
EU AI Act Article 50: a Decision Framework for the Countdown
· Mahdi Kazempour, Founder, Original Pictures
Definition: An Article 50 decision framework is a structured way to determine your obligations: whether you are a provider or deployer, which deadline applies, and which marking layers to implement first.
TL;DR: Answer four questions: are you a provider or deployer; is your system already on the EU market; what share of output is in scope; and which layers do you have. New systems must comply from 2 August 2026; legacy systems may have until 2 December 2026 under the provisional Digital Omnibus, which is not yet adopted.
Question 1: provider or deployer?
If you place a generative system on the EU market, you are a provider under Article 50(2) and must mark output machine-readably. If you use such a system to publish deepfakes, you are a deployer under Article 50(4) and must disclose. Many platforms are both. Decide this first, because it sets which obligation drives your build.
Question 2: what is your deadline?
A system not yet on the EU market has no grace and must comply from 2 August 2026. A legacy system already on the market may have until 2 December 2026 under the 7 May 2026 provisional Digital Omnibus agreement. That agreement is not yet formally adopted, so plan for August and treat December as a contingency that could revert.
Question 3: what is in scope?
Identify the share of your output that is synthetic and reaches the EU. For most generation platforms that is all of it. For mixed pipelines, scope the AI-generated portion and mark at the boundary where it is produced.
Question 4: what do you build?
The Code of Practice second draft points to three layers: signed metadata, an imperceptible watermark, and fingerprint recovery. If you have none, the fastest path is one signing call that attaches all three. If you have some, fill the gaps. Document the posture, because authorities will ask what you did and when.
FAQ
Is the December grace period safe to rely on?
No. It depends on formal adoption of the Digital Omnibus before 2 August 2026. If adoption slips, the original date can revert. Plan for August.
Does the Code of Practice bind me?
It is voluntary, but signatory status is likely to function as a presumption of compliance, shifting the burden to non-signatories.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: Decide provider versus deployer, fix your real deadline as August, scope your in-scope output, and implement the three marking layers now. Treat the December grace as conditional, not granted.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.