The August 2 Gap: What Your AI Vendor Isn’t Telling You

The European Commission published the final Code of Practice on marking and labelling of AI-generated content on June 10, 2026. Six days later, the vendor community has said almost nothing. No major generative AI provider serving financial services has published a substantive public response. Most compliance functions have not received guidance from their AI vendors either. That silence is worth examining, because Article 50 transparency obligations become mandatory on August 2 regardless of whether vendors get around to explaining their implementation plans.

The Code is the Commission’s attempt to give providers a practical path to compliance before that deadline. The question compliance teams should be asking is not whether their vendor has signed it, but whether their vendor can describe, in writing, which of its mechanisms they are implementing and when.

What the Code Does and Does Not Do

The Code is voluntary in the sense that signatories self-select. Adherence to it is not. Under the AI Act, Article 50 obligations apply from August 2 regardless of whether a provider signed the Code. What the Code provides is a recognized practical framework: firms whose providers sign and follow it receive the benefit of presumed compliance and reduced administrative burden. Providers who ignore it face the same August 2 deadline with no safe harbor to point to.

The Commission was explicit on this distinction. The Code does not replace the AI Act or the Commission’s forthcoming guidelines on Article 50. It provides an EU-wide recognized practical framework for signatories to demonstrate compliance. Enforcement will focus on monitoring adherence to the Code, with the stated goal of delivering greater predictability and legal certainty across the EU.

After publication, the Commission and the AI Board will assess the Code’s adequacy. The Commission will also publish guidelines on the implementation of Article 50 transparency obligations ahead of August 2. Organizations should treat those forthcoming guidelines as the authoritative compliance baseline, not the Code alone.

The Two Mechanisms, and the One That Requires Infrastructure

The Code recommends two primary mechanisms for AI content marking and labelling:

Sub-measure 1.1.1: Digitally-signed metadata. Cryptographic metadata embedded in the content file, linking the content to its AI origin in a tamper-evident way. This travels with the content through standard distribution channels and can be verified by any receiving system that reads the metadata.

Sub-measure 1.1.2: Imperceptible watermarking. A signal embedded in the content itself, invisible to end consumers, that survives common transformations such as resizing, compression, and format conversion. Unlike metadata, it persists even when metadata is stripped.

The Code also identifies an optional third mechanism:

Sub-measure 1.1.3: Fingerprinting or logging. A registry-based approach in which content is matched against a database of known AI-generated outputs. The European Commission FAQ notes this requires a registry database. That infrastructure requirement makes it the most technically complex of the three, and the least likely to see broad adoption by August 2.

Providers choosing to rely on sub-measure 1.1.3 as their primary mechanism face an immediate build-or-buy decision for registry infrastructure that does not yet exist at scale in the financial services context. Compliance teams should be asking their vendors now which sub-measure or combination of sub-measures they intend to implement, and by what date.

The Standard the Commission Described Without Naming

The more revealing thing about the Code is what it chose not to say. The Commission describes, in technical detail, the characteristics that a compliant digitally-signed metadata implementation must meet—and then declines to name any specific technology standard that meets them. That is a deliberate drafting choice, not an oversight.

The IPTC, the global standards body of the news media and a participant in content provenance standards development, interpreted the Code on its publication date. IPTC’s assessment: C2PA is the only technology that currently meets the criteria for digitally-signed metadata as described in sub-measure 1.1.1. IPTC further reads the Code as encouraging the use of CAWG metadata assertions in C2PA manifests.

That interpretation is IPTC’s, not the Commission’s, and compliance teams should not treat it as a regulatory ruling. What it establishes is that the technical community most familiar with content provenance standards regards C2PA as the practical path to sub-measure 1.1.1 compliance—while the Commission, for its own reasons, preferred to describe the destination without naming the road.

For financial services firms, that gap between the technical community’s reading and the Commission’s silence creates a vendor evaluation problem. Asking a vendor whether they are “C2PA compliant” is not the same as asking whether their implementation satisfies sub-measure 1.1.1. The second question is the one that matters for August 2, and it requires a more specific answer than most vendors have been asked to provide.

What Financial Services Firms Need to Do Before August 2

The Article 50 obligations apply to providers and deployers of general-purpose AI systems. Financial services firms that use third-party generative AI systems in client-facing contexts are deployers under the AI Act. The compliance obligation does not sit entirely with the technology vendor.

The scope of the visible content labelling requirement, however, is more precise than “client-facing.” Article 50(4) targets two categories: deepfakes (audio, image, or video content depicting real persons or events that did not occur), and AI-generated text published for the purpose of informing the public on matters of public interest, unless that text has undergone substantive human editorial review. A firm using a generative AI system to answer private account servicing queries from individual clients is triggering Article 50(1), which requires disclosure that the user is interacting with an AI system. It is not automatically triggering the visible content labelling rules that the Code of Practice addresses. Compliance teams should map each AI deployment to the specific Article 50 sub-obligation it activates before concluding that the Code’s marking mechanisms apply to that use case.

Three things should happen before August 2. First, get written confirmation from each AI provider of which sub-measure or combination they implement, with enough technical specificity to assess against sub-measure 1.1.1’s criteria—not a sales answer, a technical one, in writing, before July 1. Second, where vendor implementation is incomplete or unconfirmed, assess whether deployer-layer controls bridge the gap: interface disclosures, user-facing labels, metadata read-out at point of delivery. The Code’s mechanisms apply at the content level; Article 50 deployer disclosure obligations apply at the interaction level; these are distinct requirements that can stack. Third, build the compliance documentation record now—vendor disclosures received, gaps identified, remediation steps taken or pending. That record is the audit trail if enforcement attention arrives after August 2, and the Commission has signaled it intends to use Code adherence as the primary enforcement lens.

The Adequacy Assessment as Forward Signal

The Commission and AI Board will assess the Code’s adequacy after publication. That assessment matters for two reasons.

First, it creates a second compliance event. If the Code is found inadequate in material respects, it may be revised or supplemented before the enforcement framework matures. Providers who built their compliance programs exclusively around the current Code text may face rework.

Second, the adequacy assessment will generate public output. Compliance teams should monitor the AI Board’s publications through the second half of 2026. The Board’s findings on Code adequacy will be the earliest signal of how the Commission intends to approach enforcement of Article 50 in practice.

The August 2 deadline is fixed. The enforcement posture that follows it is not yet fully formed. Organizations that complete their vendor disclosure and documentation work before August 2 will be positioned to respond to that posture as it emerges. Those that wait for the Commission’s guidelines before acting have compressed their window to weeks.