EU issues AI Act guidance, expected to become de facto global standard

The EU’s AI Act is starting to look less like a principles document and more like a build sheet. That is the real news here. Brussels is no longer just saying “be transparent” about AI-generated content — it is spelling out what transparency is supposed to look like in practice, who owns it, and what evidence companies should be able to show if regulators come asking. The immediate trigger is the Commission-backed code of practice work around Article 50, plus the already-published GPAI code for foundation-model providers. Together, they show the same shift — from broad obligations to operational checklists. (digital-strategy.ec.europa.eu) ### What changed this week? The freshest move is the Commission’s publication of the second draft of the Code of Practice on Marking and Labelling of AI-generated content on March 5, 2026, with feedback collected through March 30 and a final version planned for June 2026. This code is meant to help providers and deployers comply with Article 50 of the AI Act before those transparency rules kick in on August 2, 2026. (([digital-strategy.ec.europa.eu)cond-draft-code-practice-marking-and-labelling-ai-generated-content)) ### What is Article 50 actually about? Article 50 is the AI Act’s transparency section. It covers systems that interact with people, systems that generate or manipulate content, emotion-recognition and biometric-categorisation systems, and deepfakes or certain AI-generated public-interest text. The basic idea is simple — people should know when they are dealing with AI or AI-made content. But the implementation burden is not simple at all. (digital-strategy.ec.europa.eu) ### Why are people calling this a de facto standard? Because companies hate ambiguity more than they hate rules. The code is formally voluntary, but the Commission has already taken that route with the General-Purpose AI Code of Practice published on July 10, 2025, and said signatories can use it to demonstrate compliance with the AI Act with lower administrative burden and more legal certainty. Once regulators bless a template like that, many companies treat it as the safest default. (digital-strategy.ec.europa.eu) ### What does the draft code ask firms to do? More than just slap a label on an image. The second draft points toward multi-layered marking — metadata, watermarking, and in some cases fingerprinting or logging — plus detection mechanisms, readable disclosures, and cooperation with authorities. For deployers, it goes into where labels should appear, how deepfakes should be disclosed, and how exceptions for artistic or journalistic contexts should still be handled without misleading people. (datenschutzarchiv.org) ### Why does that matter for engineering teams? Because this is no longer a pure policy memo problem. If a company has to prove content was marked, detected, logged, and disclosed properly, somebody needs systems that actually do those things — reliably, at scale, and across product surfaces. The draft code also leans on governance, monitoring, training, and review. Basically, compliance starts looking like a controls stack, not a PDF in a legal folder. (ashurst.com) ### Is this only about European companies? Not really. The AI Act applies based on placing systems on the EU market or affecting people in the EU, so non-EU firms get pulled in fast. And even where the law does not strictly require it, multinational companies usually do not want one transparency architecture for Europe and another for everyone else. The cheapest path is often to build once to the(ashurst.com)ules, and global product teams standardize around them. This last sentence is an inference from how the code is positioned and used. (digital-strategy.ec.europa.eu) ### What is the catch? The code still does not settle every technical argument. The Commission’s own materials list several possible marking and detection methods rather than mandating one standard, and legal analysis around the drafts notes that firms may need layered techniques because no single method is robust enough in every medium or use case. That gives flexibility, but it also means more design work, more testing, and more judgment calls. (digital-strategy.ec.europa.eu) ### Bottom line? The story is not just that Europe issued more AI paperwork. It is that the EU is translating the AI Act into operational norms that product, security, and compliance teams can actually be audited against. Once that happens, “trustworthy AI” stops being a slogan and starts becoming evidence — logs, labels, ownership, test results, and documented controls. (digital-strategy. ([digital-strategy.ec.europa.eu)-ai-generated-content))