
AI Act transparency obligations: Code of Practice and draft Guidelines

Posted on 25 June 2026


In Brief

  • On 2 August 2026, four categories of obligations relating to transparency for certain AI systems become applicable under Article 50 of the EU AI Act. Each of the obligations applies to different types of AI systems or their outputs, and imposes obligations on providers of relevant AI systems, as well as deployers.
  • On 10 June 2026, the European Commission published the final version of its Code of Practice on Transparency of AI-Generated Content. The Code is a voluntary tool setting out practical steps that both providers and deployers of in-scope AI systems placed on the market in the EU can take in order to demonstrate compliance with their respective transparency obligations.
  • The Code must now be assessed for adequacy by the Commission and the AI Board, but providers and deployers should proceed on the basis that this assessment will be completed before 2 August 2026 with no changes being made.
  • Separately, the Commission published draft Guidelines on the implementation of the transparency obligations on 8 May 2026, which were open for stakeholder consultation. Once finalised, the Guidelines will be the primary interpretive document for Article 50 as a whole and will complement the Code.

What are the transparency obligations under the EU AI Act and when do they become applicable?

The rules on transparency in the EU AI Act (found in Article 50) become applicable on 2 August 2026. There are four categories of transparency obligation in Article 50:

  • Providers of AI systems that directly interact with natural persons must ensure those systems are designed and developed in such a way that users are informed that they are interacting with an AI system, e.g., a chatbot or an agent summarising meeting notes (unless this is obvious to a natural person who is reasonably well-informed, observant and circumspect) (Article 50(1)).
  • Providers of AI systems that generate or manipulate synthetic images, video, audio or text content must implement machine-readable marking in generative AI systems to enable that content to be detected as such (Article 50(2)).
  • Deployers of AI systems that expose natural persons to emotion recognition or biometric categorisation systems must inform those persons (Article 50(3)).
  • Deployers of AI systems that generate or manipulate deepfakes (as defined) or text published to inform the public on matters of public interest must disclose that the relevant content has been artificially generated or manipulated (Article 50(4)).

Providers and deployers of open-source AI systems still need to ensure compliance with relevant transparency requirements.

There is one potential carve-out on timing in relation to the marking and detection obligation on providers in Article 50(2). The AI Omnibus proposal (discussed in our article: EU AI Act simplified? Unpacking the AI Omnibus Agreement of May 2026) proposes a limited transitional period for providers of generative AI systems that were already placed on the EU market or put into service before 2 August 2026, who will have until 2 December 2026 to comply with the marking and detection obligation. However, the other Article 50 obligations will still all take effect on 2 August 2026 without any transition, including for legacy systems. Generative AI systems newly placed on the EU market from 2 August 2026 must also comply with all four transparency categories from that date.

What are the consequences of non-compliance with the EU AI Act transparency obligations?

Non-compliance with Article 50 can attract fines of up to €15 million or 3% of worldwide annual turnover, whichever is higher. Compliance with the Article 50 transparency obligations is therefore a significant legal and commercial priority for both providers and deployers operating in the EU.

What is the difference between the Code of Practice and the Guidelines?

The two instruments have different scopes:

  • The Code addresses only the transparency obligations in Articles 50(2) and 50(4), i.e., providers' marking and detection obligations, and deployers' deepfake and text labelling obligations.
  • In contrast, the draft Guidelines address the full scope of Article 50, including additionally: Article 50(1) (re interactive AI systems) and Article 50(3) (re emotion recognition and biometric categorisation systems). Providers and deployers subject to these obligations must look to the Guidelines, not the Code, for practical guidance.

The Code is voluntary and does not replace the AI Act or the Guidelines. Where a provider or deployer does not sign the Code, they will need to demonstrate compliance with their transparency obligations through other means after 2 August 2026 (or 2 December 2026 for Article 50(2) in the case of legacy systems). Non-signatories will be assessed individually by national market surveillance authorities and will be expected to benchmark their approach against the Code in any event.

Signing the Code will assist providers and deployers to demonstrate compliance with their transparency obligations, and give them the benefit of a streamlined compliance pathway. Signatories will also be able to participate in Signatory Taskforces, to share practices and advance implementation of marking and labelling requirements.

What does the Code say? Section 1 - Providers

Section 1 of the Code focuses on the obligations of providers who develop an AI system capable of generating synthetic audio, image, video or text content (as set out in Article 50(2)). It details four commitments relating to marking of AI-generated content and related detection mechanisms, including through machine-readable methods that are effective, interoperable, robust and reliable.

Whilst the relevant transparency obligations in the EU AI Act do not apply to them, providers of general-purpose AI (GPAI) models and providers of marking and detection solutions may also choose to sign Section 1. This will facilitate compliance by downstream providers of AI systems built on those models and/or using third-party detection mechanisms. The draft Guidelines encourage providers of GPAI models to implement appropriate transparency measures at the model level, even where they do not formally fall within Article 50.

Section 1 contains the following four commitments by providers, and supporting measures:

Commitment 1: Marking of AI-generated or manipulated content

Signatories commit to implementing a marking solution for AI systems they place on the market in the EU. The commitment is expanded upon through various measures.

Machine-readable marking techniques

Signatories will implement a marking solution consisting of at least one machine-readable mechanism that is effective, reliable, robust and interoperable. Until a single marking technique meets all four requirements, signatories should adopt a multi-layered marking system (a single layer may still be sufficient in specific cases, for example in closed industrial environments where the risk of deception is low). The Code discusses the use of digitally signed metadata, imperceptible watermarking and optional fingerprinting or logging.

Non-removal of markings

Signatories should adopt cumulative measures, on a best-efforts basis, to preserve metadata markings, including retaining existing metadata markings and not intentionally altering or removing them. Acceptable use policies and terms and conditions should prohibit intentional removal of or tampering with metadata markings, other than for legitimate purposes.

Optional measures relating to marking

Signatories are encouraged to record richer provenance information and also to adopt optional functionality to allow deployers and other users to directly apply a perceptible label to relevant content, facilitating compliance by downstream deployers with their own labelling obligations.

Commitment 2: Detection of markings of AI-generated or manipulated content

Signatories commit to providing means to enable detection of machine-readable markings, and to present detection results in a clear, distinguishable and accessible manner.

Detection mechanisms for markings

Detection solutions should be made available as either a public specification allowing any third party to implement a detection mechanism, a piece of software, or a cloud-based service. They should be free (though signatories with fewer than one million monthly users may charge a fee where detection requests from a single user exceed a reasonable threshold).

Clear and accessible disclosure of detection results

Signatories will ensure that detection results, however generated, are presented in a clear and accessible way to natural persons, and in compliance with applicable accessibility requirements.

Optional measures relating to detection

As part of their detection solution, signatories may include a forensic detection tool to detect content for which marking has been stripped. They are also encouraged to provide information to deployers to support informed decisions on what marking and detection solutions to use, together with end-user literacy resources.

Commitment 3: Measures to meet marking and detection solution requirements

Signatories commit to ensuring their marking and detection solutions are effective, achieve a high degree of reliability, maintain intended performance levels under varying conditions (including adversarial robustness), and are interoperable. The Code envisages a staged implementation in relation to interoperability.

Commitment 4: Testing, Verification and Compliance

Finally, signatories commit to setting up and maintaining compliance, testing, verification and monitoring processes.

What does the Code say? Section 2 - Deployers

Section 2 of the Code focuses on the obligations of deployers of generative AI systems, in particular those who use generative AI systems for professional purposes and who are subject to the transparency obligations in Article 50(4) relating to labelling of: (1) deepfakes; and/or (2) AI-generated or manipulated text published with the purpose of informing the public on matters of public interest (which has not undergone human review or editorial control by a natural or legal person holding editorial responsibility for the content).

There are important limits to deployers’ relevant transparency obligations. For example, deepfakes in scope comprise images, audio or video content that are AI-generated or manipulated to resemble existing persons, objects, places, entities or events, and which would falsely appear to a person to be authentic or truthful. The draft Guidelines clarify that the test is whether the subject resembles something that can exist or could have existed in reality. For example, simulated persons or events etc that defy the laws of nature or physics (such as humans flying without mechanical aids, dragons or elephants driving cars) would be considered unrealistic and fall outside the scope of the transparency obligation.

The draft Guidelines also confirm that any intent to deceive by the deployer is irrelevant: the test is whether the content would falsely appear authentic to the audience that may be exposed to the content, including vulnerable groups such as children (where the threshold for deception will be lower).

The transparency obligation is attenuated where deepfake content forms part of an evidently artistic, creative, satirical, fictional or analogous work or programme. The draft Guidelines note that this requires that the content's categorisation as artistic etc is neither potentially unclear nor ambiguous. Commercial usages involving AI-generated deepfakes of celebrities, for example, would not fall within the attenuated exception. Importantly, this 'exception' relates only to the form of disclosure; it does not remove the transparency obligation. The AI origin must still be disclosed, but in an appropriate manner that does not hamper the display or enjoyment of the work. This will require a case-by-case assessment of all relevant factors, such as the nature of the work, the audience and context.

The draft Guidelines give as examples of an artistic/fictional work AI-generated special effects in movies such as simulations of actors, de-aging of actors and digital replicas of deceased actors; and AI-generated gaming imagery involving deepfake simulations of existing persons or locations. However, an AI-generated image of a celebrity implying their involvement in an activity, with no fictional, satirical or analogous purpose, would not fall within the category.

Aside from the requirements of the EU AI Act, of course, deployers should consider personality rights, intellectual property, data protection provisions and other appropriate measures (as discussed in our article on deepfake regulation in the UK).

Deployers make four commitments in the Code of Practice as follows:

Commitment 1: Disclosure of deepfakes and published text

Deployer signatories commit to ensuring consistent and effective disclosure of the artificial origin of deepfakes or published AI-generated text. In particular, they should use the 'EU icon' (or an equivalent icon complying with the Code). Annex 1 to the Code contains representations of optional icons, with examples of specific use cases, and style variations (including accompanying text to capture content that is both fully AI-generated (AI + GENERATED) and partially AI-modified (AI + MODIFIED)).

There is also detailed practical guidance on how to use the icons (or an equivalent label), including design and placement specifications, timing and visibility/audibility of disclosure, and requirements around accessibility measures. The design and placement specification requirements are detailed and deployers should analyse them carefully to ensure compliance.

Commitment 2: Internal processes

Deployer signatories are required to put in place appropriate internal processes to ensure compliance and to publish information on their disclosure solution. They also commit to making proportionate efforts to ensure awareness of the disclosure obligations among their staff and external contractors.

Commitment 3: Disclosure for artistic, creative and similar works

As noted above, for artistic, creative, satirical, fictional or similar works, the transparency obligation is limited to disclosing the existence of AI-generated or manipulated content in an appropriate manner that does not hamper the display or enjoyment of the work. For example, in a digital context, the icon may be placed outside, but adjacent to, the video or image frame, provided it remains perceivable by the end user without additional engagement.

Commitment 4: Human review and editorial control for published text

Media service providers may rely on an exception to the disclosure obligation where AI-generated or manipulated text has undergone human review or editorial control, by applying their existing review and editorial procedures. However, the draft Guidelines construe this exception narrowly: human review must involve deliberate examination of the substance of the content by persons with relevant competence and professional judgement. Superficial, solely formal or procedural checks (such as spell-checking etc) without substantive engagement will not satisfy the exception. Media service providers should therefore assess whether their existing editorial workflows involve substantive review of AI-generated text, and whether they can demonstrate the adequacy of their processes if required.

AI agents that are capable of generating texts, such as emails or posts on social media, may not always go through human review or editorial control due to their autonomous nature. They are unlikely to benefit from the exception above.

Analysis on marking and detection obligations

There are some further points to note in relation to providers' and deployers' transparency obligations. First, the draft Guidelines recognise an exception from the requirement to mark and detect AI-generated outputs in limited cases of "industrial AI applications" and B2B applications. The exception will cover outputs such as engineering drawings, industrial production workflows, and similar content. However, this exception is narrow and will only apply where two cumulative requirements are met:

  • The generated output is strictly technical in nature; and
  • It is only intended to be perceived by a limited pre-defined number of natural persons acting in a professional capacity within the provider/deployer's organisation. If the output is shared with an external party, such as a customer, supplier or contractor, the full marking obligation will apply.

Article 50(2) also contains certain exceptions to providers' transparency requirements. One relates to assistive functions for standard editing. The draft Guidelines distinguish between editing that is exempt from marking obligations and editing that triggers them:

  • Exempt (standard editing): e.g., grammar correction, spellchecking, format conversions, technical compression, noise reduction; minor cropping, rotating or rescaling; minor colour adjustments; limited sharpening; removing red-eye caused by flash photography etc.
  • Marking required (substantive alteration): substantial alterations of content including AI-generated translations and summaries; addition or removal of objects; face alteration; converting black-and-white images to colour; creation of composite images or video clips.

Interactive AI systems and emotion recognition/biometric categorisation systems

The Code of Practice does not deal with the two other transparency obligations in Article 50, concerning interactive AI systems and emotion recognition/biometric categorisation systems.

Article 50(1): Interactive AI systems

Providers of AI systems designed to interact directly with natural persons (such as chatbots, AI agents, virtual assistants and AI companions) must inform users that they are interacting with an AI system. This obligation applies from 2 August 2026.

The test is whether it would be obvious to the reasonably well-informed, observant and circumspect natural person that they are directly interacting with an AI system, which will depend upon the nature of the interaction and the composition of the target audience. For example, the draft Guidelines suggest that AI-powered code assistance chatbots available only to professional developers and AI-enabled Non-Playable Characters (NPCs) in video games would meet the obviousness exception. However, AI companion pets, AI systems embedded in immersive environments using realistic avatars, and AI chatbots embedded in online platforms or assistance support tools where users directly interact and receive AI outputs they may perceive as neutral or human generated (including via agentic AI systems) would not.

The draft Guidelines also confirm that certain techniques will not, on their own, satisfy the transparency requirements e.g., disclosures contained only in terms and conditions, machine-readable markings which are not perceivable by users at the point of interaction, unclear or ambiguous signals (e.g., generic references to an "assistant") or technical or capability-based descriptions (e.g., "this system uses LLMs"). Disclosure protocols will therefore need reviewing and updating in advance of 2 August 2026.

Article 50(3): Emotion recognition and biometric categorisation systems

Deployers of emotion recognition and biometric categorisation systems must inform all natural persons exposed to the system’s operation, at the latest at the time of first exposure, unless an exception applies.

Importantly, this obligation covers all biometric categorisation systems, not just those classified as high-risk. The format for providing the disclosure is flexible, provided it is clear and distinguishable and meets applicable accessibility requirements. The example is given of a centrally placed pop-up onboarding message before a computer game is launched indicating that the player's face is recorded, capturing their emotions.

General requirements for all of the transparency requirements

Article 50(5) is a horizontal provision applying to all of the transparency obligations. It requires that disclosures are made to natural persons in a clear and distinguishable manner at the latest at the time of first interaction or exposure and conform to applicable accessibility requirements. The draft Guidelines provide further insight:

  • ‘Clear’ means noticeable and easy to understand, including for people with accessibility needs.
  • ‘Distinguishable’ means easily identifiable as separate from surrounding content and the environment in which it is presented. Disclosures cannot therefore be hidden in terms and conditions, manuals or layered menus.
  • ‘First exposure’ does not focus on just the first viewer but applies to each natural person who encounters the content for the first time. This means, for example, that disclosures in a live broadcast should be made at the beginning of the broadcast and also at later stages.

Interaction with other laws

The transparency provisions in the EU AI Act focus on how content has been created and its artificial origin. Providers and deployers must also, of course, comply with data protection laws, and other regimes, including intellectual property rights and criminal law regimes. The provisions also facilitate effective implementation of the EU's Digital Services Act, as very large online platforms (VLOPs) and very large online search engines (VLOSEs) may make labelling tools available to deployers (who may use them to fulfil their labelling obligations). Further, platforms may remove a non-labelled deepfake under the DSA on the basis that it constitutes 'illegal content'.

Next steps for developers and deployers

To be included in the initial list of signatories to the Code, completed forms must be submitted by 22 July 2026 (6pm CEST). Signatories may sign the entire Code, or just Section 1 (providers), Section 2 (deployers), or both, but cannot sign individual commitments within each Section.

More generally, given the approaching compliance date of 2 August 2026 for the majority of the transparency obligations, providers and deployers should prioritise:

  • Scope assessment: Identify all AI systems in use and determine which Article 50 obligations apply.
  • Chatbot etc disclosures: Review all customer-facing AI interfaces and consider whether disclosure design changes are required.
  • Deepfake and text labelling: Review content creation and publication workflows and implement the required disclosures, including e.g., through adopting the EU icon.
  • Emotion recognition or biometric categorisation: Identify relevant systems in use and implement the required disclosures, including for systems not classified as high-risk.

How Mishcon can help

If you would like more guidance on transparency obligations under the EU AI Act, please get in touch with a member of our AI team. You can also track developments via our AI resource centre.
