In June, the European Commission published the final version of the Code of Practice on Transparency of AI-Generated Content (Code). Its release nearly completes the largest part of the Commission’s broader effort to develop supporting documents aimed at facilitating compliance with the transparency obligations under Article 50 of the AI Act before those obligations take effect. The Code is an essential part of this work, alongside the Guidelines on the implementation of the transparency obligations (Guidelines) for certain AI systems, which are currently available only in draft form.

The Code was developed by independent experts in a multi-stakeholder process coordinated by the AI Office. Although it has now been published, the Commission and the AI Board must still assess it before it can serve as a formal compliance tool. Once endorsed, signatories may rely on their adherence to the Code to satisfy the relevant transparency obligations under the AI Act, thereby relieving them of the need to demonstrate compliance by other means. Adherence does not, however, affect other obligations under the AI Act, including those that apply to high-risk AI systems and general-purpose AI (GPAI) models.

When the Code goes into effect

Article 50 will become applicable on August 2, 2026. This means that providers and deployers within its scope will be required to comply with a range of transparency obligations from that date. However, the timeline remains uncertain for providers. If adopted, the proposed Omnibus package may extend the compliance deadline for providers already on the market from August 2, 2026, to December 2, 2026.

In addition to providers and deployers of generative AI systems, the Commission identifies other stakeholders that may consider signing the Code. These include providers of generative AI models, which enable the creation of synthetic content, and providers of marking and detection solutions that support content provenance, watermarking, and the identification of AI-generated or manipulated media. Therefore, the Code is open not only to the providers and deployers of AI systems subject to Article 50 obligations, but also to the actors that are not directly bound by them

Adherence to the Code should not be understood as a guarantee of compliance, as competent authorities will ultimately remain responsible for assessing whether the requirements of Article 50 have been met. Nevertheless, the Code is expected to serve as the main reference point for those assessments, while providers and deployers who choose not to sign will need to demonstrate compliance through other means and may face greater scrutiny.

In addition, the signing procedure allows for partial participation. The Code consists of two separate sections—one for providers and one for deployers—which may be signed independently. The Commission encourages stakeholders to submit the completed signatory form by 18:00 CET on July 22, 2026. Those who do will be included in the list of initial signatories, which will be published before the Article 50 obligations take effect. However, missing that deadline does not prevent stakeholders from joining the Code later.

What is in the Code

Before turning to the substance of the Code, it is important to understand how it differs from the Guidelines on the implementation of the transparency obligations for certain AI systems under Article 50 of the AI Act. While the Code is a voluntary compliance tool, the Guidelines serve an interpretative function, clarifying the scope of the legal obligations and addressing issues not covered by the Code.

The Code focuses specifically on provisions 50(2), 50(4), and 50(5), whereas the Guidelines clarify the full range of requirements set out in Article 50. Those provisions concern providers and deployers of AI systems that generate or manipulate synthetic content, including deepfakes, specifically content marking obligations for providers and labeling obligations for deployers. The Guidelines, by contrast, address other transparency obligations under Article 50 that apply to different categories of AI systems, including virtual assistants, automated telephone systems, AI agents and other systems that interact directly with individuals, as well as emotion recognition and biometric categorization systems.

Compared with the first draft of the Code, which I analyzed in January, the final version is considerably more detailed and operational. Whereas the initial draft focused on setting out the overall structure and commitments, the final text introduces more specific implementation measures and compliance expectations. Nevertheless, several aspects of the framework are still in progress and will likely require further clarification.

Obligations for providers

The Code establishes a comprehensive compliance framework for providers of AI systems that generate or manipulate synthetic audio, image, video, or text content (Article 50(2) and (5) AI Act). It does not prescribe a single technical solution for marking AI-generated content, as no single marking technique can currently meet all four requirements set out in Article 50(2) of the AI Act: effectiveness, interoperability, robustness, and reliability. Instead, providers are encouraged to implement layered transparency solutions that combine metadata, watermarking, content provenance mechanisms, and other tools. The focus is on whether the chosen approach can satisfactorily meet those requirements.

The framework is further built around four core commitments. First, providers are expected to implement machine-readable marking to identify AI-generated or manipulated content. Second, the Code requires providers to make detection mechanisms available so that users and relevant stakeholders can verify whether content has been generated or manipulated by AI. Third, it establishes quality requirements for marking and detection solutions – expecting providers to ensure that transparency measures are effective, reliable, robust, and interoperable across different systems and use cases. Finally, providers must establish and maintain documented compliance, cooperate on an ongoing basis with market surveillance authorities and contribute to broader efforts to advance technical standards and best practices for AI content transparency.

A notable feature of the Code is that it sets out how to meet the transparency obligations before common evaluation standards have fully emerged. In the absence of widely accepted benchmarks, providers will initially rely on internal testing methodologies and evolving industry practices to evaluate the effectiveness of their transparency measures. The Code places significant emphasis on further investment in technical solutions, standardization efforts, and industry cooperation.

Obligations for deployers

Section 2 establishes a framework for the labeling of deepfakes and AI-generated or AI-manipulated published text by deployers of AI systems (Article 50(4) and (5) AI Act). This part of the Code applies to two categories of deployers. Firstly, it covers those who deploy AI systems that generate or manipulate synthetic audio, image, or video content, including deepfakes. Secondly, it applies to those who deploy AI systems that generate or manipulate text intended for publication. Text generated or manipulated by AI does not qualify as a deepfake under the AI Act.

The Code establishes two core commitments for deployers. First, it provides a framework for disclosing deepfakes and AI-generated or manipulated text through a harmonized set of EU “AI” labels or an equivalent disclosure mechanism. The Code specifies both design and placement requirements, and an EU icon for visual disclosure is publicly available for use by every deployer. Deployers must ensure that disclosures are clear, accessible, and visible at the time of first exposure, encouraging platforms and other actors in the distribution chain to preserve those disclosures. Second, the Code encourages deployers to establish internal compliance processes and documentation, staff awareness and training, mechanisms for addressing missing or incorrect labels, and cooperation with market surveillance authorities.

In addition, the Code includes two qualifications that limit deployers' disclosure duty. It introduces a more flexible disclosure regime for artistic, creative, satirical, fictional, and similar works and implements the exemption in the AI Act for AI-generated or AI-assisted published text that has undergone human review or editorial control.

The Commission further recognizes that the current labeling framework is not a final solution but rather a starting point that will continue to evolve through the governance and standard-setting process. For example, there is no detailed guidance on what the flexible disclosure regime should look like for artistic, creative, satirical, and fictional works.

What is clarified by the guidelines

Although the Guidelines have not yet been finalized, stakeholders submitted their input by June 3; they may serve as a useful reference when interpreting the Code. A number of practical and legal questions remain unresolved, and the document provides helpful clarifications.

The Commission does not present the Guidelines as a final interpretation of Article 50. The Guidelines and the broader transparency framework are expected to evolve in light of technological developments, enforcement practice, stakeholder feedback, and future CJEU case law, meaning that further clarification can be expected over time.

The draft guidelines contain several important clarifications. Here, I focus on those that appear to be most relevant to understanding the practical application of the Code.

First, both providers and deployers fall within the scope of the AI Act even when established outside the EU, provided that the output of the AI system is used in the Union. At the same time, actors whose role is limited to hosting, transmitting, or disseminating AI-generated content created by third parties, including online platforms, are generally not considered deployers. Individuals who merely receive or are exposed to AI-generated content without controlling the use of the underlying AI system do not fall within the scope of these obligations, although they are encouraged to preserve existing markings and labels. Publicly disseminated deepfakes relating to matters of public interest may be subject to the disclosure obligations even if they are done by an individual who is not acting as a provider or deployer in a broader sense.

The Guidelines also clarify that the transparency obligations apply broadly to both AI-generated and AI-manipulated content, including content that combines human-created and AI-generated elements. Ordinary editing activities, such as spellchecking, grammar correction, quality improvements, or format conversion, generally fall outside the scope of Article 50.

With regard to deepfakes, the key question is whether the content would falsely appear authentic or truthful; not every AI-generated or AI-modified image, audio, or video constitutes a deepfake. AI-generated videos of politicians or celebrities, AI-generated voice clones, and AI-manipulated images portraying real people in fabricated situations will most likely qualify. By contrast, clearly fictional content that would not reasonably be perceived as authentic, such as talking animals or impossible imaginary scenes, generally falls outside the definition. Routine technical modifications, such as color correction, noise reduction, compression, or minor editing, will generally not trigger the disclosure obligation, although the assessment remains context-specific.

The Guidelines clarify the interaction between the AI Act and the Digital Services Act. Both address content moderation, but the actors differ. While the AI Act imposes labeling obligations on deployers of AI systems that generate or manipulate deepfakes, DSA imposes separate obligations on providers of very large online platforms (VLOPs) and search engines (VLOSEs) that disseminate such content. In practice, deployers may rely on labeling tools provided by VLOPs and VLOSEs to comply with their obligations under Article 50(4).

Overall, although the Guidelines provide valuable clarification, a number of important concepts remain subject to case-by-case assessment, including the distinction between deepfakes and ordinary editing, the scope of artistic and analogous works, and what constitutes an appropriate form of disclosure. As a result, some legal uncertainty is likely to remain until enforcement practice develops.

Will the Code be effective?

Compliance with the transparency obligations under Article 50 of the AI Act is mandatory. Adherence to the Code, however, remains voluntary. Providers and deployers within the scope of Articles 50(2), (4), and (5) can sign the relevant section of the Code, and once it is endorsed, they will be able to rely on it to demonstrate compliance with those obligations. At the same time, adherence to the Code does not eliminate other obligations under the AI Act. Providers and deployers remain responsible for complying with any other applicable requirements, including obligations relating to high-risk AI systems or GPAI models.

Given the substantial fines for non-compliance that are likely under Article 50 (up to EUR 15 million or 3% of worldwide annual turnover for undertakings), adherence to the Code will be an attractive option for many providers and deployers. The Code offers a structured framework that may simplify interactions with regulators and reduce the burden of demonstrating compliance on their own.

But despite its practical value, the Code leaves several important issues unresolved. Beyond the procedural caveats—that the guidelines have not yet been finalized and the code still requires endorsement—several key concepts rely on case-by-case assessments rather than clear criteria. These include the distinction between deepfakes and ordinary editing, the scope of artistic, creative, fictional, satirical, and analogous works, and what constitutes an appropriate form of disclosure in a given context.

In addition, the Code itself acknowledges the current technological limitations of AI content transparency tools. No single marking technology can meet all the requirements of Article 50. Forensic detection mechanisms are not yet considered reliable enough, and common evaluation benchmarks have yet to emerge. Finally, significant uncertainty remains regarding enforcement. While the Code provides a framework for demonstrating compliance, much will depend on how market surveillance authorities interpret and assess compliance in practice once the obligations take effect.