AI-Generated Content in the European Union: What the Adherence to Code of Practice Means for Article 50 Compliance—Special Focus on Luxembourg's Financial Sector
With Article 50 of the EU AI Act1 transparency obligations taking full effect on 2 August 2026, the European AI Office’s finalized the Code of Practice on Transparency of AI-Generated Content2 (the Code), which reshapes how providers and deployers across the European Union—including Luxembourg’s financial sector—must mark, disclose, and detect AI-generated content.
The Code’s Section 1 covers providers of generative AI systems; Section 2 covers deployers of AI systems that generate or manipulate deepfakes or text published with the purpose of informing the public on matters of public interest. The Code makes significant structural changes to the first draft published in December 2025, including: (i) several previously mandatory measures are now optional, (ii) marking flexibility is expanded, (iii) a finalized EU icon is introduced, and (iv) a concrete interoperability deadline of 2 February 2027 is set. Adherence to the Code by providers and deployers serves as a guiding (although not conclusive) document for (i) demonstrating compliance with Article 50(2) and (5) EU AI Act obligations, and (ii) reducing administrative burden and giving predictability, legal certainty, and trust across all EU member states. Providers and deployers falling within the scope of Article 50 EU AI Act transparency obligations should assess their position now and are encouraged to become signatories of the Code.
Interaction With EU AI Act Transparency Obligations
The Code operationalizes Article 50 of the EU AI Act, which imposes transparency obligations on two distinct actors.
First, providers of AI systems that generate synthetic audio, image, video, or text output must ensure those outputs are marked in a machine-readable format and detectable as artificially generated or manipulated.
Second, deployers must disclose to natural persons that they are interacting with an AI system where this is not evident from context. Where deployers use AI to generate deepfake content, they must label it as such. Finally, deployers that generate text published with the purpose of informing the public on matters of public interest must disclose the artificial origin of that text, unless the content has undergone human review and a natural or legal person holds editorial responsibility for the publication.
Adherence to the Code serves as a guiding reference for compliance with these Article 50(2) and (5) EU AI Act obligations and provides a structured basis for engagement with market surveillance authorities, but it does not in itself constitute conclusive evidence of conformity. Nonsignatories remain bound by the same statutory obligations and must demonstrate compliance through alternative means.
Key Changes From The First Draft: How These Translate Into Obligations for Signatories
Marking Flexibility Expanded
The Code introduces proportionate carve-outs: A single layer of marking suffices for AI systems embedded in physically controlled, closed environments, as well as for free-form text that cannot transport metadata. In the first draft,3 a strict multilayered approach was mandatory across the board. In the future, signatories may also demonstrate compliance through alternative or single marking techniques, provided they can prove equivalent levels of robustness, reliability, effectiveness, and interoperability to market surveillance authorities.
Several Measures Made Optional
Key items demoted from mandatory to optional in the Code include: (i) transparency of provenance information, (ii) functionality for perceptible markings, and (iii) forensic detection mechanisms, which are explicitly acknowledged as not yet mature enough to meet Article 50(2) EU AI Act quality requirements.
EU Icon Finalized
The first draft proposed only interim “AI/KI/IA” acronym solutions. An EU icon following the design specifications for visual disclosure is publicly available for everyone to use freely. The icon will comprise, as the main visual element, the capitalized acronym “AI” in English, unless use of English is incompatible with applicable national laws on the use of languages in commercial or administrative matters, in which case the acronym may be disclosed in the national language.
Concrete Interoperability Deadline
Signatories must implement an interoperability solution for watermark detection mechanisms by 2 February 2027, choosing from four specified pathways, including standardized application programming interface methods, signpost solutions, or shared consortium detection solutions.
New Privacy Protections for Detection
The Code introduces a detailed new sub-measure absent from the first draft: Content submitted for detection must be stored only for the duration of detection and permanently deleted immediately thereafter (known as “zero retention”), with only minimal traffic logs retained.
The above translate into the following obligations for signatories:
- Generative AI providers: They must implement at minimum: (i) digitally signed metadata and imperceptible watermarking (or prove an equivalent single-technique alternative), (ii) a publicly accessible detection solution, and (iii) a compliance process proportionate to their size.
- General-purpose AI model providers: They are encouraged to implement marking at model level to facilitate downstream compliance, though this is not strictly mandatory under the Code.
- Deployers: They must disclose deepfakes and AI-generated published text using the EU icon or an equivalent compliant label, and they must implement internal compliance processes and awareness training.
Impact on Financial Market Participants
Given the uncertainty in the interpretation of “matters of public interest,” financial market participants who, as deployers, use generative AI to produce publicly available communications and reports that may attract public interest (e.g., macroeconomic outlooks; sector reports; commentary on market conditions; environmental, social, and governance reports) will need to (i) determine whether disclosure obligations under Article 50 of the EU AI Act are triggered, and (ii) assess whether such use of generative AI would justify adherence to the Code with a view to enhance regulatory compliance. The Code also permits firms to integrate the EU icon into existing disclosure frameworks under sectoral EU financial legislation rather than building parallel processes, and it encourages industry associations to develop coordinated, sector-specific good practices. To offer a different angle, the European Securities and Markets Authority (ESMA) interestingly considered in its supervisory briefing4 that in the context of AI used in algorithmic trading, Article 50 EU AI Act requirements may be triggered for both providers and deployers of AI systems.
With Article 50 obligations applying in full from 2 August 2026, financial market participants that act as deployers are encouraged to act promptly. Our Investment Funds practice group and Finance practice team advises financial market participants on Luxembourg fund law and the EU AI Act regulatory framework.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.