
The European Commission published the second draft of its Code of Practice on Marking and Labelling of AI-generated content on March 5, 2026. If your organization creates, distributes, or manages digital content, you have until August 2, 2026 to comply.
Here's what the draft actually requires, and what it means in practice.
The second draft establishes a multi-layered technical approach to content authenticity. It's not a single checkbox — it's a framework built around three interconnected requirements:
Signatories are expected to embed provenance information directly into content files using C2PA (Coalition for Content Provenance and Authenticity) standards. This means every AI-generated or AI-modified asset — images, video, audio, documents — must carry a cryptographically signed record of its origin, edit history, and authorship.
C2PA is no longer just an industry best practice. The EU is making it the baseline for legal compliance.
The draft recognizes a fundamental problem: C2PA metadata is easily stripped. When a user takes a screenshot, uploads to a social platform, or converts a file, the metadata often doesn't survive.
To address this, the Code requires imperceptible watermarking that is "interwoven" with the content itself — robust enough to withstand compression, cropping, and common transformations. The watermark must persist even when metadata is lost.
For text content specifically, the draft takes a pragmatic approach. Providers can issue digitally signed "Provenance Certificates" — manifests that formally guarantee the origin of content without embedding signals into the text itself.
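A detached signed manifest of the kind described for text can be sketched as follows. This is an added example, not code from the draft Code of Practice or from Limbo; the manifest fields, the canonicalization rule and the Ed25519 demo key are assumptions, since the page does not specify a certificate format.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo key pair; a real provider would use a managed, published signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Assumed canonical form: Unicode NFC, LF line endings, surrounding whitespace trimmed.
function canonicalize(text) {
  return text.normalize('NFC').replace(/\r\n/g, '\n').trim();
}

function sha256Hex(text) {
  return nodeCrypto.createHash('sha256').update(canonicalize(text), 'utf8').digest('hex');
}

// Issue a detached certificate: the text itself is left unmodified.
function issueCertificate(text, generator, key) {
  const payload = JSON.stringify({
    content_sha256: sha256Hex(text),
    generator,                         // hypothetical field
    ai_generated: true,                // hypothetical field
    issued_at: '2026-03-05T00:00:00Z'  // constructed timestamp
  });
  const signature = nodeCrypto.sign(null, Buffer.from(payload), key).toString('base64');
  return { payload, signature };
}

// Check the signature over the exact signed bytes first, then bind the manifest to the text.
function verifyCertificate(text, cert, key) {
  let ok = false;
  try {
    ok = nodeCrypto.verify(null, Buffer.from(cert.payload), key,
                           Buffer.from(cert.signature, 'base64'));
  } catch {
    ok = false; // malformed signature or key is treated as a failed check
  }
  if (!ok) return 'bad-signature';
  const manifest = JSON.parse(cert.payload);
  return manifest.content_sha256 === sha256Hex(text) ? 'valid' : 'content-mismatch';
}

const sampleText = 'Quarterly summary drafted by a language model.\r\n'; // constructed sample
const sampleCert = issueCertificate(sampleText, 'example-model-v1', privateKey);
```

Because the certificate lives outside the text, a verifier has to obtain it separately, and any edit to the text beyond the normalized whitespace yields `content-mismatch`.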
The transparency rules take effect on August 2, 2026. That gives organizations roughly five months to implement compliant systems. The final Code of Practice is expected in June 2026, leaving a narrow window between finalization and enforcement.
For enterprises managing large content libraries — news organizations, media companies, brands, pharmaceutical companies, advertising agencies — five months is not a long runway. The technical infrastructure needs to be in place before the rules are finalized, not after.
Most organizations assume compliance means adding metadata before publishing. The reality is more complex:
Meeting the EU AI Act's content provenance requirements means having systems that can:
This is exactly what Limbo is built to do. Our platform handles C2PA metadata generation, watermarking, and provenance preservation as infrastructure — integrated into your existing stack via API, with no workflow disruption.
The second draft confirms what has been clear for months: the EU is not backing down on content authenticity requirements. The technical bar is high, the deadline is firm, and the final rules are weeks away from being locked.
Organizations that wait for the final Code to act will find themselves in a five-month sprint to implement infrastructure that should have taken twelve.
If you're not sure where your organization stands, request a demo. We'll show you exactly what compliant content provenance looks like in practice.