EU AI Act Article 50: August 2 Watermarking Deadline for Devs

August 2 is 54 days away. On that date, EU AI Act Article 50 becomes enforceable — and if your app generates, displays, or distributes AI-generated images, video, audio, or text to users in the EU, you need machine-readable watermarks and visible disclosures in place. Fines reach €15 million or 3% of global annual turnover, whichever stings more. Most developers building on OpenAI or Google are further along than they realize. Most are also less compliant than they assume. Here is what is actually required and what you still need to do.

Provider vs. Deployer: The Gap That Will Bite You

The most dangerous assumption in developer circles right now is: “I use OpenAI, they’re compliant, so I’m fine.” Half right.

OpenAI and Google have already done the provider work. Since May 2026, images generated through ChatGPT, the OpenAI API, and Google Imagen embed both C2PA metadata (a cryptographically signed provenance manifest) and a SynthID watermark (an imperceptible pixel-level signal). That covers the provider layer of Article 50 — the obligation to mark AI-generated content at the point of creation.

But Article 50 creates a second, separate set of obligations for deployers — anyone using AI APIs to build a product. You are a deployer. Your obligations are:

• Display a visible “AI-generated” disclosure to users in your UI before or alongside the content
• Preserve the watermarks — do not run outputs through pipelines that destroy SynthID’s pixel-level signal
• Implement the EU common icon or an equivalent clear disclaimer
• Maintain compliance documentation for at least three years

The API provider cannot display a badge in your app. That part is on you.

No Single Technique Is Enough

The EU’s draft Code of Practice on AI-Generated Content Transparency is explicit: “no single active marking technique suffices.” The regulation mandates a layered approach, and understanding what each layer does matters for implementation.

C2PA metadata is a cryptographically signed manifest baked into the file (JPEG, PNG, MP4). It is tamper-evident — you can tell if it was stripped — but it can be stripped. Careless processing pipelines will remove it. OpenAI and Google already attach C2PA to their outputs.

Imperceptible watermarking (SynthID from Google DeepMind, now also used by OpenAI, Nvidia, and ElevenLabs) works differently. It makes micro-adjustments to pixels that survive cropping, compression, and format conversion. Unlike metadata, it cannot be removed simply by saving the file in a different format. It is a durable fingerprint baked into the pixels themselves.

Fingerprinting — hash-based content identifiers for tracking — rounds out the required stack. Less commonly discussed but part of the mandate.

If you are using OpenAI or Google generation APIs, layers one and two are handled at source. The UI disclosure, watermark preservation, and documentation remain your responsibility.

Two Deadlines, Not One

The AI Omnibus agreement from May 2026 introduced a grace period that many developers have heard about but half-understand:

• August 2, 2026: New AI systems going to market must comply from day one
• December 2, 2026: AI systems already live before August 2 get additional time

The grace period only applies if your AI-generation feature is already live today. If you are launching a new AI generation feature after August 2 — a new image creator, a new AI video tool, a new chatbot — there is no grace period. Compliance is required from launch.

Scope Is Broader Than Deepfakes

Many developers assume Article 50 is a deepfake law. It is not exclusively. The scope covers AI-generated images, video, and audio; AI chatbots (users must know they are talking to an AI); AI-generated text published to inform the public on matters of public interest; and deepfakes, which carry additional disclosure obligations on deployers.

There are exceptions. Artistic, satirical, and fictional works have a lighter disclosure requirement. Human editorial oversight exempts some AI-assisted text. Clearly fantastical content falls outside the deepfake definition. What the exceptions do not cover: commercial products generating AI content for end users, SaaS tools producing AI output for customers, apps with AI image or video generation features. If that describes your product, the full Article 50 obligations apply.

What to Actually Do in the Next 54 Days

For teams building on OpenAI or Google, the path is shorter than it looks:

1. Verify your generation pipeline returns C2PA-signed output. For OpenAI API, images.generate now embeds C2PA by default. Confirm at openai.com/verify. For Google, check your Vertex AI or Gemini API response metadata.
2. Add UI disclosure. An “AI Generated” label visible to end users before or alongside the content. Clear text is acceptable now; the EU common icon is coming.
3. Audit your image processing pipeline. Aggressive compression, format conversion, or pixel manipulation can destroy SynthID’s signal. Identify any post-processing steps that might strip watermarks.
4. For custom generation stacks not using OpenAI or Google: integrate c2pa-rs (Rust) or the Python bindings to sign outputs. Add a SynthID-compatible watermarking library at the generation step.
5. Document everything. Your provider, your disclosure implementation, your processing pipeline. Keep records for three years. Under the broader EU AI Act developer documentation requirements, this is a separate obligation from Article 50 itself.

Verify what you have built using the Content Credentials Verify tool — it reads C2PA manifests from any file you upload and shows what provenance data is present or absent. The full text of Article 50 is worth reading directly; it is shorter and clearer than most legal commentary suggests.

54 days is enough time to get this right. It is not enough time to assume someone else handled it.