The Final Code of Practice on AI Content Marking Is Here — What's Actually In It

On June 10, 2026, the European Commission published the final Code of Practice on marking and labelling of AI-generated content. It had been working through draft stages since late 2025, and the final text landed with just under two months to spare before the Article 50 transparency obligations become enforceable on August 2.

If you build or deploy generative AI that serves EU users, this is the most concrete guidance you're going to get on what "mark your AI content" actually means in practice. Here's what's in it and what to do about it.

What the Code of Practice actually is

The Code of Practice is a set of practical, agreed-upon measures that help providers and deployers of generative AI meet the transparency obligations in Article 50 of the EU AI Act. Think of it as the bridge between the law (which says "mark AI content in a machine-readable way") and your engineering backlog (which needs to know how).

It was developed through a multi-stakeholder process — AI providers, civil society, academics, and the AI Office — across three drafts. The final version is the one that counts.

Voluntary — but it matters

Here's the part people get wrong: the Code is voluntary. You are not legally required to sign it. But signing it is the single cleanest way to demonstrate you're acting in good faith to comply with Article 50.

The mechanism mirrors how the GPAI Code of Practice works. If you adhere to the Code, regulators treat that as evidence you're meeting your obligations. If you don't, you have to prove compliance some other way — and when enforcement starts, "we did our own thing" is a much harder conversation than "we follow the Commission's own Code."

Section 1: marking and detection (providers)

The Code is split into two sections by who they apply to. Section 1 is for providers of generative AI systems — the companies that build the models and tools that produce synthetic content.

This section operationalises Article 50(2): the requirement that outputs of generative AI (audio, image, video, and text) be marked in a machine-readable format and be detectable as artificially generated or manipulated. The approach is layered rather than relying on any single technique:

• Machine-readable metadata. Provenance information embedded in the content following recognised standards (the C2PA / Content Credentials family for images and media is the obvious reference point).
• Watermarking. Markers embedded into the content signal itself, designed to survive ordinary processing — so the signal isn't lost the moment someone screenshots or re-encodes it.
• Detection and verification. Providers are expected to support ways for the markings to be read back and verified, not just written.

The reason for the layered approach is simple: any single marker can be stripped. Metadata gets removed when a file is re-saved. Watermarks can degrade. Using more than one method means the signal is more likely to survive real-world use — which is the actual legal test. A marking that a casual user destroys by accident doesn't do its job.

Section 2: labelling (deployers)

Section 2 is for deployers— the companies that use generative AI to produce and publish content. This is the part that catches a much wider audience, because you don't have to build AI models to be a deployer. If you use generative AI in your business, this is probably you.

It covers two Article 50 obligations:

• Deepfake labelling (Article 50(4)). If you generate or manipulate image, audio, or video content that resembles real people, objects, places, or events and could falsely appear authentic, you must disclose that it's artificially generated.
• Public-interest text. AI-generated or AI-manipulated text published to inform the public on matters of public interest must be labelled as such — unless it's gone through human review with editorial responsibility.

And running underneath both sections is the obligation most people already know: when someone interacts with an AI system like a chatbot, they have to be told they're dealing with AI.

Should you sign it?

For most companies building or deploying generative AI for the EU market, yes — and here's the honest reasoning. You have to comply with Article 50 either way. The Code is the Commission's own blueprint for how to do that. Signing it converts an open-ended "are we doing enough?" question into a defined checklist you can actually complete and point to.

The case for notsigning is narrow: if your marking approach is genuinely more rigorous than the Code, or if you have specific technical constraints that the Code doesn't accommodate, you might document your own compliance instead. But for the 90% of companies who just want to know what to build and move on, the Code is the answer.

What to do before August 2

• Figure out if you're a provider, deployer, or both. It determines which section applies. Most SaaS companies using a foundation model are deployers; if you fine-tune or build your own generative models, you're also a provider. See our deployer vs provider guide.
• Inventory your generative AI outputs. Every place your product generates text, images, audio, or video that an EU user sees. That's your labelling surface.
• Add interaction disclosures now. Chatbot and assistant disclosures are the easiest piece and have no grace period. Our chatbot disclosure guide has copy you can use.
• Plan your marking for synthetic media. Metadata plus watermarking. If you use a third-party model, check what marking the provider already applies and what you need to add on top.
• Build the human-review carve-out into text workflows so you're not labelling everything by default.

One important nuance: the machine-readable marking requirement (Article 50(2)) has a grace period for systems already on the market — but the disclosure obligations do not. People are badly misreading what that grace period covers, so we wrote a separate breakdown of the grace period — read it before you assume you have until December.