EU AI Act Unpacked #33: The final Code of Practice on Transparency of AI-generated content
The final Code of Practice on transparency of AI-Generated Content (final Code) was published on 10 June 2026, following a first draft published in December 2025 and a second draft published in March 2026. The final Code provides updated guidance on Article 50 AI Act integrating written feedback from multiple stakeholders on both earlier drafts, and is expected to set the tone for compliance with Article 50 AI Act across the EU. Below, we outline the most notable changes in the final Code to the previous drafts.
The final Code strikes a mixed balance: it steps back from certain prescriptions in the first draft, while at the same time offering greater granularity on technical requirements and concrete marking labels.
Main changes to provider obligations
The first section of the final Code addresses the provider obligations set out under Articles 50 (2) and (5) AI Act. It now clearly separates mandatory from voluntary measures and tempers down some of the obligations set out in the first draft.
- Multi-layered marking of AI-generated Content: The first draft required a multi-layered approach to marking but left the specifics undefined. The final Code clarifies that this multi-layered approach applies where a single marking technique cannot, under the state of the art, ensure on its own compliance with the four requirements of effectiveness, interoperability, robustness and reliability. In practice, this requires at least two layers of machine-readable marking to fulfil the obligations under Article 50(2). The final Code also introduces two exceptions where a single layer suffices: where a generative AI system is embedded in a closed, technically controlled physical product, and for free-form text, which cannot transport metadata. For text, it adds a concrete threshold: watermarking must be applied to free-form text longer than 200 tokens, while "very short text" (under 200 tokens) need not be watermarked.
- Further details on marking techniques: The final Code sets out more prescriptive requirements for marking techniques. Metadata must be digitally signed and time-stamped in a secure and tamper-evident manner. Notably, the publicly readable watermark for audio, image and video content - which the second draft treated as a standalone mandatory requirement - has been softened: it now appears within the interoperability measure as one of several options (see below). Fingerprinting and internal logging are framed as optional supplementary measures, while the first draft required them "where necessary." The model-level marking requirements are softened.
- Requirements for marking and detection techniques: The final Code develops the requirements of effectiveness, interoperability, robustness and reliability. Most notably, it hardens the interoperability obligation. While digitally signed metadata is already covered by existing standards, the final Code requires providers to make their watermark detection mechanisms interoperable by 2 February 2027. Providers can satisfy this through one of four defined options: (i) a publicly available industry-standard access method (API) routing detection queries to the relevant mechanism; (ii) a publicly readable "signpost" embedded in the content indicating which detection solution to use; (iii) a shared, provider-agnostic detection solution operated by a consortium of signatories (open to others, including SMEs); or (iv) another solution achieving comparable interoperability. The aim is to enable verification of content without having to run each provider's detector in turn.
- Detection of the marking of AI-generated content: Under the final Code, providers must continue to make available a detection solution for content generated or manipulated by their AI system, and the relevant interfaces or tools must be hosted within the EU or be locally implementable and comply with EU data protection law. The detection solution must in principle be free of charge. However, the final Code introduces a new carve-out: providers of generative AI systems with fewer than 1,000,000 monthly users, whose detection solution incurs substantial operational costs, may charge a reasonable, fair and proportionate fee where a single user's requests exceed a reasonable volume. Free access without volume restrictions is always guaranteed to market surveillance authorities, regulators, law enforcement, media, fact-checkers, trusted flaggers, independent researchers, and civil society organisations.
Main changes to deployer obligations
The second section of the Code addresses the deployer obligations set out under Articles 50 (4) and (5) AI Act. It has been substantially restructured compared to the first draft, moving away from a taxonomy-based approach and towards more detailed design and placement rules for disclosure labels and icons.
- Disclosure of AI-generated and manipulated content: The first draft required deployers to classify deepfakes and AI-generated or manipulated published text using a common taxonomy, distinguishing between "fully AI-generated" and "AI-assisted" content, ultimately by means of a common EU icon. The final Code removes this common taxonomy and instead focuses on detailed design and placement requirements for icons, labels and disclaimers, without distinguishing between AI assisted and fully AI generated content for marking purposes. Crucially, the EU icon is now finalised: the final Code provides three ready-to-use EU icons - one for fully AI-generated content, one for AI-modified content, and a basic icon to be supplemented with an interactive second layer. These icons were validated through empirical user testing across several Member States, which showed that variants including an explicit text label (e.g. "modified") performed significantly better in terms of noticeability and clarity. Use of the EU icon remains voluntary, as deployers may use an equivalent icon or label that meets the design and placement specifications.
- Structured design and placement rules: The final Code largely carries forward the obligations from the second draft, but restructures the deployer disclosure requirements into a clearer two-tier framework. It first sets out a set of overarching principles for placement that apply across all content modalities and contexts - for example, that the icon or label must be placed so as to ensure immediate recognition without requiring user interaction, remain visible for a sufficient duration, be directly embedded into the content (unless equivalent alternatives are available), and be clearly perceivable at the latest at the time of first exposure. These principles are then supplemented by additional, modality-specific specifications, distinguishing in particular between cases where visual disclosure is possible (e.g. images, video, published text) and where it is not (e.g. audio-only content, requiring an audible disclaimer).
- Sectoral good practices: The final Code newly invites signatories and their associations to jointly establish common good practices for their sector or industry, provided these are fully aligned with the Code and made publicly available online. This gives deployers flexibility to tailor disclosure practices to sector specificities.
- Internal processes: The final Code requires deployers to adopt proportionate internal processes, awareness and literacy measures, and review and feedback mechanisms for the labelling of deepfakes and text publications (Commitment 2). These build on the measures set out already in the first draft. Accessibility is no longer a standalone commitment but is integrated across the other commitments, with more detailed accessibility requirements embedded directly into the design specifications.
- Human review of text and artistic content: Compared to the first draft, the provisions on potential exceptions to the marking obligations (e.g. human review and artistic content) are now elevated to standalone commitments. For human review, the final Code clarifies that deployers must identify the person holding editorial responsibility and document the organisational measures ensuring adequate review, but expressly need not to record individual instances of human review for each text publication.
Next steps
Although the Code is now final, the Commission is preparing additional guidance on Article 50. It has recently published draft Guidelines on Article 50, which were open for consultation until 3 June 2026, with the final version expected just before Article 50 becomes applicable. Originally, the transparency obligations were scheduled to apply from 2 August 2026. However, the recently agreed upon Digital Omnibus Regulation alters this timeline: the provider obligations set out in Article 50 (2) AI Act will only apply from 2 December 2026 for AI systems that have been placed on the market before 2 August 2026, introducing a four-month transitional period allowing providers to adapt their practices. Under the final agreement, deployer obligations under Article 50 (4) AI Act are not subject to the same deferral. Notably, this creates a staggered timeline: while deployer obligations start on 2 August 2026, the Digital Omnibus defers the provider obligations under Article 50(2) AI Act to 2 December 2026, and the Code's interoperability obligation for watermark detection only bites on 2 February 2027.
