The EU AI Act takes effect tomorrow.
Are your AI outputs compliant?

What the August 2 deadline actually means

The EU AI Act has been law for over a year, but the operative provisions for synthetic content come into force on August 2, 2026. The grace period ended. For any platform, agency, or creator whose AI output reaches a single person in the European Union, Article 50 is now enforceable.

What Article 50 requires

The Act creates a binary obligation: every AI-generated piece of content, where "content" means image, video, audio, or text, must carry markers that allow any third party to identify it as artificially generated. Two markers, not one:

• Machine-readable. A cryptographic format that automated systems can parse. The Commission has named C2PA Content Credentials as the reference implementation. EXIF metadata and alt-text do not satisfy the obligation.
• Human-readable. The person consuming the content must be informed it is AI-generated. On social platforms, a visible label suffices. On creator websites, a disclosure adjacent to the asset is required.
• Persistent through derivation. Adobe TrustMark watermarking, named in the reference implementation, survives recompression, resizing, screenshots, and most edits short of pixel-level rewriting.
• Verifiable without authentication. Any regulator, journalist, or counter-party must be able to verify the provenance via a public URL, without an account or privileged access.

This is not a recommendation. It is the structure of the operative regulation.

Most AI platforms have been told this is months away. It is not. It is operative as of yesterday. The compliance officers who selected an implementation in March 2026 are running their pipelines today. The teams who did not are exposed.

The penalty exposure

Article 99 sets the penalty ceiling at €15 million or 3% of worldwide annual turnover, whichever is higher. For Article 50 specifically (synthetic content marking), the maximum applies. The lower bound varies by infringement type, but on a credible enforcement action a mid-size AI platform should budget €2 to €5 million as the realistic first-round fine ceiling.

By the time the supervisory authority opens a file on your platform, you are already months past the operative date. The grace period is not a runway.

For comparison: the largest GDPR fine to date (against Meta in 2023) was €1.2 billion. The AI Act enforcement architecture is the same. Expect comparable enforcement scale within 18 to 24 months as national supervisory authorities ramp up.

The five marking duties, mapped to operations

Article 50 unfolds into five concrete duties. Each one has its own enforcement pathway and its own implementation surface in a production AI pipeline:

• Mark at creation, not at publication. The marker must be cryptographically bound to the asset at the moment of generation, before the file leaves the generator. Post-hoc disclosure workflows do not satisfy the obligation.
• Maintain provenance through derivation. The marker must survive editing, resizing, recompression, and republishing. This is the technical case for Adobe TrustMark watermarking.
• Disclose the AI model used. The marker must identify the model that produced the content, referenced to the EU AI Office's public registry, not generically as "AI-generated".
• Verification accessible without authentication. Public URL, no account, no API key, no special access. Walled-garden verification does not satisfy Article 50.
• Audit log retained for 72 hours retrieval. A formal request from a national supervisory authority triggers a 72-hour response window. The records must be queryable and tamper-evident.

How Shield certificates map 1:1

Shield was built to implement Article 50 from day one. Every Shield certificate covers all five marking duties in a single cryptographic operation: C2PA signing at creation (duty 1), Adobe TrustMark embedding for derivation persistence (duty 2), AI model identifier in the C2PA manifest (duty 3), public verification URL (duty 4), and a tamper-evident audit log on Polygon (duty 5). The mapping is published as a public dossier, audited quarterly, and documented field by field against the regulation paragraphs.

What to do this week

If you are a compliance officer and you have not yet selected an Article 50 implementation, the timeline is short: this week, decide whether you implement C2PA in-house (a 6 to 9 month engineering effort) or adopt a provider that does it for you. Within 30 days, activate the marking duties across at least one production AI pipeline. Within 90 days, verify the marking survives the most aggressive derivation paths in your asset distribution. Within 180 days, be audit-ready. The first formal AI Office requests are expected by Q1 2027. If you adopt Shield, the integration is one API call per generation, and we handle the chain from signing to anchoring while you stay focused on the model and the user experience.