and biometric screening, have been postponed under the EU's Digital Omnibus proposal. Most of those obligations will not apply until December 2027 at the earliest. But the chatbot disclosure rules were not delayed. They apply August 2. Five weeks is not much time if your business needs to update customer-facing systems, review vendor contracts, or add disclosure language to existing tools.

By Fabio Rabelo · Founder, ATLACIS · June 28, 2026

Book a Call See How It Works

What August 2 actually requires

Article 50 of the EU AI Act establishes four categories of transparency obligation. Not all four apply equally to every business. The most relevant for small and medium businesses are these three. First, chatbot and AI interaction disclosure. Any AI system designed to interact directly with people must clearly inform users that they are communicating with an AI, not a human. This disclosure must happen at the start of the first interaction, in a clear and distinguishable way, not buried in terms of service or fine print. If your business uses an AI chatbot for customer service, sales support, website chat, appointment booking, or any other customer-facing conversation, EU users must be informed they are talking to AI before the conversation proceeds. Second, AI-generated content labeling. If your business deploys AI to create or manipulate images, audio, video, or text and publishes that content publicly, disclosure obligations apply. For deployers, the requirement covers AI-generated deepfakes and AI-generated text published to inform the public on matters of public interest. These rules apply from August 2. Third, the machine-readable marking requirement. Providers of generative AI systems must technically mark outputs as AI-generated. For systems already on the market before August 2, there is a transitional window to December 2, 2026. For new generative AI systems launched after August 2, the marking obligation applies immediately. What is not required on August 2: the stricter obligations for high-risk AI systems, including documentation, conformity assessments, and quality management systems, have been postponed under the EU's Digital Omnibus proposal. Those take effect December 2027 at the earliest. If your business uses AI in employment decisions, credit evaluation, or other high-stakes applications, that work is important, but August 2 is not the relevant deadline for that category.

Who this actually applies to

The EU AI Act has extraterritorial reach. It applies to any organization that offers AI-enabled products or services in the EU market, regardless of where that organization is based. US companies are not exempt. The practical question is: can EU residents access your AI-powered tools or AI-generated content? If you operate an e-commerce site, a SaaS product, a professional services platform, or any other digital presence with AI-powered features, and EU residents can reach it, you are likely in scope for the transparency obligations. The obligations apply to two types of actors. Providers are the companies that develop and supply AI systems. Deployers are the companies that put those systems to use in customer-facing applications. For most small and medium businesses, the relevant role is deployer. That means even if you are using a third-party chatbot tool built by a vendor, you as the deployer may carry responsibility for ensuring EU users receive the required disclosure. The Act does not have an SMB exemption for Article 50 obligations. Scope is determined by whether you operate AI-powered tools that EU residents interact with, not by your company size.

What business owners often misunderstand about the delay

The most common misunderstanding is conflating the high-risk AI delay with a general EU AI Act delay. Media coverage has focused on the postponement of high-risk AI system requirements under the Digital Omnibus agreement, reached on May 7, 2026 between the European Parliament and the Council. That coverage is accurate. The detailed obligations for high-risk AI systems in employment, biometrics, credit, and infrastructure were originally due August 2, 2026, and they have been pushed back. But Article 50 transparency obligations are not high-risk system requirements. They sit in a separate part of the Act, and the delay provisions in the Digital Omnibus do not extend to them. Multiple law firm compliance alerts published in June 2026, including from Sidley Austin and Latham and Watkins, confirm that chatbot disclosure obligations apply from August 2 without delay. The second misunderstanding is about what triggers the obligation. The disclosure requirement does not depend on whether your AI tool is sophisticated. A basic automated response system that holds text conversations with users may qualify as an AI system designed to interact with natural persons under the Act. If EU users cannot immediately tell from context that they are talking to software, the disclosure is required. The third misunderstanding concerns penalties. Violations of Article 50 can result in fines of up to 15 million euros or 3 percent of total worldwide annual turnover, whichever is higher. These are not numbers reserved for large enterprises. A company with 2 million euros in annual revenue faces a potential 60,000 euro penalty for a transparency violation. Whether enforcement actions target smaller companies first is a separate question, but the legal exposure is real from day one.

What a serious business should do before August 2

Five weeks is not long. The starting point is an honest assessment of scope. The first question is whether your business serves EU customers or whether EU residents can access your digital products or services. If the answer is genuinely no, and you have no EU-facing presence, the August 2 obligations do not apply. That is a legitimate answer, but confirm it rather than assume it. If the answer is yes or uncertain, the next questions are straightforward. Do any customer-facing interactions use AI, including chatbots, automated assistants, AI-powered search, or any system that responds to users in conversation format? Does your business publish AI-generated content that EU users can access, including marketing materials, product descriptions, or informational content produced using generative AI tools? For each yes: does the current system or content already include a clear, upfront disclosure that AI is involved? Adding chatbot disclosure is usually not technically complex. It is often a matter of updating the chatbot configuration to show a disclosure message at the start of conversations, or reviewing the settings of a third-party tool to confirm disclosure is active. The harder task is confirming who holds responsibility when AI tools are provided by a third party. If you use a vendor's chatbot platform on your website, the vendor agreement may or may not address EU AI Act compliance. Review the agreement to confirm whether the vendor's system already meets the disclosure requirements and which party bears responsibility for ensuring users are informed. If the contract is silent on this, that is a gap worth closing before August 2, not after. For businesses with any uncertainty about their scope or obligations, the right step is to work with a qualified legal advisor who can assess the specific situation. This post provides business awareness, not legal advice.

The Atlacis view

The EU AI Act is often framed as a large-company concern. The practical experience of August 2 is going to be different. Many small and medium businesses use AI chatbots, AI customer service tools, or AI-generated content without having thought carefully about what that means for their EU-facing operations. The transparency obligations under Article 50 are not the most complex part of the EU AI Act. But they are the first part that requires real action by real businesses, and the window is five weeks. The pattern we see with business owners and AI compliance is the same as with data privacy: the owners who handle it well are the ones who understood their exposure before the deadline, not the ones who scrambled after. The practical work here is manageable for most businesses. Map which AI tools interact with EU customers. Confirm that those tools include the required disclosures at the start of interactions. Review vendor agreements to understand who is responsible for compliance. For most businesses with a modest EU presence, this is a week of focused effort, not a months-long compliance project. What makes it harder is starting at week four instead of week one. The time to understand your AI exposure is before the deadline, not after. At Atlacis, we help business owners understand where their AI exposure is, including regulatory exposure, before it becomes a compliance problem. If you are not certain whether August 2 applies to your business, or which AI tools are in scope, that question is worth resolving now.

The short version

Article 50 of the EU AI Act imposes transparency obligations that take effect on August 2, 2026. The most immediate requirement is that AI chatbots and AI interaction systems must clearly disclose to EU users that they are interacting with AI, at the start of the first conversation.
The high-risk AI system obligations have been delayed to December 2027 or later under the EU Digital Omnibus proposal. The chatbot disclosure rules in Article 50 were not delayed and apply August 2.
The EU AI Act applies to any organization offering AI-enabled products or services in the EU market, including US companies with EU-facing websites, apps, or customer interactions. Location of incorporation is not the determining factor.
Businesses using third-party AI tools are responsible as deployers for ensuring EU users receive the required disclosures. Vendor agreements should specify who holds the compliance obligation.
Fines for Article 50 violations can reach 15 million euros or 3 percent of total worldwide annual turnover, whichever is higher. This exposure applies to businesses of any size operating in scope.
The practical starting point is three questions: do EU residents interact with AI-powered systems in your business, does your business publish AI-generated content that EU users access, and do your current systems already include the required disclosures?

Where ATLACIS can help

Sources

Tags:EU AI ActAI governanceAI complianceAI transparencychatbot disclosureAI regulationbusiness AIAI riskdata privacyAI vendor decisions

FAQ

Common questions

Does the EU AI Act apply to a US business with no European office?: Yes, if the business offers AI-enabled products or services to EU residents. The EU AI Act has extraterritorial reach similar to GDPR. Having a European office is not the relevant test. The relevant test is whether EU residents can access your AI-powered tools or AI-generated content. If your website, app, or digital service is accessible to EU users and includes AI-powered interactions or AI-generated content, the transparency obligations may apply regardless of where your business is incorporated or operated.
What if the chatbot on my website was built by a third-party vendor?: Using a vendor's tool does not automatically transfer compliance responsibility to the vendor. The EU AI Act distinguishes between providers (companies that develop AI systems) and deployers (companies that use AI systems in customer-facing applications). Most businesses using third-party chatbot platforms are deployers, and deployers carry obligations under Article 50. Review your vendor agreement to confirm whether the vendor's system already presents the required disclosure to users, and which party the agreement assigns responsibility to for ensuring users are informed. If your agreement does not address this, work with the vendor and your legal counsel to close that gap before August 2.
What does the disclosure actually have to say?: Article 50 requires that users are clearly informed they are interacting with an AI system, at the latest at the time of the first interaction. The disclosure must be clear and distinguishable, but the law does not prescribe specific wording. The European Commission has published draft guidelines on the implementation of Article 50 transparency obligations to give providers and deployers more practical direction. In general, a clear, simple statement at the start of the interaction, such as informing users they are speaking with an AI assistant, is the direction the guidance points toward. The obligation applies unless it is obvious from context that the user is interacting with an AI rather than a person.

Keep reading

More from the blog

Samsung banned ChatGPT in 2023 after employees leaked code. Three years later they are deploying AI to every employee. Here is the governance lesson.

In 2023, Samsung employees uploaded proprietary semiconductor code and internal meeting notes to ChatGPT. Samsung banned all generative AI tools. Three years later, the company announced one of OpenAI's largest ever enterprise deployments. The arc between those two decisions is the governance lesson most business owners have not finished drawing.

Your employees are already using AI you did not approve

Nearly half of employees use AI tools their employer never sanctioned, and most share sensitive data when they do. The real AI question is not what to buy next. It is what is already running inside your business.

IBM surveyed 1,000 executives on AI vendor risk. 91 percent do not know what they depend on. Here is what that means for your business.

A June 2026 IBM Institute for Business Value study found that 91 percent of senior executives do not fully understand their AI dependencies. The research puts a profit number on that gap. The lesson is not to buy more AI. It is to understand what you already depend on.

Make better AI decisions, starting with one call.

Book a free AI Fit Call. We will tell you what to use, what to avoid, and where to start. No jargon, no pressure.

Book a Call See How It Works