A Voluntary Framework With a Hard Deadline Behind It
On June 10, 2026, the European Commission published the final Code of Practice on Transparency of AI-Generated Content, closing a nine-month multi-stakeholder drafting process that began in September 2025 and involved more than 187 participants from industry, academia, civil society, rightsholders, and EU member states. The code is voluntary in form but arrives seven weeks before August 2, 2026, the date on which Article 50 of the EU AI Act makes synthetic content marking and deepfake disclosure legally mandatory. Companies that sign before the July 22 deadline (18:00 CEST) are placed on an initial signatories list and can rely on the code to demonstrate compliance — a 'presumption of conformity' that provides meaningful legal certainty across all 27 member states.
The question worth asking is not whether this framework exists, but whether it will hold under the weight of a deepfake threat that has already proved costly. According to the 2025 Deepfake Threat Report from Resemble AI, 1,567 unique verified deepfake incidents generated 296.4 billion combined media impressions in 2025, with documented fraud losses exceeding $1.28 billion across 330 incidents — and the report estimates that more than 80 percent of incidents disclosed no financial damage at all, suggesting the real figure is substantially higher.
What the Code Actually Requires
The code's technical architecture is its strongest feature. Rather than mandating a single proprietary watermarking approach, it establishes a two-layer minimum: digitally signed provenance metadata aligned in practice with the C2PA (Coalition for Content Provenance and Authenticity) specification, combined with imperceptible watermarking embedded directly into pixels, audio samples, or text tokens. This dual-layer requirement reflects a genuine technical insight — metadata alone can be stripped by simple file conversion, while pure watermarking is susceptible to compression attacks. Neither layer is sufficient on its own.
Format-specific disclosure requirements are similarly practical. For video, persistent visible icons and opening disclaimers apply. Images require clearly visible fixed labels. Audio content must carry audible disclaimers, repeated for longer-form content. Deployers using AI to generate deepfakes — defined in the AI Act as content that 'resembles existing persons, objects, places, entities or events and would falsely appear to a person to be authentic' — must ensure disclosure 'at the latest at the moment of first exposure.' Private individuals generating content for personal use face no labeling obligation, a proportionate carve-out that avoids overreach.
Non-compliance with Article 50 carries fines of up to €15 million or 3 percent of global annual turnover, whichever is higher, under Article 99 of the AI Act — penalties comparable in scale to the GDPR's enforcement ceiling for many violations.
The Strongest Case for This Approach
The Commission's decision to lead with a voluntary code before binding enforcement is defensible on its merits. Transparency obligations for AI-generated content are novel territory; forcing premature technical mandates before standards mature risks locking in approaches that become obsolete or that smaller providers cannot implement. The C2PA standard, which already has backing from Adobe, Microsoft, OpenAI, Sony, and the Associated Press among others, was not picked arbitrarily — it reflects where industry was already converging. Codifying it through a multi-stakeholder process that included civil society and rightsholders, rather than through pure industry self-regulation, gives the framework legitimacy the tech sector alone could not provide. The presumption of conformity mechanism is also intelligently designed: it rewards early voluntary compliance while preserving the binding August 2 enforcement deadline as a hard backstop.
Three Gaps That the Code Cannot Paper Over
However, a technically credible framework is not the same as a working one. Three genuine gaps remain.
Detection reliability. The same analysis that informed the code's drafting acknowledges that forensic detection mechanisms 'are not yet considered reliable enough.' Machine-readable marking requires machine-readable detection — and if detection tools cannot reliably surface stripped or degraded watermarks, the enforcement chain breaks before it reaches any regulator or court. The code permits providers to rely on 'internal testing methodologies and evolving industry practices' in the absence of established benchmarks, which is sensible interim guidance but not a resolution.
The artistic works exemption. Article 50 and the code both provide that artistic, satirical, and fictional content is subject to reduced or adapted disclosure obligations. The code acknowledges that 'there is no detailed guidance on what the flexible disclosure regime should look like' in practice. That gap matters because the line between legitimate satire and manipulative political deepfakes is precisely the contested territory where the regulation needs to be clearest.
Illegal content still needs law, not labels. The code explicitly applies only to lawful deepfakes. Non-consensual intimate imagery, fraud via synthetic impersonation, and AI-generated child sexual abuse material must be removed entirely, not labeled. This is correct as far as it goes — but it means the code's practical relevance is limited to a narrower slice of the deepfake threat than the headlines suggest. Effective enforcement of the Digital Services Act and national criminal statutes remains the decisive tool for the most harmful content.
What August 2 Actually Tests
Enforcement of Article 50 after August 2 will fall to national market surveillance authorities under each EU member state — the same fragmented structure that has made GDPR enforcement uneven across jurisdictions. The code provides a compliance pathway; it does not create harmonized enforcement capacity. Companies that sign by July 22 gain legal certainty; companies that do not sign still face binding obligations from August 2 but without the structured presumption of conformity, and without any clarity on which national authority will be first to act.
For providers with EU market exposure, the calculus is straightforward: signing the code costs little beyond the implementation work that Article 50 already compels, and it substantially reduces enforcement exposure and litigation risk. The framework is reasonable, technically grounded, and better-designed than most first-generation AI regulation. Whether it changes the deepfake landscape in any material way depends on what happens in Brussels, Berlin, and Warsaw after the deadline — not before it.