
EU AI Act Article 50: How to Mark AI-Generated Content by 2 August 2026
Definition: EU AI Act Article 50 imposes transparency duties on providers and deployers of generative AI, requiring synthetic outputs to be marked in a machine-readable format and detectable as artificially generated, with penalties reaching EUR15 million or 3% of worldwide annual turnover.
TL;DR: Article 50(2) requires providers to mark AI outputs machine-readably from 2 August 2026; legacy systems may get to 2 December 2026 under the provisional Digital Omnibus agreement of 7 May 2026. Article 50(4) requires deployers to disclose deepfakes. The Code of Practice second draft expects layered marking: signed metadata, an invisible watermark, and fingerprint recovery.
What exactly does Article 50 require?
Two sub-articles drive the market. Article 50(2) tells providers that outputs of generative AI "shall be marked in a machine-readable format and detectable as artificially generated or manipulated." That reaches anyone placing a generative system on the EU market. Article 50(4) tells deployers who publish deepfakes to disclose them. The penalty sits in Article 99(4): up to EUR15 million or 3% of worldwide turnover. A Series-B platform at EUR50M revenue faces EUR1.5M of exposure per violation.
What is the 7 May 2026 grandfather?
The Commission proposed a six-month grace for legacy systems; Parliament's March mandate compressed it; the 7 May 2026 provisional trilogue split the difference at four months, to 2 December 2026. Two cautions: a system not yet on the EU market gets no grace and must comply from 2 August 2026, and the agreement is provisional, so plan for August and treat any extension as contingency.
What does machine-readable actually mean?
The Act is deliberately technology-neutral, but the 5 March 2026 second-draft Code of Practice is explicit about the credible baseline: digitally signed metadata, imperceptible watermarking robust to compression and crop, and fingerprint logging that recovers provenance when the first two are stripped. No single technique meets all four criteria of effective, interoperable, robust, and reliable. That layered architecture is exactly what Original Pictures delivers.
Who is liable, provider or deployer?
The provider places the system on the market and must mark at the source. The deployer uses it under their authority and must disclose deepfakes at first exposure. A platform can be both. The safest posture is to mark everything at the API boundary and let downstream customers decide whether to preserve or augment the mark.
What should you do before August 2026?
From late May 2026 there are about ten weeks. Audit which outputs are in scope, sign at the model boundary, add a watermark layer, anchor the audit trail, and get legal review of the disclosure UX. The Original Pictures API collapses the engineering window to days: one POST /v1/sign with a disclosure flag returns a marked asset carrying all three Code of Practice layers.
The incident behind this
Romania's Constitutional Court annulled the first round of its presidential election on 6 December 2024 after a coordinated TikTok influencer campaign. The European Commission opened DSA proceedings against TikTok on 17 December 2024 (IP/24/6051). Sources: Atlantic Council, Romanian Constitutional Court, EU Commission.
Implementation
curl -X POST https://api.originalpictures.com/v1/sign \ -H "Authorization: Bearer $OP_KEY" \ -F "[email protected]" \ -F 'assertions={"c2pa.created":{"actions":[{"action":"c2pa.ai_generated","softwareAgent":"sdxl-1.0"}]}}' \ -F "disclosure=art50.2" \ -F "watermark=trustmark" \ -F "anchor=true"
Regulatory mapping
| Regime | Effective | Bite | Why it applies |
|---|---|---|---|
| EU AI Act Art. 50(2) | 2 Aug 2026 (legacy 2 Dec 2026) | EUR15M or 3% | Provider marking obligation |
| EU AI Act Art. 50(4) | 2 Aug 2026 | EUR15M or 3% | Deployer deepfake disclosure |
| EU Code of Practice | 2nd draft, 5 Mar 2026 | Voluntary benchmark | Multi-layer marking expectation |
| Digital Omnibus | Provisional, 7 May 2026 | N/A | Legacy grace period |
FAQ
Is the Code of Practice legally binding?
No, it is formally voluntary. But authorities are likely to treat signatory status as a rebuttable presumption of compliance, leaving non-signatories to prove their alternative meets the four criteria.
Does C2PA satisfy Article 50?
C2PA is not named in the Act, which is technology-neutral, but the Code of Practice working group treats it as the reference. A C2PA manifest with an ai_generated assertion, a watermark layer, and timestamping is the strongest available evidence of marking.
What if my system was on the EU market before 2 August 2026?
Under the provisional Digital Omnibus you may have until 2 December 2026. The agreement is not yet adopted, so plan for August.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: Article 50 is a countdown, not a future risk. Mark outputs at the model boundary, watermark them, anchor the audit trail, and document the posture before regulators ask.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.