EU AI Act Article 50 Compliance Checklist: Every Duty, Deadline and Fix

If your product generates images, text, audio or video with AI and you have users in the European Union, Article 50 of the EU AI Act applies to you from 2 August 2026. This guide translates the regulation — and the European Commission's draft Guidelines and draft Code of Practice published in 2026 — into a checklist an engineering team can execute.

1. Who Article 50 actually applies to

The most expensive misunderstanding in this entire regulation is one sentence long: "We just use the OpenAI API, so this is OpenAI's problem."

It isn't. Under the AI Act, the entity that places an AI system on the market under its own name is a provider — and a SaaS product with an integrated generation feature is exactly that. Article 50(2) puts the marking obligation on the provider of the AI system, which is your product, not the underlying model.

The Commission's draft Guidelines (May 2026) do allow downstream providers to rely on marking implemented upstream — by the model provider or by a third-party solution — but only where that marking is actually effective when content reaches your users. As we'll see in section 5, that condition fails far more often than teams expect.

2. The four transparency duties, in plain language

Most product teams are surprised to learn these are cumulative: a single product can owe duties under several paragraphs at once. An avatar-video tool, for instance, typically engages 50(1), 50(2) and — through its customers — 50(4).

3. The two deadlines

• 2 August 2026 — Article 50 applies. AI systems placed on the market from this date must comply immediately.
• 2 December 2026 — grace deadline for the marking duty only (Art. 50(2)) for generative AI systems already on the market before 2 August 2026. The other three duties get no transition period.

4. What counts as machine-readable marking

The draft Code of Practice names three families of acceptable techniques, which may be used alone or combined:

• Metadata identification — embedding provenance data in the file. C2PA Content Credentials (now ISO/IEC 22144) are the example the Commission's documents treat as satisfying all four legal criteria: effective, interoperable, robust and reliable.
• Watermarking — imperceptible signal embedded in the content itself (e.g. SynthID for images).
• Cryptographic methods — signed provenance attestations.

Two common wrong answers: a visible "AI-generated" label (that addresses 50(4), not 50(2)), and "our model provider handles it" (only valid if the marking survives your delivery pipeline).

Text is the hard case: there is no C2PA for plain text, and watermarking text robustly remains unsolved. The draft guidance acknowledges feasibility limits — but expects providers to implement what is technically feasible and document their reasoning. "We never assessed it" is the indefensible position.

5. The pipeline trap

Here is the failure mode we see most often, and the reason a team can be non-compliant without making a single bad decision:

1. Your model provider (say, DALL-E via API) embeds a C2PA manifest in every generated image. So far, compliant.
2. Your backend downloads the image and resizes it for your layout. Most image libraries write a brand-new file. The manifest is gone.
3. Your CDN re-encodes it to WebP for performance. Any surviving metadata is gone again.
4. The image reaches your user with no marking whatsoever. Under Article 50(2), as the system provider, the gap is yours.

Thumbnails, crops, compression, format conversion, social-media re-upload — every one of these steps strips metadata by default. If your product post-processes generated media in any way, assume your upstream marking is destroyed until you have verified otherwise.

6. The complete Article 50 checklist

Scope and inventory

• List every feature that generates or modifies content with AI (including "minor" ones: avatars, summaries, smart replies).
• Determine your role per feature: provider (your name on the system) or deployer (using someone else's system).
• Confirm EU nexus: EU users, EU customers, or EU enterprise prospects with AI Act procurement clauses.

Marking (Art. 50(2))

• Identify what marking your model providers embed at generation time, per output type.
• Trace each output pipeline end-to-end and verify the marking survives to the user (the step almost everyone skips).
• Where marking is destroyed or absent, implement re-marking before delivery (C2PA manifest insertion is the best-documented path).
• For text outputs, document a feasibility assessment — what you implemented, what wasn't technically feasible, and why.

Disclosure and labelling (Art. 50(1), (4))

• Add clear AI-interaction disclosure to chatbots and voice features.
• Add visible labelling for realistic generated depictions of people, places or events.
• If customers publish content made with your tool, give them labelling controls and document that you did.

Evidence

• Keep a dated record of every assessment and fix — diligence documented early is your cheapest legal asset.
• Re-check against the final Code of Practice (expected mid-2026) and the final Guidelines.

7. Penalties, and what enforcement will really look like

Article 99 sets fines for transparency violations at up to €15 million or 3% of global annual turnover, whichever is higher, with reduced caps for SMEs under the simplified regime. Honest context: many member states' enforcement authorities are still being stood up, and regulators will move gradually.

But two forces move faster than regulators. Enterprise procurement — AI Act compliance clauses are already appearing in vendor questionnaires, and "we haven't assessed it" loses deals today. And competition — the first product in your category that can say "Article 50 compliant" will say it loudly. The deadline that matters commercially arrives before the legal one.