With a voluntary code and a hard deadline.
Covered unlabelled deepfakes and AI-generated public-interest content are about to become a compliance risk in Europe. The European Commission published the final Code of Practice on marking and labelling of AI-generated content on June 10, a voluntary playbook arriving roughly seven weeks before the AI Act’s transparency obligations begin applying on August 2, 2026.
The code, drafted by six independent experts through a process the Commission said involved more than 187 participants, provides providers and deployers of generative AI systems with a practical route to compliance with Article 50 of the AI Act. From August 2, deepfakes must be clearly labeled, as must AI-generated or AI-manipulated text published to inform the public on matters of public interest, subject to exemptions that include text under human review and editorial responsibility. People must also be told when they are interacting with an AI system such as a chatbot. Article 50 is not a blanket labelling mandate for everything touched by AI: the obligations attach to defined categories of covered content and defined actors, leaving most routine AI-assisted work product outside their reach.
“Europeans have a right to know whether what they see, hear or read has been made or altered by AI, especially when such content can shape public debate,” said Henna Virkkunen, the Commission’s executive vice-president for tech sovereignty, security and democracy, in a statement accompanying the release. “Transparency is how we protect trust.”
What the code asks of AI providers
Section 1 of the code addresses providers of generative AI systems, who must ensure under Article 50(2) that outputs in audio, image, video and text formats are marked in a machine-readable way and detectable as artificially generated or manipulated. The AI Act requires that technical solutions be “effective, interoperable, robust and reliable as far as technically feasible.”
According to the code text as quoted in an analysis by the International Press Telecommunications Council (IPTC), the standards body for the news industry, signatories will rely on two core marking mechanisms: digitally signed metadata, recorded in a secure and tamper-evident manner, and imperceptible watermarking embedded in the content itself. A third mechanism, fingerprinting or logging against a registry database, is optional. Brendan Quinn, the IPTC’s managing director, wrote in the June 10 analysis that the signed-metadata requirements align in practice with the C2PA provenance standard, which in his reading is the only current technology meeting the code’s criteria, even though the code does not name it.
Signatories also commit to preserving existing provenance markings when content passes through their systems, to writing metadata-stripping prohibitions into their terms and conditions, and to making detection tools available to the public at no cost in at least one form, whether an open specification, downloadable software or a cloud service accessible through an API. Providers that sign must implement an interoperability solution for their detection mechanisms by Feb. 2, 2027, according to the code text quoted by the IPTC, so that the public is not forced to query each provider’s system individually.
Labeling duties and a new set of EU icons
Section 2 covers deployers, defined under the AI Act as any organisation using an AI system under its authority for professional purposes. Article 50(4) requires deployers to disclose two categories of content: deepfakes, meaning AI-generated or manipulated images, audio or video that resemble real persons, objects, places, entities or events and would falsely appear authentic, and AI-generated text published to inform the public on matters of public interest.
To support those disclosures, the AI Office released a set of EU labelling icons alongside the code: a basic icon, a “fully AI-generated” variant and a “partially AI-modified” variant, each available in four visual treatments. The Commission said the icons underwent user testing, which found comprehension improved when the icon appeared with a short text label such as “modified.” Use of the icons is optional, and the Commission said displaying an icon does not by itself establish legal compliance.
The disclosure rules carry exceptions. Deepfake content that is evidently artistic, satirical or fictional triggers only a lighter disclosure duty that must not spoil enjoyment of the work. Content authorised by law for detecting or prosecuting criminal offences is exempt. And AI-generated text escapes the labelling requirement when it has undergone human review or editorial control and a natural or legal person assumes editorial responsibility for its publication.
Voluntary code, mandatory obligations
Adherence to the code is voluntary, but the obligations it implements are not. Non-compliance with Article 50 exposes providers and deployers to administrative fines of up to 15 million euros or three per cent of total worldwide annual turnover, whichever is higher, under Article 99 of the AI Act. For small and medium-sized enterprises, the lower of the two figures applies.
The code is now open for signature, with providers and deployers signing the relevant chapter through a form submitted to the AI Office. Once the Commission and the AI Board complete an adequacy assessment, signing offers companies a recognised way to demonstrate compliance, and the Commission said future enforcement will focus on monitoring adherence to the code, giving signatories greater predictability and legal certainty. Parallel guidelines clarifying the scope of the legal obligations, drafted for consultation on May 8, are expected in final form ahead of August 2.
The code did not arrive without friction. During drafting, creative-industry stakeholders said the text fell short of addressing the risks generative content poses to their sector, and smaller developers worried about the cost of building marking and detection capabilities, according to an analysis of the first draft by law firm Ashurst.
Timing carries more nuance than the headline deadline suggests. Current Commission guidance treats August 2, 2026, as the operative date, with AI systems placed on the market before that date benefiting from a transitional compliance period running until December 2, 2026, according to the Commission’s published questions and answers on the code. Separately, the provisional Digital Omnibus agreement reached by European Parliament and Council negotiators in May 2026 could postpone the Article 50(2) marking obligations, but only once formally enacted, according to reporting by the Brussels-based outlet Eunews. Compliance teams should plan against the August 2 date and treat any extension as found time.
Why service and software providers should pay attention
For cybersecurity, information governance and eDiscovery providers, the code lands on both sides of the business. Companies that embed generative AI in their platforms, from document summarisation to chat-based review assistants, may qualify as providers or deployers of generative AI systems when serving EU markets, and the marking expectations will flow into product roadmaps, procurement questionnaires and client contracts. Vendors should expect customers to ask whether AI-generated work product carries machine-readable provenance markings and whether those markings survive export, processing and production workflows.
The code also creates an evidentiary opportunity. Digitally signed, tamper-evident provenance metadata is precisely the kind of artefact that authentication disputes in litigation turn on, and discovery teams that preserve C2PA-style manifests during collection will be better positioned when a court asks whether an image, recording or document is what it purports to be. Information governance programs, for their part, will need retention and handling policies that treat AI-transparency metadata as a record component rather than digital debris to be scrubbed. Security teams gain a new verification signal as well: free, API-accessible detection services from major AI providers offer a practical check against deepfake-enabled fraud, from synthetic executive voices to fabricated documents.
Different stakes for marketing teams and newsrooms
Marketing organisations face a narrower but real exposure. Routine AI-assisted ad copy is generally outside Article 50(4)’s text rule, which targets publications informing the public on matters of public interest. But synthetic spokespeople, AI-altered product imagery depicting real places or persons, and AI-driven chatbots all sit squarely within the disclosure framework, and the EU icons give brand teams a ready-made vocabulary for labelling.
News organisations received the clearest carve-out and the sharpest warning at once. Text that passes through human review and carries editorial responsibility is exempt from labelling, a structure that rewards traditional editorial process. Fully automated outputs, including AI-generated news summaries, are listed by the Commission among the use cases for the “fully AI-generated” icon. Quinn wrote that the code’s detection commitments will let third-party validators build automated tools to check whether media originated from an AI system even after metadata has been stripped, a capability fact-checkers currently lack.
As of June 2026, the signature window is open and the August deadline remains the operative date under current Commission guidance. The practical question for every organisation touching AI-generated content in Europe is no longer whether to label, but how, and whose mark readers, regulators and courts will trust.
As AI-generated content becomes easier to produce and harder to verify, the organisations best prepared for Europe’s transparency rules will be those that can label, detect and preserve provenance information before regulators, clients or courts ask for it.
Read the complete article at Europe’s AI labelling rules arrive with a voluntary code and a hard deadline.
Photo: Dreamstime.