Skip to main content

Policy brief · July 2026

Machine-readable marking under EU AI Act Article 50: a plain-language brief

What Article 50 of Regulation (EU) 2024/1689 requires, who it applies to, when it takes effect, and how machine-readable content provenance fits. Written for policy and compliance readers; no technical background needed.

Ungated. Print or save as PDF from your browser.

What content provenance is

Content provenance is a cryptographic record of a piece of content's origin, authorship, and history, embedded so the record travels with the content wherever it goes. The record is created when the content is generated or published, is signed with standard cryptographic certificates, and can be checked by anyone with free, open tools. Because the record can be read by software as well as by people, embedded provenance is one of the marking techniques discussed in the Code of Practice on Transparency of AI-Generated Content. The EU AI Act does not prescribe a specific technical standard; the open standard for embedded content provenance is C2PA, published by the Coalition for Content Provenance and Authenticity.

How it works

The record is attached where the content is created. Verification is open to anyone: a regulator, a platform, a journalist, or a member of the public.

Article 50 obligations at a glance

Article 50 sets out four distinct transparency obligations. Two fall on providers (the organizations that build or supply AI systems) and two fall on deployers (the organizations that use them). They are separate duties: the provider marking duty in Article 50(2) covers synthetic output generally, while the narrower public-interest-text scope belongs to the deployer disclosure duty in Article 50(4).

ProvisionWhoWhat is requiredWhen it applies
Article 50(1)ProviderAI systems that interact directly with people, such as chatbots, must inform the person that they are interacting with an AI system, unless that is already obvious from the context.August 2, 2026 for new systems; December 2, 2026 for systems already on the market.
Article 50(2)ProviderAI systems that generate synthetic audio, image, video, or text must mark their outputs in a machine-readable format so the outputs are detectable as artificially generated or manipulated. This duty covers synthetic output generally; it is not limited to news or public-interest text.August 2, 2026 for new systems; December 2, 2026 for systems already on the market.
Article 50(3)DeployerOrganizations operating an emotion recognition system or a biometric categorisation system must inform the people exposed to it about its operation.August 2, 2026 for new systems; December 2, 2026 for systems already on the market.
Article 50(4)DeployerDeepfakes (AI-generated or manipulated image, audio, or video resembling existing persons, places, or events) must be disclosed as artificially generated or manipulated. AI-generated or manipulated text published to inform the public on matters of public interest must also be disclosed, except where the content has undergone human review and a natural or legal person holds editorial responsibility for its publication.August 2, 2026 for new systems; December 2, 2026 for systems already on the market.

Timeline and penalties

  • August 2, 2026: Article 50 transparency obligations apply to AI systems placed on the market or put into service on or after this date.
  • December 2, 2026: End of the transitional period for systems already on the market before August 2, 2026, under the AI Omnibus agreement of May 2026.

Non-compliance with Article 50 is subject to administrative fines under Article 99(4): up to EUR 15 million or, if the offender is an undertaking, up to 3% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

The Code of Practice on Transparency of AI-Generated Content

The final Code of Practice on Transparency of AI-Generated Content was published on June 10, 2026. It is a voluntary instrument drawn up under Article 50(7): signatories can use adherence to the Code to demonstrate how they meet their Article 50 obligations. Signing is optional, and the Code does not replace or narrow Article 50 itself. Organizations that do not sign remain fully subject to the Article and must show compliance by other means.

The C2PA standard and Encypher's role

C2PA is an open standard for embedded content provenance, governed by the Coalition for Content Provenance and Authenticity, a standards body whose member organizations span technology, media, and hardware companies. C2PA manifests are machine-readable, remain with the content when embedded, and can be verified without an account or a vendor relationship.

Encypher authored Section A.7 of the C2PA 2.3 specification, published January 8, 2026. Section A.7 defines text provenance: how provenance records are embedded in articles, posts, and other unstructured text. Encypher co-chairs the C2PA Text Provenance Task Force. Encypher is C2PA conformant and trusted in all four program categories: Generator, Validator, Certificate Authority, and Time Stamp Authority (passed June 30, 2026).

What Encypher provides: infrastructure to sign, embed, and verify C2PA provenance records across 44 media types, including text.

Primary sources

Related resources on this site

How to cite this brief: Encypher, "Machine-readable marking under EU AI Act Article 50: a plain-language brief," July 2026, encypher.com/policy/article-50-brief.

This brief is informational and is not legal advice. Whether and how Article 50 applies depends on your systems and your role. Verify against the text of Regulation (EU) 2024/1689 and the final Code of Practice, and consult your counsel.

Policy inquiries: (subject line: Policy).

More policy briefs

Published July 2026.