On June 10, 2026, the European Commission published a Code of Practice on marking and labeling of AI-generated content (the Code) following a public consultation that took place last year. The Code is divided into two sections:
Background
The European Union’s Artificial Intelligence Act (EU AI Act) sets out a series of transparency obligations for AI systems. The Code is a voluntary set of measures published by the EU Commission’s AI Office, which allow providers and deployers who are signatories to the Code to demonstrate compliance with these obligations. Complying with the Code will create a presumption of compliance. Companies can adopt an alternative approach to the transparency obligations, but they will bear the burden of showing they achieve equivalent compliance.
On May 8, 2026, the EU Commission released draft guidelines on the implementation of the EU AI Act’s transparency obligations. These draft guidelines discuss a wider set of obligations and focus on the scope of transparency obligations, whereas the Code details the methods companies can implement to comply with these obligations.
Provenance Requirements for Generative AI Systems
Mandatory Marking. The AI Act requires providers to implement a machine-readable marking on AI-generated audio, image, video, and text. The Code acknowledges that, under the current state of the art, there is no single solution that can provide sufficient reliability. The Code indicates that in most cases signatories will need to implement a multi-layered marking approach including at least two methods. The Code describes the following methods:
The Code lists fingerprinting or logging as an optional third method that signatories could implement in addition to the above. Fingerprinting reduces content to a condensed digital descriptor (similar to a hash) that can later be checked against previously generated content, even if the content has since been altered. Logging, by contrast, requires recording each instance of content generation to maintain a record of the content that was generated by the AI system’s output. The Code notes these measures must be implemented in a secure and privacy-preserving manner, although it does not explain in detail how these measures should operate in practice.
Detection Solutions. Providers must make available a detection solution enabling deployers, end-users, competent authorities, and other stakeholders to verify whether content has been generated or manipulated by their AI system. Key requirements include:
Quality Requirements. Providers must ensure that both their marking and detection solutions satisfy the following key requirements:
Providers may satisfy these requirements through third-party or upstream model-level marking solutions, while retaining ultimate responsibility for compliance. This means that in many cases, companies that market AI systems based on third-party AI models will need to seek assistance from their vendors to be technically able to comply with these rules.
AI systems placed on the market after August 2, 2026, must comply from the time they are placed on the market. Systems already on the market before that date have until December 2, 2026, to comply (a deadline extended from August 2026 by the recent amendments to the EU AI Act adopted via the AI Omnibus Regulation—see our client alert here).
Key Requirements for Deployers of AI Systems
Mandatory disclosure of deepfakes and AI-generated published text. Subject to limited exceptions, users of generative AI tools must disclose the artificial origin of:
The Code introduces a publicly available EU icon as the primary disclosure mechanism. Deployers may alternatively use equivalent labels complying with the Code’s design and placement specifications. For instance, these alternative labels must feature the capitalized acronym “AI” and be immediately perceivable without user interaction. Labels must appear at the beginning of and at regular intervals throughout videos, above or near the headline of published text, and alongside a plain-language disclaimer at the beginning of audio outputs.
Companies are also encouraged to include a second interactive layer providing additional information on the type and extent of AI involvement (e.g., text next to a deepfake picture disclosing that a face has been altered by AI).
Deployers must maintain documentation of how they implement disclosure obligations and put in place processes to verify correct labeling, proportionate to their size and resources. Deployers are encouraged to provide feedback channels for flagging mislabeled content and to cooperate with competent authorities. These obligations will apply from August 2, 2026.
Next Steps
The transparency requirements come into effect on a staggered basis. These deadlines set concrete milestones for a broad range of companies. Recommended actions include:
Non-compliance with EU AI Act transparency requirements can result in enforcement action under the EU AI Act’s supervisory framework, including requests for information, fines, and corrective orders.
For more information or if you have any questions regarding the EU AI Act, please contact Laura De Boel, Cédric Burton, Yann Padova, or Nikolaos Theodorakis from Wilson Sonsini’s Data, Privacy, and Cybersecurity practice.
Wilson Sonsini’s AI Working Group assists clients with AI-related matters. Please contact Laura De Boel, Maneesha Mithal, Manja Sachet, or Scott McKinney for more information.
Roberto Yunquera Sehwani, Karol Piwonski, Hugh Ó Laoide Kelly, and María Rodríguez Hernández contributed to the preparation of this alert.