Article 50 vs Article 52: which one binds your chatbot under the EU AI Act
The single most common confusion our reviewers see in intake calls: a SaaS founder believes Article 52 applies because they use GPT-4. Article 52 does not apply to them. Article 50 does. This piece settles the confusion, sticks to the Act's exact wording, and walks the four cases where Article 52 is genuinely relevant to a SaaS deployer.
What Article 50 actually says
Article 50 sits in Chapter IV (Transparency obligations for providers and deployers of certain AI systems). Four sub-clauses.
Article 50(1). Providers must ensure that natural persons interacting with an AI system are informed of that fact, unless obvious from the circumstances. Binds chatbots, voice agents, virtual assistants.
Article 50(2). Providers of AI systems generating synthetic content (text, image, audio, video) must mark outputs as artificially generated or manipulated in a machine-readable format. Binds image-generation tools, voice synthesizers, AI writers, deepfake services.
Article 50(3). Deployers of emotion-recognition or biometric-categorisation systems must inform exposed persons. Binds sentiment-analysis features visible to users, biometric clustering.
Article 50(4). Deployers of AI generating deepfakes must disclose. Deployers of AI generating text published to inform the public on matters of public interest must disclose.
All four sub-clauses bind SaaS deployers building user-facing features. Article 50 applies from 2 August 2026 under Article 113.
What Article 52 actually says
Article 52 sits in Chapter V (General-purpose AI models). It governs the classification and notification process for general-purpose AI models with systemic risk.
Specifically, Article 52 says: a GPAI model is presumed to have systemic risk when the cumulative compute used for training exceeds 10²⁵ floating-point operations. Providers of such models must notify the Commission within two weeks of meeting the threshold.
This binds OpenAI, Anthropic, Google, Meta, Mistral, and whoever ships frontier-scale foundation models. It does not bind a SaaS founder who calls those models through an API. The Act draws a clean line: providers ship the model; deployers integrate it into products.
If your SaaS does not train its own GPAI, Article 52 does not bind you. The article that binds you is Article 50.
Why founders confuse the two
Three reasons our reviewers observe.
1. The articles are adjacent. Article 50 and Article 52 are sequential in the Act's text and both reference GPAI. A first reading conflates them.
2. GPAI marketing reinforces the confusion. Posts from OpenAI, Anthropic, and others about their own Article 52 compliance use language like 'AI Act compliance' that founders interpret as transferring to them. It does not.
3. The cybersecurity / risk-management language in Article 55 sounds like it binds SaaS. Article 55 (obligations for GPAI providers with systemic risk) talks about adversarial-evaluation regimes and incident reporting. These are provider-side obligations. A SaaS deployer's read on Article 55 is: make sure your upstream provider is publishing their Article 53 disclosures, reference those in your model card, and move on.
When Article 52 does become relevant to a SaaS
Four cases. Our reviewers see them rarely but they exist.
1. The SaaS is also a GPAI provider. If a company ships an API where third parties call a foundation model the company trained, that company is a GPAI provider. Article 52 applies to the GPAI side; Article 50 still applies to any first-party deployment.
2. The SaaS fine-tunes a base model to a degree that crosses the substantial-modification line. Article 25 governs when a downstream modification creates a new provider. Heavy fine-tunes on substantial datasets can flip the SaaS from deployer to provider. Our reviewers walk this on intake when the customer reports fine-tuning.
3. The SaaS's procurement diligence requires evidence of upstream compliance. Enterprise buyers ask 'is the GPAI you use Article 52-classified?' The answer comes from the upstream provider's documentation; the SaaS references it.
4. The SaaS contracts with the EU public sector. Public-sector procurement frameworks are starting to require evidence that the SaaS's upstream GPAI is published and notified per Article 52. Again, the answer comes from upstream; the SaaS references it.
What our reviewers recommend
Default for a SaaS deployer:
Step 1: assume Article 50 binds you. Implement transparency disclosures on every AI surface in your product.
Step 2: in your model card per AI feature, reference your upstream GPAI provider's Article 53 disclosures by URL. This satisfies the deployer-side acknowledgement of the upstream's compliance.
Step 3: do not claim Article 52 applies to you, and do not claim Article 55 applies to you, unless you actually meet the conditions in Section 4 above (the four cases where Article 52 becomes relevant to a SaaS). Misclassifying yourself as a GPAI provider creates obligations you do not have and does not protect you from anything.
Our practice's audit includes the Article 50 implementation pack and a model card per feature that references upstream Article 53 status. If the customer is in one of the Section 4 edge cases, the lead reviewer flags it on intake and the audit scope adjusts.
Frequently asked questions
Does using OpenAI's enterprise plan affect this?
No. The plan you buy from OpenAI is a commercial relationship; it does not change your classification under the Act. You remain a deployer; OpenAI remains the GPAI provider.
What about white-labeled GPAI services?
Some upstream providers offer white-label arrangements where you ship the model under your brand. Read the contract: if you remain the customer of the GPAI provider, you are a deployer. If you take on the GPAI provider's obligations under contract, you may inherit some of them. Our lead reviewer will read the contract during the audit if you flag it on intake.
Can I run Llama locally and avoid all this?
Self-hosting a model does not move you out of deployer status. You are still placing an AI system on the market under your authority. Article 50 still binds you. Your read on Article 52 depends on whether the open-weights model you run was trained with compute above the 10²⁵ FLOP threshold. Llama 3 family models cross that line.
Is there an Article 52 exemption for small SaaS?
Article 52 has no SME exemption because it does not apply to SaaS deployers in the first place. The deployer-side obligations under Article 50 do apply to small SaaS, but our policy reviewers' read is that proportionality under Article 99(5) cushions penalties for SMEs.
What if the upstream provider is non-compliant?
Their non-compliance is enforced against them. Your deployer-side obligations under Article 50 remain on you. The practical risk: if your upstream is unable to ship Article 53 disclosures, your model card cannot reference them, which surfaces in your own audit. Our lead reviewer would flag this as a procurement risk and a reason to diversify upstream providers.
Last updated: 2026-06-09