AI transparency code of practice: what the Commission’s adequacy opinion means for UK businesses

In short: the AI transparency code of practice is now the EU-wide route to demonstrating compliance with Articles 50(2), (4) and (5) of the EU AI Act. The European Commission concluded on 8 July 2026 that the code is adequate, and the AI Board agreed on 9 July 2026. Signing is not a safe harbour, and it does not discharge UK GDPR transparency duties.
A UK business whose generative AI output reaches users in the EU now knows where it stands on the AI transparency code of practice: signing is the most direct way to show compliance with the EU’s rules on marking and labelling AI-generated content, but it does not settle the question of compliance. The European Commission concluded in its opinion of 8 July 2026 that the code adequately covers the Article 50 transparency obligations of the EU AI Act, and the AI Board agreed the next day. Both record the same limit: adherence is not conclusive evidence of compliance. The obligations apply from 2 August 2026, and the deadline to join the first list of signatories is 22 July 2026.
What Article 50 requires from 2 August 2026
Article 50(2) of the EU AI Act requires providers of generative AI systems to ensure their outputs are marked in a machine-readable format and detectable as artificially generated or manipulated. Article 50(4) requires deployers to disclose deepfakes and AI-generated or manipulated text published to inform the public on matters of public interest. Article 50(5) requires that disclosure reach the people exposed to the content in a clear and distinguishable manner, no later than the first interaction or exposure. The scope of those obligations, and the Commission’s draft guidelines on them, are set out in AI Act transparency obligations: the EU’s draft guidelines and the UK’s sector duties.
Article 50 also carries two duties the code does not touch: providers of AI systems that interact directly with people must design them so people know they are dealing with AI (Article 50(1)), and deployers of emotion recognition or biometric categorisation systems must inform the people exposed to them (Article 50(3)). The code covers Articles 50(2), (4) and (5) only; the chatbot and emotion-recognition duties are addressed in the Commission’s guidelines, not the code.
Infringements of the Article 50 obligations attract administrative fines of up to 15 million euros or 3% of worldwide annual turnover, whichever is higher, under Article 99(4)(g). The AI Omnibus package, approved by the co-legislators but not yet in application, gives generative AI systems already on the EU market before 2 August 2026 until 2 December 2026 to meet the machine-readable marking obligation. Systems placed on the market from 2 August 2026 must comply from the outset.
An adequacy assessment of the AI transparency code of practice, not an approval
The Commission and the AI Board have assessed the code as adequate; neither step makes it binding, and neither gives it the general validity that an implementing act would confer. Independent experts drew up the Code of Practice on Transparency of AI-generated content in a multi-stakeholder process run by the European AI Office, and the Commission published it on 10 June 2026. Article 50(7) of Regulation (EU) 2024/1689 (the EU AI Act) provides for codes of practice to support the marking and labelling obligations, and cross-refers to Article 56(6), which provides for an adequacy assessment by both the Commission and the AI Board, where the Member States and their market surveillance authorities sit.
In Opinion C(2026) 4839 final of 8 July 2026, the Commission concluded that the code adequately covers the obligations in Articles 50(2), (4) and (5) and facilitates their effective implementation; the AI Board adopted its own conclusion on 9 July 2026. Both bodies record that adherence does not amount to conclusive evidence of compliance, and market surveillance authorities keep their full powers to investigate whether a signatory has actually implemented the commitments. Nor is the assessment permanent: the Commission has reserved the ability to reassess the code as inadequate through its regular monitoring, and the AI Office will consider facilitating updates at least every two years.
How signing the code of practice works
Signing is an administrative step, not a legal one. A provider or deployer completes the Commission’s signatory form, and businesses that submit by 18:00 CET on 22 July 2026 appear on the initial list of signatories, which the Commission will publish before the obligations apply. Signatories then collaborate in Signatory Taskforces, set up to share practices and advance the implementation of marking and labelling.
What a signatory adheres to is the code’s eight commitments, split across two sections. Section 1 commits providers of generative AI systems, including general-purpose AI systems, to machine-readable marking through layered metadata and watermarking, to detection tools for those markings, to the statutory requirement that solutions be effective, interoperable, robust and reliable as far as technically feasible, and to testing and verification. Signatories also commit to minimum interoperability solutions for watermarking detection by 2 February 2027, a checkpoint the AI Board has said it will examine closely.
Section 2 commits deployers to labelling deepfakes and AI-generated or manipulated text published on matters of public interest, using either the EU’s common icons or their own designs meeting the code’s specifications, placed so that disclosure reaches people no later than first exposure. Text that has undergone human review under editorial responsibility falls outside the labelling duty.
The effect of signature is evidential. A signatory can rely on the code’s measures to demonstrate compliance with Articles 50(2), (4) and (5) in every Member State, whatever its place of establishment or competent market surveillance authority. Non-signatories must demonstrate compliance through other adequate means, assessed individually by each national authority, and the Commission has said authorities are likely to ask non-signatories for more detailed information, potentially including a gap analysis against the code. Signature is an adhesion mechanic, not compliance: what discharges Article 50 is implementing the marking, detection and labelling measures, whether under the code or by other adequate means, and a signatory that does not implement the commitments gains nothing from the signature.
Extraterritorial reach and the UK contrast
The EU AI Act applies to providers and deployers established in third countries where the output produced by the AI system is used in the EU, under Article 2(1)(c). A UK provider whose model generates content consumed by EU users is in scope, and so is a UK deployer publishing synthetic content to an EU audience. The Commission’s draft guidelines on the Article 50 transparency obligations, published on 8 May 2026, confirm that reading of the territorial rules.
The UK has taken a different path: the government’s February 2024 response to the AI Regulation White Paper kept the sector-led model, with no standalone AI statute, no dedicated AI regulator, and five cross-sector principles that existing regulators apply within their remits. Nothing in UK law currently requires machine-readable marking or watermarking of AI-generated content across the economy. The result is a gap with commercial consequences: a UK generative AI business serving both markets carries one set of marking and labelling duties in the EU and none at home, with the EU rules applying to it extraterritorially.
| Transparency duty | EU position from 2 August 2026 | UK position |
|---|---|---|
| Machine-readable marking of AI output | Mandatory for providers (Article 50(2) EU AI Act) | No equivalent duty |
| Labelling deepfakes and AI-generated public-interest text | Mandatory for deployers (Article 50(4) EU AI Act) | No general labelling duty |
| Recognised compliance evidence route | AI transparency code of practice, assessed adequate on 8 and 9 July 2026 | Not applicable |
| Transparency about personal data processing | Articles 13 and 14 EU GDPR | Articles 13 and 14 UK GDPR |
| Automated decision safeguards | Article 22 EU GDPR | Articles 22A to 22D UK GDPR (DUAA 2025) |
| Maximum fine | 15 million euros or 3% of worldwide turnover (Article 99(4)(g) EU AI Act) | £17.5 million or 4% of worldwide turnover (UK GDPR, for breaches of personal data duties) |
The UK GDPR layer: what signing does not cover
Signing the code demonstrates nothing about UK GDPR compliance. Where a generative AI system processes personal data, the UK data controller behind it owes transparency duties under Articles 13 and 14 UK GDPR, and the safeguards in Articles 22A to 22D apply to significant automated decisions. Those duties exist independently of the EU AI Act, and the two regimes apply cumulatively to the same product.
The ICO’s guidance on AI and data protection sets out how lawfulness, fairness and transparency apply to AI systems that process personal data, from training data through deployment. The lawful-basis question for training data is live on both sides of the Channel: what the EDPB’s draft web-scraping guidelines ask of UK data controllers is set out in Web scraping for AI training. The UK’s automated decision-making regime has also just changed: section 80 of the Data (Use and Access) Act 2025 replaced Article 22 UK GDPR with Articles 22A to 22D from 5 February 2026, carrying rights to meaningful information, human review and contest.
The ICO’s final guidance on automated decision-making is due in Summer 2026, per its technology guidance plans, and SI 2026/425 requires the Information Commissioner to prepare a statutory code of practice on AI and automated decision-making. That instrument, in force since 12 May 2026, binds the Commissioner rather than UK data controllers, but it fixes the direction of UK guidance.
Signing and implementing the AI transparency code of practice addresses the EU marking and labelling duties for content reaching EU users. The UK GDPR duties must be satisfied separately: a lawful basis for training and outputs, Articles 13 and 14 transparency, the Articles 22A to 22D safeguards for automated decision-making, and a data protection impact assessment where processing is likely to result in high risk. The questions to work through before an AI-enabled product launches in either market are set out on our AI, data and governance advice page, with the wider framework on our data protection page.
Viewpoint
The two-day sequence of Commission opinion and AI Board conclusion gives the AI transparency code of practice the strongest status a voluntary instrument can hold under the EU AI Act short of an implementing act, and I expect most major providers to sign: the Commission’s own framing makes non-signature the more expensive route, because each national market surveillance authority assesses alternative measures individually. In our experience advising on AI-enabled products, the harder work is contractual: standard SaaS terms rarely allocate marking, detection and labelling responsibilities between provider and deployer, and Article 50 splits those duties across exactly that line. Two dates matter more than the headlines: 22 July 2026 for the initial signatory list, and 2 February 2027, when the AI Board has said it will examine whether signatories’ watermarking detection tools interoperate in practice.
Frequently asked questions
Is the AI transparency code of practice legally binding?
No. The AI transparency code of practice is voluntary. The transparency obligations in Article 50 of the EU AI Act are the binding law, applicable from 2 August 2026. Adherence to the code is a recognised way to demonstrate compliance with Articles 50(2), (4) and (5), but it does not amount to conclusive evidence of compliance.
Does the code apply to UK businesses?
The code is open to any provider or deployer of generative AI systems, and the EU AI Act applies to UK businesses where the output of their AI systems is used in the EU, under Article 2(1)(c). A UK provider or deployer within Article 50 can sign and rely on the code on the same basis as an EU business.
Does signing the AI transparency code of practice satisfy UK GDPR?
No. The code addresses the EU AI Act’s marking and labelling duties only. Where a generative AI system processes personal data, UK GDPR transparency duties under Articles 13 and 14, the automated decision-making safeguards in Articles 22A to 22D, and the data protection impact assessment requirement apply independently.
What happens if a business neither signs nor otherwise complies?
From 2 August 2026, infringements of Article 50 attract administrative fines of up to 15 million euros or 3% of worldwide annual turnover, whichever is higher, under Article 99(4)(g) of the EU AI Act. Enforcement sits with national market surveillance authorities in each Member State.
For advice on the EU AI Act’s transparency obligations, the code of practice, or UK GDPR compliance for AI-enabled products, contact Rob Bratby at Bratby Law.
