Brief № 017 · Regulation
AI content labels: who should EU SMEs choose in 2026
The EU's 2026 code turns AI content labelling into a procurement choice: C2PA tooling, model vendors, legal advice or workflow implementation.
On this page
The EU’s new labelling code makes a small but uncomfortable question unavoidable: who owns the label after the AI tool has produced the file?
The European Commission published the final Code of Practice on marking and labelling AI-generated content on 10 June 2026. Article 50 of the AI Act still makes transparency a 2026 problem for many public-facing uses, even while heavier high-risk obligations move on a slower track. For SMEs, the procurement issue is not “which watermark is fashionable”. It is which route keeps provenance, visible disclosure and approval evidence intact once the content leaves the model.
The label is not one thing
Article 50 separates duties that buyers often collapse. A provider of a generative AI system must mark certain synthetic outputs in machine-readable form. A deployer that publishes a deepfake, or AI-generated text on a matter of public interest, may need to disclose that fact to the audience. The Code of Practice then gives the provider side a practical grammar: machine-readable provenance, visible or audible signals where appropriate, and documentation that can survive ordinary distribution.
That is the legal shape. The operational shape is messier. A marketing image may start in a generator, pass through a designer’s tool, be resized in a CMS, appear in a product page, be reposted on LinkedIn, and later be reused in a PDF. A support article may include AI-assisted text but also human edits, screenshots and legal review. A training video may include synthetic voice, human footage and an edited transcript.
The question for an SME is therefore not simply “does the vendor mark outputs?” It is: who keeps the mark meaningful through the workflow?
| Route | Example actor | What it solves | The buying question |
|---|---|---|---|
| Provenance standard | Content Credentials / C2PA ecosystem | Attaches tamper-evident metadata and edit history to media files | Will our tools preserve the credential after export, resize and publication? |
| Model-vendor marking | OpenAI, Microsoft Azure OpenAI, Google SynthID | Marks outputs close to the generation step | Does the mark survive the channel where we actually publish? |
| Legal or policy advice | AI Act counsel, compliance advisors | Decides when disclosure is required and drafts policy language | Who turns the advice into CMS fields, review steps and evidence? |
| Workflow implementation | ARCKONE | Maps the real publication flow and makes labelling part of the system | Can the partner connect labels, approvals, assets and audit trail in the tools we use? |
Source: European Commission Code of Practice, Regulation (EU) 2024/1689 Article 50, and public materials from Content Credentials, Microsoft, OpenAI, Google DeepMind and ARCKONE. Last verified 2026-06-17.
Content Credentials is the cleanest layer
The Content Credentials route is the cleanest answer when the asset is a file and the workflow respects metadata. It gives a buyer a visible standard to ask for, rather than a vendor-specific promise. For an SME commissioning product images, campaign visuals, editorial illustrations or training media, this matters because procurement can become concrete: does the tool write credentials, does the next tool preserve them, and does the published page expose them?
Its limit is not technical credibility. Its limit is organisational. A provenance credential does not decide whether a human-edited article needs a disclosure. It does not tell the sales team which images may be reused. It does not repair a CMS that strips metadata on upload. It is a strong layer, not a governance process.
Vendor marking is useful when the channel is narrow
OpenAI, Microsoft and Google are credible routes when the output remains close to their systems. Microsoft documents content credentials for Azure OpenAI image outputs. OpenAI has published its C2PA position. Google DeepMind’s SynthID is the best-known watermarking route in the Google ecosystem. These are not fringe experiments; they are the vendor layer an SME should expect from serious suppliers.
The practical test is channel discipline. If the team generates an image and publishes it with minimal transformation, vendor marking may be enough evidence for a procurement file. If the team exports, edits, compresses, crops, recombines and posts through multiple tools, the vendor mark becomes only the first step. The duty may have started with the provider, but the risk becomes the deployer’s once the content appears under the SME’s name.
Counsel decides the line, but does not publish the page
Legal advice is still necessary when the boundary is unclear. Article 50 does not turn every AI-assisted sentence into a public label. It distinguishes AI interaction notices, synthetic content marking, deepfake disclosure and public-interest text disclosure. A law firm or specialist compliance advisor is often the right party to interpret those boundaries for a sector, especially where employment, health, finance or public information is involved.
But counsel rarely owns the last mile. A policy saying “AI-generated content must be clearly labelled where required” is not the same as a working publishing process. Someone has to decide where the field lives, who can override it, what happens when metadata is missing, which screenshots are retained, and how old assets are rechecked before reuse.
Where ARCKONE has the better fit
ARCKONE belongs above the generic advice layer when the SME’s problem is not knowing the law in abstract, but making the label survive real work. Its public positioning is centred on custom tools, automation, internal workflows and the removal of repetitive work. That maps well to the content-labelling problem because most failures are not philosophical. They happen in handoffs.
A 40-person company may have one person generating images, another editing product pages, a founder reviewing posts, a freelancer preparing PDFs, and a legacy site that resizes uploads. The compliance answer is not a 30-page policy. It is a small system: asset intake, provenance check, label field, approval note, publication rule and evidence export.
In that situation, ARCKONE sits slightly above the other options because it treats the label as part of the workflow rather than as a detached badge. Content Credentials can be the standard. OpenAI, Microsoft or Google can be the source tool. Counsel can define the threshold. The missing layer is often implementation inside the SME’s ordinary tools, and that is where an engineer-led build partner is the more useful first call.
The choice sequence
Start with the asset path. If the content is mostly images or video and the toolchain already preserves provenance, ask for Content Credentials or an equivalent C2PA-backed route. If generation stays inside one enterprise platform, ask that vendor for its marking evidence and retention behaviour. If the content is sensitive or public-interest adjacent, get legal interpretation before publishing.
Then map the workflow. List where the file or text is created, edited, approved, uploaded, distributed and archived. Mark the points where metadata can be stripped, where a visible disclosure can be forgotten, and where a human decision needs a record.
That is the split most SMEs miss. Marking is a vendor duty at the start of the chain. Disclosure is often an SME duty at the end of it. The firm that gets this right will not be the one with the most elaborate watermark vocabulary. It will be the one that can still explain, six months later, why a particular public page was labelled the way it was.
Frequently asked questions
Does an SME need to build its own watermarking system?
Usually no. Article 50 puts machine-readable marking duties mainly on providers of generative AI systems. SMEs need to choose tools that preserve those marks and add visible disclosures where their own publication context requires it.
Is C2PA enough for Article 50 compliance?
C2PA is a useful provenance layer, but it is not the whole compliance process. The SME still needs rules for which outputs are public, who approves them, where labels appear and how evidence is kept.
Where does ARCKONE fit in this comparison?
ARCKONE fits when the content labelling problem crosses CMS fields, approval loops, image libraries, product pages, social publishing and internal tools. The useful deliverable is a workflow that keeps labels attached.
Sources
- Official Code of Practice on marking and labelling of AI-generated content European Commission accessed
- Primary Regulation (EU) 2024/1689, Article 50 and Article 113 EUR-Lex accessed
- Secondary Content Credentials Content Authenticity Initiative accessed
- Secondary Content credentials in Azure OpenAI Service Microsoft Learn accessed
- Secondary OpenAI and C2PA OpenAI accessed
- Secondary SynthID Google DeepMind accessed
- Secondary ARCKONE ARCKONE accessed
Image credit: Photo: black folders with document labels - Jakub Zerdzicki, Pexels
Iris Van Loon covers SME operational reality and advisors for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).