Contents
EU AI Act Article 50, which applies from 2 August 2026, places two transparency duties on AI-generated content: providers must mark synthetic audio, image, video or text so it is machine-readable and detectable as AI, and deployers must disclose when they publish a deepfake, and a breach can be fined up to 15 million euros or 3 percent of worldwide annual turnover, whichever is higher. It is the part of the AI Act that turns AI labelling from good practice into a legal obligation. This explainer sets out what the article requires, who it binds, what the penalty is, and what it does not solve. It is a practitioner guide, not legal advice.
What Article 50 is, and when it bites
Article 50 is the transparency article of Regulation (EU) 2024/1689, the European Union’s Artificial Intelligence Act, headed “Transparency obligations for providers and deployers of certain AI systems”. The Regulation states that it “should apply from 2 August 2026”, which is the date these obligations start to bite (Regulation (EU) 2024/1689). It splits the transparency duty in two, along the line between who builds the AI system and who publishes its output. The provider is the company whose AI system generates the content, for example an image or audio generator; the deployer is whoever puts that content, specifically a deepfake, in front of people. The provider marks; the deployer discloses.
The provider mandate: machine-readable marking
The provider mandate is the watermarking hook. Article 50(2) requires that “Providers of AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content, shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated” (Regulation (EU) 2024/1689, Article 50). Machine-readable and detectable is exactly what provenance and watermarking standards provide. The article does not name a specific technology, so two candidates fill the gap and they solve different parts of the same problem. C2PA Content Credentials is the strongest fit when the goal is provenance: it stores signed information about origin and edits in a machine-readable manifest. SynthID is the stronger fit when the goal is an invisible watermark that may persist when metadata is lost. That is why a generator or platform may use both, and the technical distinction is drawn in C2PA vs SynthID.
The deployer mandate: disclose deepfakes
The deployer mandate is the human-readable half. Article 50(4) requires that “Deployers of an AI system that generates or manipulates image, audio or video content constituting a deep fake, shall disclose that the content has been artificially generated or manipulated” (Regulation (EU) 2024/1689, Article 50). This is the visible notice a viewer sees, the same job the platform disclosure tools do. YouTube’s altered-content disclosure, TikTok’s AIGC label and Meta’s AI labelling all sit on this visible-disclosure side, even when they are helped by machine-readable metadata underneath. The duty is to tell the audience the content is artificially generated or manipulated, not to prove anything about how it was made.
Provider vs deployer, side by side
| Duty | Who it binds | What they must do | The clause |
|---|---|---|---|
| Marking | Providers, the system that generates the content | mark outputs machine-readable and detectable as AI | Article 50(2) |
| Disclosure | Deployers, whoever publishes a deepfake | disclose that the content is artificially generated or manipulated | Article 50(4) |
| Penalty | Providers or deployers who breach Article 50 | face administrative fines | Article 99(4) |
The penalty
The obligation has teeth. Under Article 99, a breach of the Article 50 transparency obligations is subject to administrative fines of up to 15 million euros or, for a company, up to 3 percent of total worldwide annual turnover for the preceding financial year, whichever is higher (Regulation (EU) 2024/1689, Article 99). The enumerated list of breaches in that tier explicitly includes the “transparency obligations for providers and deployers pursuant to Article 50”. It is worth being precise here: this is not the higher tier of up to 35 million euros or 7 percent that applies only to the Article 5 prohibited-practices breaches. Article 50 sits in the lower penalty band, but 3 percent of worldwide turnover is still a material figure for any sizeable business.
What satisfies it
In practice, satisfying Article 50 is the two-layer job the platforms already implement. The provider side is met by attaching a machine-readable marking such as C2PA Content Credentials or a SynthID watermark to generated output; the deployer side is met by the visible disclosure that platforms already provide. YouTube asks creators to disclose realistic altered or synthetic content in Creator Studio (YouTube), while TikTok reads C2PA Content Credentials to “instantly recognize and label AIGC” (TikTok, 2024) and Meta reads the “AI generated” information in the C2PA and IPTC technical standards to label across its apps (Meta, 2024). That is the Article 50 split in operational form: mark the file, then disclose the publication. The platform-by-platform mechanics are in How to label AI-generated content.
The enforceability caveat
There is a structural weakness worth naming. A machine-readable mark is only as good as its survival, and platforms that re-encode on upload routinely strip or invalidate C2PA as a side effect of ordinary processing, so a mandate to mark output collides with a distribution chain that removes marks. A stripped credential is silent, because a hash has no inverse and the first changed byte invalidates the binding, which is 100 percent invalidation on any real edit (C2PA Specification v2.4). A missing credential is therefore weak evidence: it might mean the file was never marked, or that the mark was lost in transit, treated in Do Content Credentials survive social media or a screenshot? and Can C2PA be removed?. And even an intact mark proves provenance, not truth: “C2PA provides provenance signals, not proof of authenticity” (Golaszewski, Krawetz, Sherman, 2026). Article 50 makes marking and disclosure important, but it does not make a signed file honest, and it does not make an unsigned file fake. None of this is legal advice; for a specific obligation, check the Regulation text and take counsel.
Sources
- Golaszewski, Krawetz, Sherman, et al. (2026). Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short. arXiv:2604.24890.
- European Parliament and Council (2024). Regulation (EU) 2024/1689 (Artificial Intelligence Act), Articles 50 and 99.
- Meta (2024) Labeling AI-Generated Images on Facebook, Instagram and Threads. Available at: https://about.fb.com/news/2024/02/labeling-ai-generated-images-on-facebook-instagram-and-threads/ (Accessed: 3 July 2026).
- TikTok (2024) Partnering with our industry to advance AI transparency and literacy. Available at: https://newsroom.tiktok.com/en-us/partnering-with-our-industry-to-advance-ai-transparency-and-literacy (Accessed: 3 July 2026).
- YouTube (2024) How we’re helping creators disclose altered or synthetic content. Available at: https://blog.youtube/news-and-events/disclosing-ai-generated-content/ (Accessed: 3 July 2026).
- Coalition for Content Provenance and Authenticity (C2PA) (2026) C2PA Technical Specification, version 2.4. Available at: https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html (Accessed: 3 July 2026).