Draft guidance has a particular quality that makes compliance planning easier than it should be: it lets teams defer hard decisions. There’s always the possibility the final document will change something important. That quality expired on June 10, 2026, when the European AI Office published the final Code of Practice on Transparency of AI-Generated Content. What’s in the document now is what Article 50 compliance looks like in practice, not what it might look like.
This deep-dive doesn’t cover what Article 50 requires at the provision level. Prior coverage has addressed that. The question this piece answers is more specific: what does the shift from draft to final mean for compliance teams that have already been planning, and what does the Code add to the picture that wasn’t settled before?
What “Final” Actually Changes
The finalization event matters because it closes the interpretation gap. During the consultation period, organizations had two legitimate planning strategies: build to the draft requirements and accept some rework risk, or wait for the final document and compress their implementation timeline. Both were defensible in March. Neither is a good strategy in June with August 2 on the calendar.
The final Code resolves the approach question on machine-readable marking. It requires techniques that prioritize combining C2PA-aligned digitally-signed metadata with imperceptible watermarking, according to the published guidance. “Prioritizes combining” is the operative phrase, this isn’t a menu of equivalent options where teams can pick the easiest one. Organizations that built their plans around metadata-only approaches or watermarking-only implementations need to assess whether their technical architecture satisfies both components of the preferred approach or has a documented rationale for deviation.
That’s a non-trivial compliance question. C2PA implementation requires tooling, credential management, and content provenance workflow changes. Watermarking requires either licensing a third-party watermarking solution or building one. Neither is a configuration switch. For teams that haven’t started, six weeks is a tight window. For teams already in implementation, the finalization event is a signal to validate their approach against the final document rather than the draft they started from.
The Voluntary/Binding Distinction, What It Actually Means for Compliance Posture
The Code is voluntary to sign. Article 50 is not voluntary to comply with. This distinction creates three distinct compliance postures, and organizations need to know which one they’re in.
Posture 1: In-scope, non-signatory. Article 50 applies. The Code doesn’t bind you, but it establishes the technical standard the AI Office has endorsed. An organization in this posture that implements something meaningfully different from the Code’s approach may face scrutiny about whether their approach satisfies the Article 50 requirement. This is the riskiest posture for teams that haven’t engaged with the Code at all.
Posture 2: In-scope, signatory. Article 50 applies. The Code also applies as a voluntary commitment. Two deadlines govern: August 2 for Article 50 compliance, and February 2, 2027 for the Code’s interoperability implementation requirement. Signing creates the interoperability obligation; it doesn’t change the August 2 date. The upside is that the Code provides a safe harbor pathway, documented Code compliance is likely to be the clearest demonstration of Article 50 compliance in an enforcement scenario.
Article 50 Pre-August 2 Compliance Checklist
- Confirm scope: does your system qualify as in-scope under Article 50?
- Validate plans against final Code text (not prior draft guidance)
- Assess C2PA metadata implementation: tooling, credential management, provenance workflow
- Assess watermarking implementation: third-party solution or in-house build
- Make signatory decision before July list publication
- Document scope and compliance rationale for enforcement record
The Compliance Planning Shift: Draft vs. Final
Posture 3: Out of scope. Neither applies. The scoping questions here, whether a system qualifies as a “general-purpose AI system” under Article 3, and whether the deployer qualifies as a “professional deployer”, are legal questions that require jurisdiction-specific analysis. Teams that haven’t formally confirmed their scope status should treat this as an urgent item before August 2.
The Signatories Question
OpenAI has stated its commitment to sign the Code, according to the company’s global affairs communications. The company’s pattern supports the claim: it was reportedly the first US company to sign the EU’s General-Purpose AI Code of Practice in 2025, and it’s a C2PA steering committee member. But the competitive significance of signatory status won’t be visible until the European AI Office publishes the first official signatory list in July 2026.
That list matters for reasons beyond individual compliance. It makes visible which organizations have publicly committed to the Code’s technical approach, and which haven’t. For enterprise customers and deployers evaluating AI providers for EU-facing applications, the signatory list becomes a vendor qualification input. For non-signatories, the list creates a comparison point. The voluntary structure of the Code means non-signatories haven’t violated anything. But the reputational calculus shifts once names are public.
The July list is also the first opportunity to see whether the Code has achieved critical mass among major generative AI providers or whether it remains a partial commitment with significant holdouts. That distinction will shape how the AI Office treats the Code in enforcement conversations, a Code with broad industry adoption is a different instrument than one with selective participation.
The Two-Deadline Compliance Map
August 2, 2026 and February 2, 2027 serve different compliance functions and apply to different populations.
August 2 is the Article 50 effective date. It applies to all in-scope providers and professional deployers regardless of Code signatory status. The core requirements: AI-generated content must be labeled in a machine-readable format, deep fakes require specific disclosure, and chatbot interactions require disclosure that the user is interacting with an AI system. These aren’t new requirements in the sense that Article 50 has been law, they’re newly enforceable.
February 2, 2027 is the Code’s interoperability deadline. It applies only to signatories. By that date, signatories must implement at least one publicly available interoperable solution for watermark and metadata detection. The “publicly available” and “interoperable” requirements are specific: the solution must work across systems, not just within a single provider’s ecosystem. This is the requirement that demands the most technical coordination, and the one where the Code’s network effect matters. Interoperability works better when more providers participate.
Warning
Most compliance teams will focus the next 51 days on technical implementation and underinvest in scope documentation and compliance record-building. Enforcement conversations don't begin with a watermark audit, they begin with a documentation review. The technical output and the paper trail need to advance together.
What Compliance Teams Must Do Differently Now
Three actions that should be on the immediate compliance agenda.
First, validate existing Article 50 plans against the final Code text, not prior drafts. The finalization event is the trigger for a gap check. Any plan built before June 10 was built against guidance the AI Office could still change. That’s no longer true.
Second, make the signatory decision before the July list. The Code’s voluntary structure means the decision doesn’t have a legal deadline. But deciding after the July list is published means deciding in a different competitive environment, one where peer companies’ choices are already public. Organizations that want to sign should move before July so they appear on the first list; organizations that have decided not to sign should document their Article 50 compliance rationale before July so they’re prepared for the comparison.
Third, confirm scope. The August 2 date focuses attention on implementation, but scope is the predicate question. An organization that hasn’t formally confirmed it’s in scope can’t know whether its August 2 posture is adequate. Given that Article 99 fine exposure is reported at up to €15 million or 3% of global annual turnover, verify against Article 99 of the EU AI Act text before treating that figure as confirmed, scope misclassification is a material risk.
The catch is that most organizations will spend the next 51 days on technical implementation and underinvest in scope documentation. Enforcement conversations don’t begin with “show me your watermark.” They begin with “demonstrate that you understood your obligations.” The compliance record matters as much as the technical output. Start building it now.