The EU AI Act and your AI-built website: what actually applies
If an AI wrote your marketing site, which parts of the AI Act reach you? A calm walk through the risk tiers, the Article 50 transparency rules, the deadlines, and the myths that deserve to be retired.
Somewhere between the AI Act being adopted and its transparency rules taking effect, a genre of advice emerged claiming that every AI-generated paragraph on the internet will soon need a warning label. If you used ChatGPT, Lovable or Bolt to build your company's website, that genre is aimed squarely at your anxiety. Most of it is wrong, and the parts that are right are narrower than they sound.
This piece separates what the regulation actually asks of someone publishing an AI-built marketing site from what it asks of the AI industry. One caveat before anything else: this is general information written by a hosting provider, not legal advice, and if your situation involves regulated sectors, high-stakes content or real doubt, a lawyer who has read your specifics beats any blog post, including this one.
What the Act regulates, and what it does not
The AI Act is a product regulation for AI systems. It sorts them by risk: a short list of prohibited practices, a heavily regulated high-risk category covering things like biometric identification and AI in hiring or credit decisions, a transparency tier for systems that interact with people or generate content, and a minimal-risk remainder with no new obligations at all.
Notice what is absent from that list: websites. A static site is not an AI system, however it was written. The HTML your code generator produced is output, and the Act attaches obligations to systems and to the people who provide or deploy them, not to artifacts those systems leave behind. So the first-order answer for most readers is that your website as such is not regulated by the AI Act, in the same way a document is not regulated by rules about word processors.
Where you do appear in the Act's vocabulary is as a deployer: someone using an AI system professionally. The heavy deployer duties sit in the high-risk category, and building a marketing site with a chatbot's help does not put you there. What can reach a website publisher is one specific article in the transparency tier, so that is where the real analysis lives.
The timeline, briefly
The Act entered into force on 1 August 2024 and applies in stages. The bans on prohibited practices and the AI literacy requirement arrived on 2 February 2025. Obligations for general-purpose model providers followed on 2 August 2025. The bulk of the regulation, including the transparency rules discussed below, applies from 2 August 2026. One adjustment worth knowing: under the omnibus package provisionally agreed in May 2026, generative systems already on the market before that August date get until 2 December 2026 to meet the machine-readable marking requirement. Penalties for transparency violations can reach 15 million euro or 3 percent of worldwide turnover, which explains the volume of the commentary, if not always its accuracy.
Article 50: who must disclose what
Article 50 is the piece that touches AI-generated content, and it splits duties between two roles.
Providers carry the marking duty. The companies behind generative systems must ensure outputs are marked as artificially generated in a machine-readable way. That engineering burden belongs to the toolmakers, not to you. You do not owe anyone watermarks on your HTML.
Deployers carry two disclosure duties, both narrow. The first covers deepfakes: if you publish AI-generated or manipulated images, audio or video depicting real people, places or events in a way that could deceive, you must disclose the manipulation. The second covers text, and its wording does the heavy lifting: disclosure is required when AI-generated text is published to inform the public on matters of public interest, and even then the duty falls away where the content has undergone human review and a person or company holds editorial responsibility for it.
Read that against a normal business website. Product descriptions, service pages, a company story and pricing copy are commercial communication, not reporting on matters of public interest, and Commission-adjacent guidance has been consistent that ordinary advertising does not fall in that category. And on top of that, if you read and approved your pages before publishing, and your company stands behind them, you have human review and editorial responsibility anyway. Note that the review is expected to be substantive: someone actually vetting the content, not a spell-check and a shrug. For the standard AI-built marketing site, the honest conclusion is that no labelling obligation applies.
The edge cases that are real
Narrow is not the same as empty. A few configurations genuinely trigger obligations:
- A chatbot on your site. People interacting with an AI system must be able to know they are. If you embed an assistant, make it identifiable as one rather than dressing it as a human agent.
- Synthetic people presented as real. AI-generated testimonials with invented customers, or a generated video of a recognisable person saying things they never said, run into the deepfake disclosure duty, and into consumer protection law that predates the AI Act by decades.
- News-shaped content. If your content marketing crosses from promotion into informing the public on public-interest topics, health or finance being the classic examples, the text disclosure question becomes live, and the human-review exemption becomes worth documenting rather than assuming.
- AI features beyond the website. The moment your business deploys AI for decisions about people, you are in a different part of the Act entirely, and this post stops being relevant.
Also worth a line: the AI literacy provision, in force since February 2025, expects organisations using AI systems to ensure staff operate them with adequate understanding. For a small team publishing AI-built pages, that is less a compliance project than a reason to know roughly what this post covers.
The compliance surface you already had
Here is the practical irony: for a marketing site, the AI Act changes little, while GDPR governs it today. The form collecting visitor emails, the analytics script logging IPs, the jurisdiction of every processor in the chain, all of that applies with full force regardless of who or what wrote the HTML. Publishers worried about European regulation get more protection per hour from auditing those layers than from re-reading Article 50. That audit is laid out in data sovereignty for AI-built websites, and the operational side, review before publishing and reversibility after, in deploying AI-generated frontends to production in the EU.
Hosting choice is part of that older, realer compliance story. VibeDeploy runs AI-built sites on EU infrastructure operated by Serso BV in Belgium, with a public DPA, built-in forms and first-party analytics, flat plans from 15 euro on the pricing page, and deploy paths made for AI workflows, from a dragged-in folder at deploy localhost to production to guides for ChatGPT and Claude artifacts.
Guidance under the Act is still settling; a Code of Practice on transparency went through drafts into 2026 and interpretations will sharpen. But the shape is clear enough to retire the panic. Publish honestly, review what you publish, disclose your chatbot, fabricate no humans, and keep your data layers in order. The AI Act was written for systems that decide things about people. Your website, thankfully, just says things.
Ship your AI-built site in minutes
VibeDeploy hosts your AI-built websites in the EU with custom domains, automatic SSL, and a free tier that gets you online today.
Related reading
v0 and Bolt output, shipped to production in Europe
Code generators end at a preview or an export. This piece maps what v0 and Bolt actually hand you, how each output type becomes a static build, and what turning that build into a production site on EU infrastructure involves.
How to choose an EU hosting provider for AI-generated websites
A buyer's guide for the decision your AI tool skipped: which jurisdiction, which contract, which processor. Four criteria and a set of written questions that separate real EU hosting from an EU-flavoured checkbox.
Data sovereignty for AI-built websites: what EU hosting actually changes
An AI tool picked your infrastructure for you. Here is what data sovereignty means for an AI-generated site, which layers of the stack carry jurisdiction, and how to keep all of them inside the EU.