Article 50 has had an enforcement date for months. What it didn’t have was content.
The EU’s Code of Practice on Transparency of AI-Generated Content, published June 28, 2026,
changes that. It translates the transparency obligations that Article 50 established in
principle into specific technical and operational requirements: a watermarking threshold, a
named visual standard, an access framework for third-party detection, and a two-tier
deadline structure that runs from August 2, 2026 through February 2, 2027. Compliance
teams that treated Article 50 as a future problem now have five weeks to the first
deadline.
This deep-dive answers a different question than the daily brief: not what was published,
but what a compliance team actually has to build before each deadline, and where the Code
itself acknowledges it hasn’t finished the job.
—
What the Code requires of providers vs. deployers
The Code draws a clean structural line. Providers of generative AI systems carry the
technical obligations. Deployers, the businesses and platforms that integrate and publish
AI outputs, carry the labeling and disclosure obligations. Both groups face August 2, but
the work looks different.
Provider obligations before August 2:
Watermarking. For free-form text exceeding 200 tokens, watermarking is mandatory. That
threshold, roughly 150 words, will be the most operationally consequential line in the
Code for most GenAI product teams. AI outputs that stay under 200 tokens are exempt. Those
above it aren’t. If a provider’s product generates summaries, drafts, or completions that
routinely cross that line, the product needs watermarking infrastructure before August 2.
Detection access. According to Pearl Cohen’s analysis of the Code, providers must offer
detection solutions, APIs or standalone software, free of charge to regulators,
fact-checkers, and civil society organizations. The access architecture here matters: this
isn’t a best-effort gesture. It’s an obligation to make working detection infrastructure
available to external parties before the August deadline. Providers who haven’t already
built detection tooling will find this requirement more demanding than the watermarking
threshold.
Deployer obligations before August 2:
The EU icon. Deployers publishing deepfakes or AI-generated text intended to inform the
public on matters of public interest must apply a standardized EU icon featuring the “AI”
acronym at first interaction. The European Commission’s digital strategy portal
confirms the icon set is available now. This is a visible, auditable requirement, the kind
that generates enforcement signals quickly when missed, because the absence of the icon is
observable without technical investigation.
—
The 200-token line: what it means technically
Two hundred tokens isn’t a natural editorial unit. It doesn’t map cleanly to “a
paragraph” or “a short article.” In standard tokenization for large language models, 200
tokens translates to approximately 150 words in English, though that varies by model and
language.
The practical implication: a lot of AI-assisted content sits right at that boundary. Short
product descriptions, social media drafts, and automated email copy often fall in the
100-300 token range. Providers can’t assume their typical outputs are safely below the
threshold without actually measuring them.
What watermarking means technically is also underspecified in the Code. C2PA (Coalition for
Content Provenance and Authenticity) metadata standards are the most widely discussed
approach, but the Code doesn’t mandate a specific implementation. That flexibility is
useful for providers with existing infrastructure, and genuinely difficult for those
building from scratch in five weeks.
August 2 Readiness Checklist
- Map all product outputs against the 200-token watermarking threshold
- Implement watermarking infrastructure for outputs above threshold
- Build and document detection API access for regulators, fact-checkers, civil society
- Apply EU icon to qualifying deployer-facing surfaces
- Update privacy notices and terms of service to reflect Article 50 obligations
Unanswered Questions
- How does the 200-token threshold apply when AI output is substantially edited by a human before publication?
- What's the usability standard for 'free' detection APIs, is a rate-limited or poorly documented API compliant?
- What happens if CEN-CENELEC specifications aren't finalized before the February 2, 2027 deadline?
- Does the Code's detection access obligation extend to open-source model providers?
The Code acknowledges a reliability challenge: watermarking shorter texts is harder to do
without detectable degradation. This is documented technically in existing research on
text-based watermarking, signal-to-noise ratios degrade as text length shrinks. The 200-
token floor partly reflects this constraint.
—
The February 2027 gap: building to an unfinished standard
The second deadline is the harder planning problem.
According to multiple analyses of the published Code, providers must implement interoperable
detection standards by February 2, 2027. The intent is that detection mechanisms across
providers should work together, a fact-checker using one tool should be able to verify
content produced by any compliant system, regardless of which provider generated it.
The problem: technical specifications for those interoperability standards are reportedly
still under development by CEN-CENELEC, the European standardization bodies responsible
for producing the technical norms the EU AI Act depends on. Providers are expected to
implement a standard that hasn’t been finalized.
That isn’t unusual in EU regulatory implementation, the gap between a regulatory deadline
and the readiness of underlying technical standards is a recurring feature of EU
technology law. But it creates a real choice: build now toward the most likely standard
(C2PA-adjacent metadata interoperability) and accept revision risk, or wait for finality
and compress the implementation window.
The real question is which risk is larger for a given provider. For large providers with
dedicated compliance engineering capacity, building early and adjusting is manageable. For
smaller providers with limited technical resources, waiting for the final spec before
committing engineering effort has real logic, even if it means a tighter runway.
—
The free detection access requirement: what it means for civil society
The access obligation for regulators, fact-checkers, and civil society deserves more
attention than it typically receives in Code coverage.
If providers must deliver working detection APIs to these groups free of charge, that’s not
just a compliance checkbox. It creates an external auditing infrastructure that providers
have no direct control over. Fact-checking organizations and civil society groups will have
the technical means to test whether provider watermarking is functioning, and to publish
their findings. The Code effectively deputizes these organizations as informal enforcement
partners.
Providers who build detection APIs that are technically compliant but practically unusable
– poor documentation, rate-limited to the point of dysfunction, or requiring complex
integration, will face scrutiny. The “free of charge” requirement is confirmed in Pearl
Cohen’s analysis; the usability standard isn’t specified, which means it’ll be contested.
Warning
The free detection access requirement creates an external enforcement layer that doesn't depend on EU regulators. Fact-checking organizations and civil society groups with detection API access can surface non-compliance publicly before any formal enforcement action. For providers, this means reputational risk from civil society findings may arrive before any formal enforcement timeline.
What to Watch
—
Compliance calendar: what to do before each deadline
August 2, 2026, 35 days:
– Map all product outputs against the 200-token threshold. Categorize by output type and
typical length. – Implement watermarking infrastructure for outputs above the threshold. – Build and document detection API access for designated third parties. – Apply the EU icon to all qualifying deployer-facing surfaces. – Update privacy notices and terms of service to reflect Article 50 obligations.
February 2, 2027, approximately 7 months:
– Monitor CEN-CENELEC standardization outputs for the interoperability specification. – Assess C2PA implementation as the baseline interoperability architecture. – Build or procure interoperability-capable detection infrastructure. – Test detection mechanism interoperability against other compliant providers where possible.
—
TJS synthesis
The Code of Practice is the EU AI Act’s transparency chapter moving from legislation to
engineering specification. The August 2 deadline is real and near. The February 2027
deadline is real and structurally complicated. Compliance teams that understand both
clearly, the concrete August requirements and the deliberately ambiguous February
requirements, are positioned to make better resource allocation decisions than those
treating the whole Code as a single deadline event.
The non-obvious downstream consequence worth tracking: the free detection access
requirement, combined with the external verification infrastructure it creates, means that
Article 50 enforcement won’t depend entirely on EU regulators. Fact-checkers and civil
society organizations with detection API access can surface non-compliance publicly before
any formal enforcement action. The Code’s first enforcement signals are more likely to come
from civil society reporting than from the EU AI Office, and they’ll come faster.