Skip to content

EU AI Act

EU AI Act watermarking: what you actually have to build

Article 50(2) of the EU AI Act requires providers of AI systems that generate synthetic audio, image, video, or text to ensure the output is “marked in a machine-readable format and detectable as artificially generated or manipulated.” The technical solutions must be effective, interoperable, robust, and reliable as far as technically feasible. The Act deliberately names technique families rather than standards: watermarks, metadata identifications, cryptographic provenance methods, logging methods, and fingerprints, alone or in combination. In practice, a defensible implementation layers at least two of these per modality, typically an invisible watermark plus signed provenance metadata.

This page is the engineering view: what each legal phrase translates to in a build, modality by modality, and a checklist you can hand to a team. For the legal frame around it (who is a provider, all five Article 50 duties, penalties, timeline), start from the Article 50 reference page.

The text of Article 50(2) makes four engineering-relevant choices.

It is output marking, not model documentation. The obligation attaches to the content your system emits. A model card or terms-of-service notice satisfies nothing here. Every generated file, stream, or string that leaves the system must itself carry the mark.

“Machine-readable” means software-detectable, not human-visible. A visible “AI-generated” caption does not satisfy 50(2). The mark must be something a parser or detector can find: embedded metadata, a signal in the pixels or samples, a statistical signature in the token distribution. (Human-visible labels are a separate duty, on deployers, under Article 50(4); see disclosure requirements.)

The quality bar is relative, not absolute. The mark must be “effective, interoperable, robust and reliable as far as this is technically feasible, taking into account the specificities and limitations of various types of content, the costs of implementation and the generally acknowledged state of the art.” This is a moving target pegged to the state of the art per modality. It forgives the genuine hardness of, say, watermarking short text. It does not forgive shipping less than what the field demonstrably knows how to do.

Technique families are named, standards are not. Recital 133 lists “watermarks, metadata identifications, cryptographic methods for proving provenance and authenticity of content, logging methods, fingerprints or other techniques, as may be appropriate,” and explicitly allows combinations. It also allows implementation “at the level of the AI system or at the level of the AI model, including general-purpose AI models,” which means an upstream model-level watermark (such as Google DeepMind’s SynthID) can carry part of a downstream provider’s burden, provided the downstream system does not strip it.

The forthcoming Code of Practice on Transparency of AI-Generated Content (first draft published by the AI Office on 17 December 2025, second draft March 2026; see the Jones Day summary) will sharpen expectations, but the architecture below follows from the Act itself and will not be invalidated by it.

Why one technique is never enough

Each family fails somewhere. Metadata is trivially stripped: most social platforms and messaging apps re-encode uploads and discard embedded metadata in the process. Invisible watermarks survive re-encoding but can degrade under aggressive cropping, filtering, or adversarial attack. Fingerprinting (perceptual hashing against a registry of generated outputs) survives everything but requires you to operate a lookup service and log outputs. Cryptographic provenance manifests such as C2PA Content Credentials are tamper-evident and interoperable but, being metadata, disappear when a platform strips them (C2PA’s durable-credentials work, which pairs the manifest with a watermark and a fingerprint so it can be re-attached, exists precisely because of this).

The “robust and reliable as far as technically feasible” standard, read against a state of the art in which layered marking is normal practice, points one way: combine a signal that lives in the content (watermark) with a record that describes it (signed metadata), and where the stakes justify it, a fingerprint that lets you recover provenance after both are gone.

What marking means per modality

ModalityIn-content signal (survives stripping)Attached provenance (interoperable)Hard parts
ImageInvisible pixel-domain watermark embedded at generationC2PA manifest signed at exportCrops, filters, screenshots; regeneration attacks
VideoPer-frame or temporal watermarkC2PA manifest on the containerRe-encoding, clipping, frame-rate changes; live streams
AudioSpectral watermark below audibilityC2PA manifest / ID3-level metadataCompression, resampling, playback-and-rerecord
TextStatistical (logit-level) watermark at sampling timeNone that survives copy-pasteShort outputs, heavy paraphrase, translation

Images

The mature case. Embed an invisible watermark in the pixel domain at generation time (model-level watermarking like SynthID for image models, or a post-generation embedder in your pipeline), then attach a signed C2PA manifest at export declaring the generator, the time, and the fact of AI generation. The C2PA specification is the closest thing the field has to the “interoperable” property Article 50(2) asks for: it is an open standard whose coalition includes Adobe, Microsoft, Google, and OpenAI, and validators are freely available. Test the watermark against your users’ realistic post-processing: platform re-encoding, resizing, moderate crops, and screenshots.

Video

Same two layers, harder engineering. The watermark must survive re-encoding and clipping, so it is embedded per frame or as a temporal pattern rather than once. The C2PA manifest goes on the container (MP4/BMFF is supported by the spec). Live generation (real-time avatars, streamed synthesis) is the frontier case: the manifest model assumes a finished asset, so live systems lean on the in-stream watermark plus session logging. Budget for the compute: frame-level embedding at generation scale is a real cost, which is exactly the “costs of implementation” factor the Act says regulators must weigh, not a reason to skip marking but a legitimate input to technique choice.

Audio

Embed a spectral watermark below the threshold of audibility, designed to survive lossy compression and resampling. The open state of the art is well represented by Meta’s AudioSeal, which localises watermarks to the second and survives common edits, and by SynthID’s audio mode. The brutal test is playback-and-rerecord (playing the audio through a speaker into another microphone); document how your chosen scheme performs there, because voice-cloning deepfakes are the highest-scrutiny use of this modality.

Text

The hard one, and the one the Act’s “as far as technically feasible” clause was written for. Metadata does not survive a copy-paste, so the only in-content option is statistical watermarking: biasing token selection at sampling time so the output carries a detectable signature invisible to readers. Google DeepMind’s SynthID Text, published in Nature in October 2024 and open-sourced, demonstrated this at production scale with negligible quality impact. Its limits are well known: reliability drops on short outputs, heavy paraphrasing, and translation. Feasibility means you deploy the state of the art and document its limits, not that you decline to mark text at all. If you serve text through an API, marking at the model level (per Recital 133) is the natural placement.

The interoperability question

“Interoperable” is the quiet word in Article 50(2) that rules out purely proprietary schemes as a complete answer. A watermark only your own detector can read makes content “detectable” by you, not by the ecosystem the provision is trying to equip. The pragmatic reading, reflected in the draft Code of Practice, is to pair whatever proprietary watermark your models use with an open, standardised carrier for the provenance claim, which today means C2PA Content Credentials. That combination gives you a detector you control and a manifest anyone can validate.

Implementation checklist

A concrete program for a provider shipping generative features:

  1. Inventory outputs. Every endpoint, export path, and background job that emits generated audio, image, video, or text. Include “AI-assisted” features, then apply the exemption test below to each.
  2. Apply the exemptions honestly. Article 50(2) does not cover systems performing “an assistive function for standard editing” or that do not “substantially alter the input data provided by the deployer or the semantics thereof.” Grammar correction and denoising are out of scope; text-to-image generation and voice cloning are squarely in. Document each exemption call.
  3. Choose the in-content signal per modality. Model-level watermarking where your model vendor provides it (and verify contractually that it is on); pipeline-level embedding where it does not.
  4. Attach signed provenance. Generate a C2PA manifest at every export point, signed with a certificate you manage. Declare AI generation explicitly in the manifest’s assertions.
  5. Preserve marks through your own pipeline. The commonest self-inflicted failure: your thumbnailer, transcoder, or CDN strips the metadata your generator just wrote. Test the full path to the user.
  6. Stand up detection. You must ensure output is “detectable”; run your detector as an internal service, and decide the policy for exposing verification to users and platforms.
  7. Measure robustness and write it down. Benchmark watermark survival against the transformations your content realistically meets. This dossier is your “state of the art” evidence if a market surveillance authority asks.
  8. Log generation events. Recital 133 lists logging among the techniques; an output log keyed by fingerprint is also your recovery path when both watermark and metadata are gone.
  9. Watch the Code of Practice. Presentation details and detector-access expectations will firm up there; the layered architecture above is the stable part.

Timing

The duty applies from 2 August 2026. Under the AI Omnibus adopted in June 2026, generative AI systems placed on the market before 2 August 2026 have a grace window to 2 December 2026 for the 50(2) marking mechanism specifically (William Fry’s analysis); anything launched on or after 2 August 2026 must mark from day one. Non-compliance sits in the EUR 15 million or 3 percent of worldwide turnover penalty tier of Article 99(4). Full timeline and penalty table on the Article 50 reference page.

For the underlying techniques in more depth, see how AI content watermarking works and the SynthID deep dive. This page is engineering guidance, not legal advice; scope decisions for your products belong with qualified EU counsel.

Building this layered marking stack (watermark, C2PA signing, detection, robustness evidence) is exactly the kind of system Webisoft engineers for companies facing the August deadline.

eu-ai-actwatermarkingarticle-50c2pamachine-readable-markingprovenance