In partnership with
Most of the AI Act's hardest obligations now live in late 2027 and 2028. The Digital Omnibus moved them there, and the relief was real. But it left one obligation standing on August 2, 2026 — and it is the one that reaches the widest set of teams inside an enterprise. Article 50 transparency is not a problem for the legal department to absorb quietly. It touches every product that talks to a customer, every marketing team that generates an image, every communications function that publishes AI-assisted text on a matter of public interest. It is the first AI Act deadline that lands on people who have never read the AI Act.
For months "Article 50" has been shorthand for a vague instruction: label your AI. As of two weeks ago it is no longer vague. On June 10, the European AI Office published the Code of Practice on marking and labelling of AI-generated content, and it specifies a technical regime, not a principle. Two layers: cryptographically signed provenance metadata, and an imperceptible watermark embedded in the content itself. Watermarking now reaches free-form text above roughly 200 tokens, not just images and video. The only technology that meets the metadata criteria in practice is the C2PA provenance standard. "Label your AI" has become "embed signed provenance and a durable watermark in everything your models produce, and be able to detect it later."
There is also a date almost nobody has in their plan. Under the Omnibus, generative systems already on the market before August 2 get a grace period on the machine-readable marking obligation — but only until December 2, 2026, and only for systems that already exist. Anything you ship from August 2 onward must comply from day one. The grace window was quietly compressed from six months to three during the May negotiation. It is a genuine planning gift if you know it is there, and a trap if you assume it covers the product you launch in September.
This edition is the build. What Article 50 actually requires, who owns each piece, what the June 10 Code means in engineering terms, and the five-week plan to be ready. Provenance is becoming infrastructure. The enterprises that treat labelling as a trust feature rather than a compliance sticker will get something back for the work.
TL;DR
August 2 is the first AI Act deadline that touches product, marketing, and communications — not just legal. Article 50 transparency reaches anyone who ships AI that talks to the public or generates content. Brief the non-legal owners this week; they are the ones who have to build it.
"Label your AI" is now a technical spec, not a principle. The June 10 marking Code defines a two-layer regime: C2PA-style signed metadata plus an imperceptible watermark, with watermarking extended to free-form text over ~200 tokens. Your implementation target is concrete now.
There is a December 2 grace window — and it is narrower than it sounds. Pre-existing generative systems get until December 2, 2026 for the machine-readable marking obligation. Anything launched from August 2 must comply immediately. Map your systems into "before" and "after" buckets before you rely on the grace.
Detection is a standing operation, not a one-time mark. Article 50.2 requires output to be detectable as AI-generated. Marking once is not enough; you need verification you can run, and that survives format conversion and re-encoding. Budget for it as infrastructure.
Build it as trust, not theatre. Provenance done properly is a consumer-trust and procurement asset, not a compliance cost. The European requirement is, again, a forcing function for something worth having.
The Brief
1. August 2 Transparency: The Deadline the Omnibus Did Not Move
While the Omnibus pushed high-risk obligations to December 2027 and August 2028, the Article 50 transparency obligations remain in force from August 2, 2026. These are horizontal duties: they apply across sectors to specific AI uses — systems that interact with people, generative systems, emotion recognition and biometric categorisation, and deepfakes or AI-generated public-interest text — regardless of whether the system is "high-risk." Non-compliance sits in the AI Act's middle penalty tier: up to €15 million or 3% of global annual turnover.
Why it matters: This is the AI Act becoming visible to the public for the first time. High-risk obligations are an internal governance project; transparency is a user-facing change to your products. It is also the deadline most likely to generate a complaint, because non-compliance is observable by any user, journalist, or competitor who notices an unlabelled deepfake or an undisclosed chatbot. The reputational surface is larger than the fine. Watch: The final Article 50 guidelines from the AI Office, expected before August 2 — they fix the operational definitions. Source: EU AI Act — Article 50 · aiactblog — The Article 50 deadline that was not postponed
2. The Four Duties of Article 50 — and Who Owns Each
Article 50 splits cleanly into four obligations with two different owners. Providers carry the first two: systems that interact directly with people must make clear the person is dealing with AI (50.1); generative systems must mark their outputs in a machine-readable format, detectable as artificially generated (50.2). Deployers carry the second two: informing individuals exposed to emotion recognition or biometric categorisation systems (50.3); and disclosing deepfakes — AI-generated or manipulated image, audio, or video — and AI-generated text published to inform the public on matters of public interest (50.4).
Why it matters: The provider/deployer split is where compliance programmes fragment. If you build AI products, you own 50.1 and 50.2 for your users. If you use AI products — to generate marketing media, to run a service chatbot, to publish content — you own 50.3 and 50.4 as a deployer, even for models you did not build. Most enterprises are both, on different systems, and need both owners named. A single "Article 50 owner" is usually a sign no one has mapped the systems. Source: EU AI Act — Article 50 · Greenberg Traurig — Deepfakes, chatbots, AI-generated text
3. June 10: The Marking Code Turns Principle Into Spec
On June 10, the European AI Office published the Code of Practice on marking and labelling of AI-generated content — the voluntary compliance pathway for Article 50.2 and 50.4. Its core is a two-layered marking approach: digitally signed metadata attached to the content, and an imperceptible watermark embedded in the content itself, with optional fingerprinting and logging, plus protocols for detection and verification. The Code is voluntary, but it is the recognised route to demonstrating compliance, and it defines what "machine-readable marking" means in practice.
Why it matters: Until June 10, enterprises could reasonably say the technical requirement was undefined. That excuse is gone. The Code gives engineering teams a concrete target: signed provenance plus a durable watermark, not a visible "made with AI" badge alone. The two-layer design is deliberate — metadata can be stripped by a screenshot or a re-upload, so the embedded watermark is the layer that survives. Building only the visible label, or only the metadata, will not meet the standard the Code describes. Watch: The Code's signatory list as it forms — a signal of which providers are committing to a recognised marking method. Source: European Commission — Code of Practice on marking and labelling of AI-generated content · IPTC — AI Office releases transparency Code
4. The C2PA Reality — and Why Text Just Got Harder
The Code does not name a vendor, but the metadata criteria — cryptographically signed, tamper-evident provenance — describe the C2PA (Coalition for Content Provenance and Authenticity) standard in all but name. The more demanding change is in scope: imperceptible watermarking now extends to free-form text longer than roughly 200 tokens, with a carve-out only for very short text below that threshold. Image, audio, and video watermarking is comparatively mature; robust, invisible text watermarking that survives editing and paraphrasing is a harder, less settled engineering problem.
Why it matters: Many teams assumed Article 50.2 was a synthetic-media problem — deepfake images and cloned voices. The text threshold pulls in chatbots, drafting assistants, and any system that emits substantial generated prose. If your product writes more than a couple of sentences at a time, text watermarking is now in scope, and it is the part of the build with the most technical uncertainty. Start the engineering spike here, not on the images. Source: ComplianceHub — Watermarks and metadata: how to actually comply with Article 50 · Bird & Bird — The final transparency Code of Practice
5. The December 2 Grace Window — Real, but Narrow
Under the Omnibus, generative AI systems already placed on the market before August 2, 2026 get a grace period on the Article 50.2 machine-readable marking obligation, running until December 2, 2026. The window was compressed from six months to three during the May negotiation. Critically, it applies only to pre-existing systems: anything placed on the market or put into service from August 2 onward must comply from the date of placement, with no grace.
Why it matters: This is the most actionable planning fact in the edition, and the easiest to get wrong. If your generative features are already live, you have until December 2 for the marking layer — useful breathing room for the harder watermarking work. But if you are launching or materially changing a generative product after August 2, the grace does not apply, and "we'll add marking in Q4" is non-compliant from launch. Sort every system into "before August 2" and "after August 2" now; the two buckets have different deadlines. Source: Gibson Dunn — Omnibus: postponed deadlines and key changes · William Fry — Omnibus deal: watermarking compromise
6. The Exceptions That Will Shape Your Implementation
Article 50 carries carve-outs that matter operationally. The 50.1 disclosure does not apply where it is obvious to a reasonably well-informed person that they are interacting with AI — but "obvious" is a high bar the guidelines will tighten, not a loophole. The 50.4 deepfake and text duties are disapplied where use is authorised by law to detect or prosecute criminal offences. And where content is part of an evidently artistic, creative, satirical, or fictional work, the obligation is limited to disclosing the existence of generated content in a way that does not spoil the work — a lighter-touch label, not an exemption.
Why it matters: The exceptions are where over-compliance and under-compliance both hide. Teams that assume "everyone knows our bot is a bot" may be leaning on the 50.1 carve-out further than the guidelines will allow. Teams in media, film, or advertising need to understand the artistic carve-out precisely — it changes the form of the label, not the duty to disclose. Get legal to map your use cases against the exceptions before engineering builds a one-size label. Source: EU AI Act — Article 50 · Global Policy Watch — 10 takeaways on the draft transparency guidelines
7. The Penalty Tier — and the Bigger Reputational Surface
Article 50 non-compliance sits in the AI Act's middle enforcement band: up to €15 million or 3% of global annual turnover, not the 7% / €35 million reserved for prohibited practices. The number is meaningful, but for transparency the larger exposure is reputational. Unlike a high-risk documentation gap, an Article 50 failure is visible: an unlabelled deepfake in a campaign, a chatbot that hides that it is one, AI-generated "news" without disclosure. Any user or journalist can spot it, and the AI Act gives them a framework to complain about it.
Why it matters: The board conversation about Article 50 should not be framed only as fine exposure. It should be framed as brand and trust exposure. The first enforcement actions and public call-outs after August 2 will set the reputational tone, and you do not want to be the worked example. Map the penalty tier correctly — middle band — but argue the case internally on trust, which is where the real cost sits. Source: EU AI Act — Article 99 penalties · EU AI Act — Transparency rules: a practical guide to Article 50
8. Fable 5 / Mythos 5: Still Dark, and the Reason Got Sharper
Two weeks after the US export-control suspension, Anthropic's Fable 5 and Mythos 5 remained unavailable as of June 22 — ten days of global blackout. The justification also escalated: reports of a Senate Intelligence Committee briefing describe the NSA disclosing that Mythos identified vulnerabilities across nearly all of the agency's classified systems within hours of testing. Anthropic has signalled confidence that access could return in the coming days, with two markers ahead: its government-ID verification policy (early July) and the 60-day frontier-model framework deadline (around August 1).
Why it matters: Last edition's thesis — model access is a regulatory variable a government can switch off — has only hardened. The new detail reframes the stakes: the capability that triggered the ban was not a hypothetical, but a model finding real holes in classified infrastructure. For enterprises, the continuity lesson is unchanged and more urgent: a frontier model in your stack can be removed on a national-security timeline, and your only protection is a tested fallback. If you have not run that drill since June, run it this week. Watch: Early July (ID-verification policy) and ~August 1 (EO framework deadline) as the likeliest restoration triggers. (NSA briefing claim: verify before citing — see checklist.) Source: Anthropic — Statement on the directive to suspend Fable 5 and Mythos 5 · Korea JoongAng Daily — Anthropic confident of re-enabling access
9. Provenance Is Becoming Infrastructure — and a European Advantage
Step back from the deadline and a larger shift is visible: content provenance is moving from a nice-to-have into infrastructure. The C2PA standard, signed metadata, durable watermarking, and detection tooling are becoming a layer that sits under every generative product, the way TLS sits under every website. The EU is the first jurisdiction to make that layer mandatory at scale, which means European enterprises will build it first — and provenance, once built, is a trust asset: it lets you prove what your organisation did and did not generate, in a market filling with synthetic content and deepfake fraud.
Why it matters: This is the recurring thesis with a fresh proof. The transparency requirement is a cost on the deadline and an asset afterwards. In a market where deepfake fraud and synthetic-content disputes are rising, being able to cryptographically prove the provenance of your own communications is worth more than the compliance it satisfies. Build the provenance layer as a capability, not a checkbox, and it pays back beyond August 2. Source: IPTC — AI Office releases transparency Code · EU AI Act — Transparency rules: a practical guide to Article 50
ChatGPT gives you generic answers because you give it generic prompts.
You know the fix: longer prompts, more context, clearer constraints. But typing all that takes five minutes per prompt, so you shortcut it. Every time.
Wispr Flow lets you speak your prompts instead of typing them. Talk through your thinking naturally — include context, constraints, examples — and get clean text ready to paste. No filler words. No cleanup.
Works inside ChatGPT, Claude, Cursor, Windsurf, and every other AI tool. System-level, so there's nothing to install per app. Tap and talk.
Millions of users worldwide. Teams at OpenAI, Vercel, and Clay use Flow daily. Free on Mac, Windows, and iPhone.
Deep Dive
What August 2 Actually Requires
The high-risk tier slipped to 2027. Transparency did not move — and as of June 10 it is no longer a principle. It is a technical spec with a five-week clock and a hidden second deadline.
What Changed
For most of the year, Article 50 was something enterprises could acknowledge without acting on, because the operative question — what does "machine-readable marking" actually require? — had no settled answer. On June 10 the European AI Office answered it. The Code of Practice on marking and labelling of AI-generated content sets out a two-layer technical approach: cryptographically signed provenance metadata attached to each piece of content, and an imperceptible watermark embedded in the content itself, supported by detection and verification protocols and optional fingerprinting and logging. The same period clarified the timeline. Transparency obligations apply from August 2, 2026; pre-existing generative systems get until December 2, 2026 for the marking obligation specifically; new systems get no grace at all.
So the picture as of late June is concrete in a way it was not in May. There is a deadline, a technical standard, a narrower-than-expected grace window, and a penalty tier. The ambiguity that justified waiting is gone.
Why It Matters
The reason Article 50 deserves a dedicated build — rather than absorption into a general compliance backlog — is that it is the first AI Act obligation to cross out of the legal function and into product, engineering, marketing, and communications. High-risk compliance is documentation, risk management, and conformity assessment: heavy, but contained within governance and legal teams. Transparency is different. It changes what users see and what content carries. It requires engineering to embed marks, product to design disclosures, marketing to label generated media, and communications to disclose AI-assisted public-interest text. None of those teams reports to the DPO, and most have not read the AI Act.
That breadth is also why the deadline is risky. An obligation that touches six functions fails at the seams between them. The classic failure mode is a marking layer built by engineering that marketing does not know how to invoke, or a disclosure standard set by legal that product never implements in the UI. The work is not technically enormous, but it is organisationally distributed, and distributed work needs an owner with authority across functions, not a single compliance analyst.
What Enterprises Usually Miss
Three things, in ascending order of consequence.
First, the grace window is a system-by-system question, not a company-wide one. December 2 applies only to generative systems already on the market before August 2. The product you launch or materially change in September gets no grace. Enterprises that hear "December" and relax will miss that their roadmap — the new features shipping after the summer — are precisely the systems with no breathing room. The grace protects your past, not your future.
Second, detection is an ongoing operation, not a one-time act of marking. Article 50.2 requires output to be detectable as artificially generated. Marking content at creation is the easy half; being able to verify the mark later, after the content has been screenshotted, re-encoded, cropped, or converted, is the hard half — and it is the half that makes the metadata layer fragile and the embedded watermark essential. This is why the Code specifies two layers. A programme that marks but cannot reliably detect has built half the requirement.
Third, text is the frontier of the build. The extension of watermarking to free-form text over roughly 200 tokens pulls chatbots and drafting tools into scope, and robust text watermarking — invisible, surviving edits and paraphrase — is materially less mature than image or audio watermarking. The teams that assume Article 50 is a synthetic-media problem will discover late that their highest-volume generated output is text, and that it is the hardest piece to mark durably. The engineering spike belongs here first.
The Governance / Infrastructure Implication
The connective insight is that Article 50 is asking enterprises to build a provenance layer — and a provenance layer is infrastructure, not a feature. Done once, properly, it sits beneath every generative product the way authentication or logging does: a shared service that signs, watermarks, and verifies content across the organisation. Built that way, it satisfies the obligation and becomes reusable capability. Built as a series of per-product stickers, it satisfies nothing durably and has to be redone each time.
This is where the European-constraint-as-advantage thesis stops being rhetorical. The EU is forcing the provenance layer into existence first, and provenance is becoming valuable independently of the regulation — as defence against deepfake fraud, as proof of authorship in disputes, as a trust signal to customers drowning in synthetic content. The enterprises that build C2PA-grade provenance now, because Brussels requires it, will hold a capability that the rest of the market will want and not yet have. The deadline is the cost. The infrastructure is the return.
What Leaders Should Do Next
Name a single accountable owner for Article 50 with authority across product, engineering, legal, marketing, and communications — not a compliance analyst, but someone who can direct work in all six functions. Have that owner produce the system map this week: every AI system that interacts with people or generates content, sorted into provider duties (50.1, 50.2) and deployer duties (50.3, 50.4), and into "before August 2" and "after August 2" for the grace window. Then start the text-watermarking engineering spike, because it is the longest pole. The checklist below is the artifact to run all of it.
Enterprise Playbook
For the CPO / Head of Product (Article 50 owner): Take accountability for Article 50 across functions and produce the system map this week — every AI system that talks to people or generates content, tagged by obligation (50.1–(4)) and by grace bucket (before/after August 2). A distributed obligation needs one owner with cross-functional authority; appoint them now.
For the Head of AI Engineering: Start the text-watermarking spike immediately — it is the least mature and highest-volume part of the build. In parallel, stand up the provenance layer as a shared service (C2PA-style signed metadata + embedded watermark + a detection/verification endpoint) rather than per-product marking. Target the December 2 grace date for existing systems and August 2 for anything new.
For the DPO / Legal: Map each use case against the Article 50 exceptions — the 50.1 "obvious AI" carve-out, the law-enforcement disapplication, and the artistic/creative limited-disclosure rule — and issue a one-page ruling per use case so engineering and marketing build the right label, not a blanket one. Do this before the final guidelines land so you can adjust on publication.
For the CMO / Head of Communications: Inventory every place your teams generate public-facing media or publish AI-assisted text on matters of public interest, and define the disclosure standard now — wording, placement, and the artistic carve-out where it applies. Marketing and comms are 50.4 deployers whether or not they realise it; the disclosure is theirs to implement.
For the CISO: Treat the provenance layer as security infrastructure. Signed provenance and durable watermarking are also fraud and impersonation defences — they let you prove what your organisation did and did not produce. Fold detection/verification into your incident response for deepfake and synthetic-content events.
For the Board: Reframe Article 50 from fine exposure to trust exposure. The €15M / 3% tier is real, but the visible nature of transparency failures makes brand and reputation the larger surface. Ask for the system map and the before/after-August-2 split at the next governance update.
Artifact: Article 50 Transparency & Labelling Implementation Checklist
Run this per AI system. The goal is a complete map with an owner, an obligation, a deadline bucket, and a marking method for every system that talks to people or generates content.
Step 1 — Classify each system by obligation
Obligation | Trigger | Owner role | Applies to you? |
|---|---|---|---|
50.1— disclose AI interaction | System interacts directly with people (chatbots, voice agents) | Provider | [ ] |
50.2 — machine-readable marking | System generates synthetic content (text >~200 tokens, image, audio, video) | Provider | [ ] |
50.3 —emotion / biometric notice | Deploys emotion recognition or biometric categorisation | Deployer | [ ] |
50.4 — deepfake / public-interest text disclosure | Deploys AI to generate deepfakes or publish public-interest text | Deployer | [ ] |
Step 2 — Sort by deadline bucket
[ ] On market before August 2, 2026 → marking obligation (50.2) due December 2, 2026; all other 50 duties due August 2, 2026.
[ ] Placed on market / materially changed from August 2, 2026 → all 50 duties due at placement. No grace.
Step 3 — Choose the marking method (for 50.2 systems)
[ ] Layer 1 — Signed provenance metadata (C2PA-grade, cryptographically signed, tamper-evident).
[ ] Layer 2 — Imperceptible watermark embedded in the content (survives screenshot / re-encode / crop).
[ ] Text systems: confirm watermarking applies to free-form output over ~200 tokens; spike durability against editing/paraphrase.
[ ] Detection/verification: stand up an endpoint or process to verify marks later — marking without detection is half-built.
Step 4 — Apply the exceptions (per use case, signed off by legal)
[ ] 50.1 "obvious AI" — only where a reasonably informed person would clearly know; do not over-rely.
[ ] Law-enforcement disapplication where authorised to detect/prevent/investigate/prosecute crime.
[ ] Artistic / creative / satirical / fictional — disclosure limited to non-hampering form, not removed.
Step 5 — Design the user-facing disclosure
[ ] 50.1: clear "you are interacting with AI" notice in the UI.
[ ] 50.4: deepfake and public-interest-text labels — wording, placement, persistence defined.
[ ] Map who invokes the marking layer in each workflow (engineering builds it; marketing/product must trigger it).
Filing note: A completed checklist per system, with owner, obligation, bucket, and method, is your Article 50 evidence pack — and the document an auditor or complainant will probe first.
What to Watch Next
Before August 2: Final Article 50 guidelines from the AI Office. The draft guidelines (May 8) closed consultation June 3; the final text fixes the operational definitions, including how strict the 50.1 "obvious AI" exception is. Adjust your legal rulings on publication.
August 2, 2026: Article 50 transparency obligations apply. Five weeks out. New systems comply from placement; pre-existing systems start the clock on everything except 50.2 marking.
December 2, 2026: Marking grace window closes for pre-existing generative systems. The hidden second deadline. Existing-system marking must be live by this date.
Early July / ~August 1: Fable 5 & Mythos 5 restoration markers. Anthropic's ID-verification policy and the 60-day EO framework deadline are the likeliest triggers. Whether access returns, and on what terms, sets precedent for government control of frontier models.
The marking Code's signatory list. Which model providers commit to the recognised two-layer method — a procurement signal for buyers choosing generative vendors.
Next Steps
What to read now?
The Story
Regulation
EU AI Act — Article 50 — The text itself. Read the four obligations and the exceptions; everything downstream is interpretation of these paragraphs.
Greenberg Traurig — Deepfakes, chatbots, AI-generated text — The clearest practitioner walk-through of who owns what under 50.1–(4).
Implementation
European Commission — Code of Practice on marking and labelling of AI-generated content — The June 10 Code itself. The two-layer marking approach is the spec your engineering team needs.
ComplianceHub — Watermarks and metadata: how to actually comply with Article 50 — The most practical translation of the Code into engineering terms, including the text-watermarking threshold.
Timeline / Strategy
Gibson Dunn — Omnibus: postponed deadlines and key changes — The authoritative read on what moved and what did not, including the December 2 marking grace window.
Infrastructure
IPTC — AI Office releases transparency Code of Practice — Useful on the provenance-as-infrastructure angle and the C2PA connection from the standards community's perspective.
That’s it for this week.
Before next Thursday, name the single accountable owner for Article 50 — someone with authority across product, engineering, legal, marketing, and communications — and ask them for one thing: a list of every AI system that talks to your users or generates content, sorted into "live before August 2" and "launching after August 2." Reply to this email with how many systems are in the "after" bucket.
Why this, not the other twenty things you could do: The Deep Dive argued that Article 50 fails at the seams between functions, and that the December grace protects your past but not your future. The "after August 2" bucket is the one with no grace and the hardest build — and it is the bucket most teams have not separated out. You cannot plan the five weeks until you know which systems are actually on the clock.
If no one can produce the list: That is the finding. An obligation touching six functions with no cross-functional owner is the failure mode in the Deep Dive, already present. Naming the owner is the fix, and it costs you one email.
If you skip it: August 2 arrives, a new generative feature ships in September with no marking, and the first person to notice is a user, a journalist, or a competitor — because unlike a high-risk gap, an Article 50 failure is visible to everyone.
Until next Thursday, João
OnAbout.AI delivers strategic AI analysis to enterprise technology leaders. European governance lens. Vendor-agnostic. Actionable.
If this landed in your inbox from a forward — subscribe here to get the full picture every week.
