A Deadline With a Manual Attached
Regulation tends to arrive as obligation first and instruction later, which is what makes the European Commission's June 10 publication worth marking on the calendar. With the AI Act's transparency rules set to apply from August 2, 2026, the Commission has now released the final Code of Practice on marking and labelling AI-generated content, a document whose entire purpose is to translate a legal requirement into operational steps. The Code is voluntary, but that word should not be mistaken for optional. It exists to help providers and deployers demonstrate that they are meeting the binding obligations in Article 50, and signing up to it is the cleanest available path to showing a regulator good faith.
We read the timing as deliberate and, frankly, considerate. Enterprises have spent months asking what compliant labelling actually looks like in production, and the honest answer until now has been that nobody was entirely sure. By shipping the Code with roughly two months of runway before the rules apply, Brussels has given engineering and legal teams a concrete reference rather than leaving them to guess at the regulator's expectations. That is a meaningful improvement over the all too common pattern of obligations landing with no implementation guidance, and it gives compliance leaders something specific to build against.
What Article 50 Actually Requires
The substance sits in Article 50 of the AI Act, which splits the burden between two roles. Providers of generative AI systems must mark AI-generated or manipulated content in a machine-readable format, the kind of embedded signal that other software can detect even when a human cannot. Deployers, meaning the organizations and professionals who put those systems to use, carry a different duty: they must clearly label deepfakes and AI-generated or AI-manipulated text published on matters of public interest, and they must inform people when they are interacting with an AI system such as a chatbot. The split acknowledges that responsibility for disclosure is shared along the value chain.
This division is more consequential than it first appears. A model provider can embed a watermark, but it cannot control how a downstream marketing team, newsroom, or political campaign uses the output. Conversely, a deployer cannot retrofit machine-readable provenance into content that arrived without it. The Code therefore tries to make the handshake between these roles workable, so that a signal created at the point of generation survives long enough to support a disclosure at the point of publication. Whether that chain holds in messy real world workflows, where content is copied, edited, and stripped of metadata, is the question that will determine if the regime has teeth.
The Machine-Readable Marking Problem
Machine-readable marking is the most technically fraught requirement in the package, and it is where we expect the most friction. Watermarking text remains an unsolved problem at scale, since signals embedded in language are fragile and easily destroyed by paraphrasing, translation, or a simple copy and paste into a different application. Cryptographic provenance standards for images and video are further along, but they depend on an ecosystem of tools that preserve rather than discard the metadata, and most of the internet's plumbing was not built to honor that contract. The Code can specify what a good marking looks like, but it cannot by itself force every platform and editor to respect it.
The deepfake provisions sharpen the stakes. Labelling synthetic media on matters of public interest is precisely the use case where bad actors have the strongest incentive to remove the label, and the law's reach over a malicious anonymous publisher is limited. We therefore see the transparency regime as most effective against the legitimate middle of the market, the enterprises, agencies, and publishers who want to comply and simply need clarity on how. For that audience the Code is genuinely useful. Against determined manipulators it will function more as a forensic and liability framework than a preventive one, which is a realistic outcome rather than a failure.
Why Enterprises Should Care Beyond Europe
The instinct to treat this as a narrowly European concern is a mistake we would urge leaders to resist. The AI Act applies to systems placed on the EU market regardless of where the provider sits, which means a US or Asian company serving European users inherits these obligations whether or not it has a single employee on the continent. We have watched this dynamic before with data protection, where a European rule became the de facto global baseline because building two versions of a product is more expensive than building one compliant version. AI content labelling is on the same trajectory, and the pragmatic move is to design for the strictest regime and apply it everywhere.
There is also a competitive and trust dimension that runs deeper than compliance. As synthetic content saturates every channel, the ability to prove that a given piece of media is authentic, or to disclose cleanly when it is not, becomes a feature customers and regulators reward. Enterprises that treat labelling as a checkbox will do the minimum and move on. Those that treat provenance as part of their brand integrity will build the tooling once, wire it through their content pipelines, and turn a regulatory cost into a credibility asset. The Code of Practice is the moment to decide which kind of organization you intend to be.
An Unfinished Map for the Agentic Era
For all its usefulness, the Code lands against an awkward backdrop: the AI Act was not written with autonomous agents in mind, and the gap is widening. Transparency rules built around a person prompting a model and publishing the result strain when the actor is software that generates, edits, and distributes content with no human in the immediate loop. Who labels the output of an agent acting on a vague instruction. How does disclosure work when a chain of agents produces a final artifact, each adding a layer. The Code addresses the world as it was specified, not the agentic world that is arriving, and that mismatch will have to be closed.
We expect this to be the first iteration rather than the last word. The transparency obligations apply from August, but the practical norms around them will be litigated, refined, and very likely amended as agents become the dominant mode of AI use inside the enterprise. For now, the right posture is to adopt the Code, build the marking and labelling machinery it describes, and stay close to how the guidance evolves. The organizations that engage early will help shape the standards that bind them, while those that wait will inherit rules written by others. In a domain moving this fast, presence at the table is its own form of compliance strategy.
