Transparency of AI-Generated Content – EU Publishes Code of Practice

After consulting on two previous drafts in the last six months, the Commission published its Code of Practice on Transparency of AI-Generated Content (Code) on 10 June 2026. 

The Code is intended to support signatories’ compliance with the transparency obligations relating to AI-generated or manipulated content (AI Content) under the AI Act (Act).  Those rules require providers of AI systems to ensure that certain AI Content is marked or otherwise machine-detectable as AI-generated or manipulated, and require deployers of such systems to disclose where “deep fake” content and certain text has been artificially generated or manipulated. Taken together, such requirements of the Act should, in theory, help users to understand which content has been touched by AI, and which hasn’t.  

Background

The Code was drafted iteratively by a range of stakeholders who replied to a public call (with drafts published in December 2025 and March 2026 – see our blog), drawing on input from a wide spectrum of perspectives, including from academic experts, generative AI system providers and very large online platforms (VLOPs). Their drafting process considered responses to the public consultation from last September, as well as a number of expert studies commissioned by the AI Office on the current state of the art of technical solutions for marking and detecting AI Content. 

The publication of the Code comes shortly before the relevant provisions come into force on 2 August 2026, though providers of AI systems already on the market on this date are expected to benefit from a 4-month grace period to comply with their marking obligations (assuming that the Digital Omnibus is adopted in time - see our blog).

The Code is split into two parts (summarised below), each containing commitments, measures and (in some cases) sub-measures to illustrate how to comply with the relevant obligations. These are clearly signposted as mandatory (“will”), recommended (“encouraged”) or optional ("may”).

Section 1 - Providers

The first section of the Code guides providers of AI systems (including general purpose AI systems) on their obligations under the Act relating to the marking and detection of AI Content.

It includes a commitment to implement a system for AI outputs (i.e., audio, image, video or text content) to be marked in a machine-readable format, including digitally signed metadata and imperceptible watermarking. The Code generally requires signatories to implement a multi-layered approach to marking, given that no single technique currently ensures compliance with Article 50(2) for audio, images, video, and containerised text. 

The Code also encourages providers to implement measures that would facilitate downstream compliance by deployers with their obligations (see Section 2 below), including functionality that would allow deployers to be able to add visible watermarks to AI Content and to display labels and metadata.  So, for example, where a retail business uses third-party generative AI to produce a marketing campaign, it should be able readily to use tools from that provider to add watermarks to the campaign content. 

In terms of making outputs detectable as AI Content, signatories will need to provide detection mechanisms to relevant stakeholders (e.g., deployers, users, researchers) and present detection results clearly and accessibly. Notably, forensic detection mechanisms (that detect AI Content stripped of its marking) remain optional, as the Code notes that such mechanisms are not (yet) mature enough to meet the Act’s quality requirements. In most cases, these detection mechanisms need to be provided free of charge, though the Code permits smaller signatory providers to charge a fee where those detection solutions incur substantial operational costs.

Finally, the Code requires that the relevant technical solutions used for marking and detection be (as far as technically feasible) effective, interoperable, robust and reliable. The Code sets out a staged approach to the adoption of interoperability requirements, noting that these are yet to be developed (apart from digitally signed metadata). It also encourages signatories to invest in research to advance the state of the art, clearly signalling that this remains an emerging area that requires further industry and academic collaboration.

Section 2 - Deployers

The second section guides deployers of AI systems (a wider category, capturing organisations that use AI technologies provided by other companies) in relation to labelling: (i) deepfakes (image, audio or video which resemble existing people, objects, places, events etc., and falsely appear to be authentic or truthful); and (ii) certain AI-generated or manipulated text (publications informing the public on matters of public interest, that have not undergone a human review).

Notably, the Code obliges deployers to use the AI Content icon that the Commission itself has created (EUAI Icon) for these purposes (or an equivalent icon/label) where visual disclosure is possible, in accordance with the relevant placement specifications. Audible disclaimers are to be deployed where visual disclosure is not possible. 

Comment

Whilst the Code provides greater clarity for providers and deployers on compliance, it inevitably leaves key questions unanswered, including around a key intersection of AI and the online environment: the proliferation of generative AI content on social media and other online platforms. In this context, the Code indicates that transparency can be maintained end‑to‑end through technical measures, but provides limited comfort on how that assumption plays out in a fragmented online environment.

For example:  

1. The Code requires providers to ensure marking solutions are robust to typical processing operations (e.g., screenshotting) and malicious behaviour (e.g., removal or modification), and that they include prohibitions on removal or tampering in their acceptable use policies (without implying responsibility for third-party compliance). The Code also encourages online platform operators to preserve metadata markings for AI Content uploaded to their sites.  But if a bad actor still manages to remove or modify the markings for an AI-generated deepfake (even if the marking solution used by the provider is robust) and disseminates that unmarked and unlabelled deepfake widely online, this could raise difficult questions about which party(ies) are liable under the Act and how that liability is apportioned along the supply chain.
2. In this context, the Code explicitly refers to the Digital Services Act (DSA) as a key piece of the EU rulebook that regulates online platforms. Under Article 35 of the DSA, VLOPs are required to put in place measures to mitigate systemic risks on their platforms. In this regard, the Code encourages platforms to make the EU AI Icon, or an equivalent solution, readily available to deployers within upload interfaces – implying that this may help VLOPs comply with their Article 35 obligations. But it is unclear that this would be adequate to defend against enforcement action around deepfake content.  Should the platform be liable for carrying the content, or the provider liable for failures in their marking solution?  Given the growing intensity of DSA enforcement against VLOPs (see our blog), this may become a key question as AI content becomes ever more prevalent online. 

Finally, it is also notable that, while the Code imposes requirements on providers and deployers at a system level, it specifically recognises the importance of providers of generative AI models placed on the market independently from AI systems. Such model providers may adhere to the Code on a voluntary basis and are encouraged to implement marking and detection techniques at a model level, with a view to facilitating compliance by downstream providers of AI systems built on those models. This marks a significant change from the initial draft of the Code, which sought to impose hard obligations on model provider signatories. Although the final wording of the Code aligns with the fact that Article 50 of the Act imposes system-level obligations only, the language of the first draft of the Code and the continued shoe-horning of model-level recommendations into the final draft does highlight the central role that those model providers play in this process. 

Next steps 

As with the equivalent code for the Act’s GPAI rules (see our blog), and once its adequacy assessment by the Commission is complete, organisations will be able to sign up to the Code in order to seek to demonstrate compliance, but do so in the knowledge that: (i) alternative routes to compliance may exist; and (ii) adherence to the Code does not guarantee compliance.   

In addition, a final version of the Commission’s accompanying guidelines on Article 50 are yet to be published, following publication of an initial draft on 8 May 2026 and a targeted consultation that closed on 3 June 2026. Such guidelines are expected to clarify the scope of the legal obligations and address areas that are not otherwise covered in the Code – these guidelines may therefore shed some further light on how these obligations will work in practice.