EU AI Act Transparency Obligations: latest developments and key obligations

Transparency obligations for the AI systems used are a core requirement imposed by the EU AI Act (the Act).

The majority of the Act is expected to come into force on 2 August 2026. The European Parliament, however, has agreed a proposal that would delay the obligations imposed in respect of high risk AI systems. The remaining provisions of the Act remain largely unaffected, and businesses should operate on that basis, noting that breaching these obligations can result in a fine of up to EUR 15 million or 3% of their total worldwide annual turnover for the preceding financial year (whichever is higher).

The Act raised a number of questions around how companies would comply with their transparency obligations. This led to the creation of a draft code of practice (the “Code of Practice on Marking and Labelling of AI-generated content” (the Code)), integrating feedback from hundreds of participants and observers including industry, academia and other stakeholders.

The Code of Practice on marking and labelling of AI-generated content

The second draft of the Code was published on 3 March 2026 and a final version is expected by June 2026. The Code is subject to further amendments, but sets out four key requirements to demonstrate compliance:

  1. multi-layered marking through metadata embedding, imperceptible watermarking, or fingerprinting/logging;
  2. providers having to offer a free interface or publicly available tool enabling users and third parties to verify whether content is AI-generated;
  3. technical solutions for marking and detection must be effective and reliable; and
  4. continuous testing and improvement to keep pace with real-world developments.

The transparency obligations

The Code is underpinned by the transparency obligations in the Act.

The extent of these obligations is influenced by different factors such as whether the AI system is classified as limited or high risk; and whether you are a deployer or provider.

For limited risk AI systems:

If you are a provider

A ‘provider’ is a company, individual, public authority, agency or body that: (a) develops, or procures the development of an AI system or general-purpose AI model; and (b) places it on the market or puts it into service under its own name or trademark. In other words, this applies to those who set out to create, or procure the creation of an AI system.

Providers of limited risk AI systems must comply with three core transparency requirements.

  1. AI systems must be designed to inform individuals that they are engaging with an AI system;
  2. Providers must ensure that outputs are marked in a machine-readable format and are detectable as artificially generated or manipulated; and
  3. Technical solutions employed must be effective, interoperable, robust and reliable.

The question of how providers can satisfy these requirements has been a recurring area of discussion, such that the European Commission has stepped in to provide guidance via the voluntary code of practice on the transparency of AI-generated content. We discuss this in further detail above.

If you are a deployer

In contrast, a ‘deployer’ is a company, individual, public authority, agency or body using an AI system under its authority, except where the AI system is used in a personal non-professional activity.

Given that deployers are effectively users with little to no control over the AI system, they are subject to far fewer disclosure requirements. The Act only imposes obligations on deployers of three specific types of AI systems:

  1. emotion recognition or biometric categorisation systems;
  2. deepfakes, where the system generates or manipulates image, audio or video content; or
  3. systems generating or manipulating text published to inform the public on matters of public interest.

For high risk AI systems:

If you are a provider

Unsurprisingly, the Act imposes the most obligations for this category. In general, it will include requirements for providers to supply instructions for safe use and information about accuracy, robustness, and cybersecurity. Individuals overseeing such systems must be suitably qualified to understand the system’s capacities and limitations, with various recordkeeping and risk management protocols.

If you are a deployer

As with limited risk AI systems, deployers face fewer obligations than providers, but a broader set reflecting the higher risk of the AI system. These include the implementation of specific governance, monitoring, transparency and impact assessment requirements. The key obligations can be grouped under two headings:

Operational obligations

The deployer must implement appropriate measures to ensure the high-risk AI system is used in accordance with the relevant instructions for use, that input data is relevant and sufficiently representative for the intended purpose of the system, and monitor its operation in order to be able to inform the provider in the event it identifies any risks or serious incidents.

Control and risk management obligations

A deployer must conduct a fundamental rights impact assessment (FRIA) before deploying the system, assign human oversight to individuals with the necessary competence, train and regularly monitor the AI system for risks, and keep the logs of the AI system in an automatic and documented manner for at least six months.

Future outlook

The trajectory is unmistakable: the Act positions transparency as a core principle, which is going to impact design choices, user interfaces and governance processes. Organisations will be expected to comply with the Code and the transparency obligations that underpin it.

Companies leveraging AI along their supply chain should therefore prioritise embedding and documenting transparency measures that can withstand both regulatory and legal scrutiny, while ensuring alignment with wider IP governance and strategic commercial decisions.

For more information on the EU AI Act and the Code and how they might impact your business, contact Sacha Wilson and Jacky Lai.

AUTHORS

Sacha Wilson Partner

Sacha is a commercial and regulatory lawyer with particular expertise in advertising, digital and data privacy. He is head of the firm’s cross-departmental advertising practice.

Sacha advises clients from a variety of sectors, including some of the world’s best known brands, agencies and platforms. He is ranked for advertising and digital media in both The Legal 500 and Chambers and Partners and is recognised as one of the UK’s leading advertising lawyers.

Sacha advises on a range of commercial transactions and has particular expertise in advertising-related agreements (such as creative agency, media planning and buying, production and brand partnerships). He is particularly well known for his expertise in digital marketing and adtech.

Sacha also has expertise in general advertising compliance (including prize promotions, native advertising and influencer marketing) as well as ecommerce and online consumer regulations.

Sacha also works within the firm’s retail and technology practices and regularly advises well-known retail brands on a range of retail-focused commercial agreements including distribution, licensing, and franchise agreements, as well as clients across a range of industries on tech focused agreements such as software development, SaaS, and IT services contracts.

In relation to data privacy, Sacha has advised on all the key compliance areas, and has worked with a large number of clients on their data protection compliance programmes. He has particular expertise in the data privacy aspects of marketing, adtech and digital media. He frequently advises on the compliance aspects of adtech vendor arrangements, programmatic advertising, and mobile apps.

Sacha also has expertise in the legal issues associated with AI, particularly in the context of advertising and marketing. He regularly advises clients on the privacy, IP, contractual and regulatory issues associated with the use and deployment of AI for a range of purposes in the advertising and marketing industries.

Jacky Lai Associate

Jacky is a commercial lawyer with experience in a range of technology, commercial contracts, IP and data protection matters.

Jacky has acted for clients ranging from leading global multinationals to early-stage companies across sectors such as retail, IT, healthcare, energy and financial services.

He has particular experience in technology focused contracts (IT services, software development and licensing, SaaS, SLAs, supply, manufacturing and distribution agreements, white label and collaboration agreements).

Jacky has advised on a variety of non-contentious IP issues (including source code licensing, open source software, assignment and infringement). He also advises corporate buyers and sellers in M&A transactions and data protection matters (drafting privacy notices, compliance policies and data subject access requests (DSAR)).

Jacky supports clients by providing training to legal teams and working with key stakeholders in creating internal policies and best practices to navigate the evolving regulatory landscape on key areas such as the EU Digital Operational Resilience Act (DORA), GDPR and AI.

Jacky trained at DLA Piper, where he completed a secondment to Unilever advising on a wide range of commercial, sports sponsorships and endorsements, advertising and IP matters. Jacky also worked in-house at a leading US private equity backed software and payments company where he acted on various supply of goods and services, payment, technology litigation and AI matters.