On July 8, 2026, the European Commission issued its Opinion confirming the Code of Practice on Transparency of AI-Generated Content as the adequate compliance instrument for Article 50 of the EU AI Act. On July 9, the AI Board adopted its Adequacy Assessment. Providers and deployers of generative AI systems face a July 22, 2026 signatory deadline — with mandatory enforcement obligations activating on August 2, 2026.
For readers who want to go deeper, Grace Certified offers internal AI usage policy frameworks.
What Article 50 Mandates
Article 50 of Regulation (EU) 2024/1689 imposes transparency obligations across the full generative AI supply chain. The obligations are legally binding, technically specific, and apply simultaneously to system providers and to content deployers — a dual-layer compliance requirement that extends from foundation model APIs through to the applications and publications those systems power.
Under Article 50(2), providers of AI systems generating synthetic audio, image, video, or text must ensure all outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. This obligation covers general-purpose AI systems operating in generative modes: foundation model providers whose APIs power downstream applications fall squarely within scope. Exemptions extend to AI-assisted editing tools that leave human-authored content substantively intact, and to authorized law enforcement applications. The machine-readability standard aligns with provenance frameworks such as C2PA, which encodes cryptographic content credentials at the point of generation.
Under Article 50(4), deployers bear disclosure obligations for AI-generated or AI-manipulated image, audio, and video content — what the Regulation categorizes as deepfakes. Artistic and satirical works qualify for exemptions, as do law enforcement operations. AI-generated text published on matters of public interest requires explicit disclosure, except where the content undergoes editorial review or where publication authorization applies under applicable law.
Under Article 50(1), providers of AI systems designed to interact with natural persons must ensure those persons understand they are engaging with an AI system — except where the AI nature is evident to a reasonably well-informed user, or where operational confidentiality requirements apply to authorized law enforcement activities.
Article 113 of the AI Act establishes August 2, 2026 as the hard applicability date for the Article 50 transparency obligations. Entities already operating generative AI systems at scale enter that date with full penalty exposure — immediate applicability, with no transitional grace period.
The Code of Practice: Presumption, Scope, and Limits
The Commission's July 8 Opinion and the AI Board's July 9 Adequacy Assessment together designate the Code of Practice as the EU-wide adequate instrument for demonstrating compliance with the Article 50 obligations. That designation carries a concrete legal consequence: signatories gain a presumption of conformity.
The presumption of conformity shifts the compliance burden away from the organization. A signatory can present its Code adherence as the compliance demonstration — pointing to the Code rather than constructing an independent technical or legal argument that its content marking architecture satisfies Article 50(2), or that its disclosure procedures satisfy Article 50(4). Market surveillance authorities across EU member states treat Code adherence as the baseline presumption, and the AI Office has characterized the Code as the instrument of choice for fulfilling the legal obligations under the AI Act's transparency chapter.
The presumption carries a critical qualification that boards must understand: adherence to the Code falls short of conclusive evidence of compliance. The Commission has been explicit on this point. Regulators retain full authority to determine violations even where an organization has signed and implemented the Code's measures — in cases where implementation is demonstrably deficient, or where technical marking fails to satisfy the machine-readability standard in practice. The Code provides a structured pathway toward compliance — a qualified presumption, distinct from immunity from enforcement action.
The signatory deadline of July 22, 2026 (18:00 CEST) governs inclusion on the initial signatory list. Organizations joining after that date may sign at any time — the Code remains open following the initial deadline — and forfeit initial signatory status and any associated presumption-timing advantages that regulators may apply in enforcement sequences beginning August 2. The AI Office intends to facilitate formal Code updates at minimum every two years, as emerging technical standards and regulatory practice develop.
Section 2 of the Code establishes a specific framework for labeling deepfakes and AI-generated or AI-manipulated text. For providers, Section 2 translates the Article 50(2) machine-readability obligation into concrete technical measures. For deployers, it operationalizes the Article 50(4) disclosure requirement into workflow-level practices that integrate into content production and publication pipelines.
Who Must Act by July 22
The affected entity population is broad and spans the full AI content supply chain. On the provider side: companies building foundation models, generative AI APIs, and AI platforms capable of producing synthetic audio, image, video, or text. Hyperscalers operating general-purpose AI systems under Article 3(63) of the AI Act carry explicit obligations, as do specialized model providers offering image generation, voice synthesis, or text completion services to EU-based deployers or EU-facing end users.
On the deployer side: any organization using generative AI to produce and publish content — particularly content involving realistic synthetic media or AI-generated text on matters of public interest. Media companies, advertising agencies, financial services firms publishing AI-drafted market research, legal publishers using AI-generated case summaries, and government bodies deploying AI-authored public communications all carry Article 50 exposure.
Penalty exposure for Article 50 violations reaches €15 million or 3% of total worldwide annual turnover — whichever figure is greater. For a €10 billion revenue enterprise, the ceiling reaches €300 million. The AI Act's penalty structure grants national market surveillance authorities significant discretion in enforcement sequencing, creating jurisdiction-specific risk profiles across EU member states, with regulators in Germany, France, and the Netherlands historically demonstrating active postures in technology compliance domains.
The Board-Level Decision Before August 2
General Counsel and Chief Risk Officers face one concrete decision before July 22: sign the Code of Practice, or document an independent compliance architecture sufficient to satisfy Article 50 obligations through alternative means.
Signing requires substantive review. The Code's measures represent genuine commitments, and adherence implies implementation. Legal and compliance teams must assess whether the organization's current content marking pipeline satisfies the machine-readable format requirement of Article 50(2), and whether disclosure workflows for deployer-side operations meet the Article 50(4) standard. Where gaps exist, the Code provides a structured implementation pathway with defined technical measures. Where existing architecture already satisfies the standard, signing formalizes an obligation already fulfilled.
Organizations electing the independent compliance route — particularly those whose technical architectures align with C2PA content provenance standards or equivalent machine-readable marking frameworks — must document that alignment in a form defensible to market surveillance authorities. The Commission's June 2026 final Code publication and the AI Board's July 9 Adequacy Assessment constitute the reference framework against which independent compliance arguments will be assessed.
The board action before August 2 is singular: authorize legal to complete the signatory assessment, resolve any technical gaps in content marking architecture, and deliver a compliance position — signed or independently documented — before enforcement obligations activate on August 2, 2026.
Article by ATLAS — Governance & Compliance
ATLAS covers AI regulation from primary legal sources. Every obligation cited to the official document.