Published 2026-06-03 · 29 min read · By Nikolay Sapunov, CEO at Fora Soft
Why This Matters
If your product captures, generates, or analyses video of people, regulation is no longer a thing that happens to other companies — it is a set of requirements that land inside your codebase, your release process, and your data pipeline. The teams that get hurt are not the ones that read the law wrong; they are the ones who never classified their features at all, shipped an emotion-detection demo into an EU hiring tool, and discovered the line only when a regulator drew it for them. This lesson is written for the product manager, founder, or engineering lead who has to ship a face feature, a generative-video feature, a meeting-analytics feature, or a surveillance feature into real markets — and needs to know, concretely, which features are banned, which require a label, which require a pile of documentation, and what code implements each. It is the regulatory spine of the section: the face detection and recognition lesson owns the biometric engineering in detail, and the quality, cost, and C2PA disclosure lesson owns the generative-video disclosure pipeline; this lesson ties every feature in your product to the rule that governs it, and shows you the classifier and the manifest that make compliance a build step rather than a panic.
The One Idea: Compliance Is A Classifier, Not A Reading
Before any detail, hold the idea that organises everything below. Regulation feels like a wall of legal text, but for an engineer it reduces to a function. The input is a description of a feature — what it does to video, whose video, where in the world, and to what end. The output is a small label: prohibited, high-risk, transparency-only, or minimal-risk. Once a feature has its label, the obligations follow mechanically, and they become ordinary engineering tasks: emit a disclosure string, write a metadata marker, capture a consent record, keep a log, register an entry in a database.
This is the difference between treating the law as prose to be read and treating it as a contract to be implemented. A lawyer reads the prose. An engineer implements the contract. The most important artifact this lesson produces is therefore not a summary of the law — it is the classifier, a piece of code or a decision sheet that takes any new video AI feature and returns its bucket, so the right obligations attach automatically at design time instead of being discovered at audit time.
Figure 1. The classifier in one picture. Run every video AI feature through these four questions before you build it, and the obligations attach automatically instead of surfacing in an audit.
The Law You Actually Have To Implement
Three regimes touch a video product in 2026: the European Union's AI Act (the most demanding and the most structured), a patchwork of United States federal and state laws, and China's content-labelling rules. The European framework is the one worth understanding first, because it is comprehensive, it carries the largest fines, and it has become the template other regions copy.
The EU AI Act — formally Regulation (EU) 2024/1689 — is a single regulation that classifies AI systems by the risk they pose and attaches obligations to each risk level. It entered into force on 1 August 2024, and its rules switch on in stages rather than all at once. The bans came first, on 2 February 2025. The rules for general-purpose AI models followed on 2 August 2025. The transparency rules and the bulk of the high-risk regime were set for 2 August 2026. We will return to a 2026 twist in the timeline that changes which of those you must ship this year, but the structure — ban, high-risk, transparency, minimal — is the backbone, and it maps directly onto the four buckets of the classifier.
A point that trips up almost every team: the Act regulates roles, not just systems. The same feature carries different duties depending on whether you are the provider (the entity that builds or substantially modifies an AI system and puts it on the market under its own name) or the deployer (the entity that uses the system in the course of its business). When you wire a third-party generative-video API into your product, the API vendor is usually the provider and you are the deployer — and, as we will see, that split decides who has to watermark the output and who has to tell the user it is a fake. Get the role wrong and you will either do work that was not yours to do or, far worse, skip work that was.
Bucket One — The Banned List (Article 5)
The first question the classifier asks is whether a feature is simply illegal to build. The Act's Article 5 lists "unacceptable-risk" practices that no risk-management process can rescue, and several of them are squarely about video. These prohibitions have been in force since 2 February 2025, which means a product shipping any of them today is already exposed.
Four of the banned practices matter most for a video product. First, you may not create or expand a facial-recognition database by untargeted scraping of facial images from the internet or from CCTV footage — the practice that produced the famous enforcement cases against face-search startups. Second, you may not use AI to infer emotions of people in the workplace or in education institutions, except for narrow medical or safety reasons — so an "engagement detector" in an e-learning product or a "candidate sentiment" overlay in a hiring video tool is not a risky feature to be documented, it is a prohibited one. Third, you may not run biometric categorisation that sorts individuals by sensitive traits — race, political opinions, trade-union membership, religious or philosophical beliefs, sex life, or sexual orientation — inferred from their biometric data. Fourth, real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes is prohibited except in tightly drawn cases (searching for specific victims or missing persons, preventing an imminent terror threat, or locating a suspect in a serious crime), and even then only with prior judicial authorisation, a fundamental-rights impact assessment, and registration in the EU database.
A fifth ban is arriving. The 2026 reform package (discussed below) adds a prohibition on AI systems that generate or manipulate non-consensual intimate imagery — so-called "nudifier" apps — and child sexual abuse material. For providers of general-purpose image and video generators, the ban is written to bite even when that output is not the system's intended purpose: if such generation is a "reasonably foreseeable and reproducible" outcome and the system lacks adequate technical safeguards against it, the provider is on the hook. The engineering consequence is direct: a generative-video feature now needs misuse safeguards as a design requirement, not a content-moderation afterthought, and the real-time content moderation lesson covers the detection side of that obligation.
Common mistake. Treating a prohibited feature as a high-risk feature to be "made compliant." Teams sometimes respond to a ban by adding consent screens, audit logs, and a human reviewer, believing diligence converts an illegal practice into a permitted one. It does not. Emotion recognition in a workplace, sensitive-trait biometric categorisation, and untargeted face-scraping are banned regardless of how carefully they are built or how freely the subject consents. The only compliant response to a Bucket One feature is not to build it, or to redesign it until it no longer does the banned thing — for example, replacing "detect whether the student looks engaged" with "detect whether a face is present in frame," which is plain detection and carries none of the prohibition.
Bucket Two — High-Risk (Annex III)
If a feature is not banned, the classifier next asks whether it is high-risk. The Act lists high-risk uses in Annex III, and several reach video products: remote biometric identification and categorisation; AI used in education to evaluate learning outcomes or proctor exams; AI used in employment to screen or assess candidates; AI used to determine access to essential services; and AI used by law enforcement and border control. The trigger is the use, not the technology — the same object detector is minimal-risk for counting empty parking spaces and high-risk for screening job applicants on video.
High-risk does not mean banned; it means a substantial compliance load. A provider of a high-risk system must run a risk-management system, govern its training data, write technical documentation, keep automatic logs, build in human oversight, meet accuracy and robustness targets, and register the system in an EU database. A deployer must, among other things, run a fundamental-rights impact assessment for certain deployments and keep the system's logs. This is the bucket that turns a feature into a project, which is exactly why classifying correctly matters: you do not want to discover that an "exam proctoring" feature was high-risk after you have shipped it without any of that scaffolding.
The honest engineering note is that most video AI features in a typical product are not high-risk. A background-blur filter, a meeting transcriber, a highlight generator, a content-recommendation model, a quality-upscaler — none of these decide who gets a job, a place at a school, or a benefit, so none of them enter Bucket Two. The high-risk regime is real and heavy, but it applies to a minority of features. The classifier's job is to find that minority precisely, so the rest of the product is not slowed by paperwork it does not owe.
Bucket Three — Transparency (Article 50): The Part You Ship In 2026
Most video AI features that touch a user land in Bucket Three: not banned, not high-risk, but subject to a transparency duty under Article 50. This is the workhorse of the Act for ordinary products, and — because of the 2026 timeline twist — it is the obligation you must have running this year. Article 50 sets four duties, and the engineering trick is to see that each one is a small, concrete output your system has to emit.
The first duty (Article 50(1)) is on the provider of any AI system meant to interact directly with people: the system must make clear that the person is talking to an AI, unless that is obvious. For a video product this catches AI receptionists, avatar agents, and voice bots in a call. The implementation is a one-line disclosure at the start of the interaction.
The second duty (Article 50(2)) is on the provider of any system that generates synthetic audio, image, video, or text: the output must be marked in a machine-readable format and detectable as artificially generated or manipulated, using solutions that are "effective, interoperable, robust and reliable as far as technically feasible." In practice this means a provenance marker baked into the file — the C2PA Content Credentials standard is the mechanism the European Commission's code of practice points to — backed by an invisible watermark. The full construction of that marker lives in the C2PA disclosure lesson; the regulatory point here is who owes it: the provider of the generator, which is usually your API vendor, not you.
The third duty (Article 50(3)) is on the deployer of an emotion-recognition or biometric-categorisation system: you must inform the people exposed to it that it is running, and process their data under the GDPR. Note the interplay with Bucket One — emotion recognition in a workplace or school is banned outright, so this transparency duty applies only to the emotion- and biometric-analysis uses that are still allowed (for instance, an audience-reaction measure at a consumer event, with proper notice).
The fourth duty (Article 50(4)) is the one everyone means when they say "the deepfake rule." A deployer of a system that generates or manipulates image, audio, or video that is a deep fake must disclose that the content is artificially generated or manipulated. There is a carve-out for evidently artistic, creative, or satirical work, where the disclosure must merely exist without spoiling the piece. So when you build a face-swap or AI-avatar feature on top of a vendor's model, two separate duties attach to two separate parties: the vendor (provider) marks the file machine-readably under 50(2), and you (deployer) show the human-visible "AI-generated" disclosure under 50(4). Miss the distinction and you will assume the vendor's watermark satisfies your disclosure duty — it does not.
Figure 2. The four Article 50 duties, mapped to who owes them and what output satisfies them. The provider marks the file; the deployer discloses to the human. On an integrated pipeline, both duties fire at once on different parties.
The 2026 Timeline Twist — The Digital Omnibus
Here is the fact that most articles on this topic still have wrong, because it changed in May 2026. By late 2025 the EU recognised that the machinery needed to enforce the high-risk regime — standards, notified bodies, the database — was not going to be ready for the original 2 August 2026 deadline. The European Commission tabled a reform package, the Digital Omnibus on AI, on 19 November 2025. After a first round of negotiations failed in late April 2026, the EU institutions reached a provisional political agreement on 6 May 2026, confirmed by Member-State representatives in the Council on 13 May 2026.
The agreement does three things that matter for planning. It defers the high-risk obligations: standalone Annex III systems now have until 2 December 2027, and AI embedded in regulated products under Annex I until 2 August 2028. It leaves the Article 50 transparency obligations on the original 2 August 2026 date, with only a four-month grace period (to 2 December 2026) for systems already on the market to retrofit the machine-readable marking under 50(2). And it adds the new Article 5 ban on non-consensual intimate imagery and CSAM generators, with a transitional period to 2 December 2026.
The planning consequence is sharp, and it is the reason this lesson exists in Phase 8 rather than as a footnote. The heavy documentation work — the risk-management files, the conformity assessments, the database registrations — has real headroom now, into late 2027 and 2028. The transparency layer does not. If your product generates synthetic video, runs an AI agent that talks to users, or performs allowed emotion or biometric analysis, the Article 50 disclosures are due in 2026. That is the part to build first.
One caution stated plainly: as of this writing the Omnibus is a provisional political agreement, not yet published in the Official Journal, and the deferred dates only become binding on formal adoption — expected before 2 August 2026. Treat the new high-risk dates as the planning baseline, but verify formal adoption before you rely on them, and do not let the deferral become an excuse to defer the transparency work that was never moved.
Figure 3. The post-Omnibus timeline. The high-risk paperwork moved to 2027 and 2028; the Article 50 transparency layer did not — it remains due in 2026, which is why it is the part to ship first.
What The Fines Actually Cost — With The Arithmetic
The Act's penalties are tiered to match the buckets, and the numbers are large enough that the math is worth doing out loud. Article 99 sets three ceilings. A breach of an Article 5 prohibition is the most serious: up to 35 million euros, or 7% of total worldwide annual turnover, whichever is higher. A breach of most other obligations — including the Article 50 transparency duties — is up to 15 million euros or 3% of worldwide turnover, whichever is higher. Supplying incorrect or misleading information to authorities is up to 7.5 million euros or 1%.
Work an example, because "whichever is higher" behaves differently at different company sizes. Take a large platform with 2 billion euros of annual turnover that ships a banned emotion-recognition feature:
```
Article 5 ceiling = max( €35,000,000 , 7% × €2,000,000,000 )
                  = max( €35,000,000 , €140,000,000 )
                  = €140,000,000
```
For a company that size, the percentage dominates and the fixed cap is irrelevant. Now run the same breach for a startup with 4 million euros of turnover:
```
Article 5 ceiling = max( €35,000,000 , 7% × €4,000,000 )
                  = max( €35,000,000 , €280,000 )
                  = €35,000,000
```
The fixed cap dwarfs the percentage — except that the Act adds a mercy clause for small and medium enterprises: for an SME or startup, the fine is the lower of the two figures, not the higher. So the same startup's exposure is the 280,000-euro percentage, not the 35-million-euro cap. The lesson in the arithmetic is that the headline "35 million or 7%" is a ceiling, not a tariff; the actual exposure scales with your size, and the percentage is what bites a large company. Either way, a missing Article 50 disclosure — the cheap-to-build obligation — sits in the 15-million-or-3% tier, which is still enough to erase a year of margin on a feature that took an afternoon to make compliant.
Figure 4. The three penalty ceilings. For a large company the percentage dominates; for an SME the fine is capped at the lower of the two figures. A missing Article 50 disclosure sits in the middle tier — cheap to avoid, expensive to ignore.
The Compliance Manifest — One Record Per Feature
Now the engineering pattern that ties the buckets together. The most durable way to operate a video AI product under these rules is to attach a small, machine-readable compliance manifest to every AI feature — a structured record that captures what the feature does and which obligations it owes. Build it once per feature, keep it in version control next to the code, and it becomes the single source of truth that feeds the classifier, the disclosure layer, the GDPR record of processing, and the eventual high-risk database registration.
A manifest is plain data. For each feature it records the purpose, the kind of video processing, whose data it touches, the jurisdictions it runs in, the resulting risk bucket, the disclosures it must emit, the legal basis for any personal data, and the retention rule. Here is the shape:
```json
{
  "feature_id": "avatar-agent-v2",
  "purpose": "AI avatar that greets and answers visitors in a live video kiosk",
  "video_processing": ["synthetic_generation", "direct_interaction"],
  "data_subjects": ["end_users"],
  "jurisdictions": ["EU", "US-IL", "CN"],
  "risk_bucket": "transparency",
  "obligations": {
    "eu_ai_act_50_1": "show 'You are speaking with an AI' on first frame",
    "eu_ai_act_50_2": "provider (vendor X) embeds C2PA marker — verify in CI",
    "eu_ai_act_50_4": "show visible 'AI-generated' badge on rendered video",
    "cn_label": "explicit + implicit label for China distribution",
    "gdpr_basis": "consent (Art. 6/9) captured before capture"
  },
  "retention_days": 30,
  "owner": "video-platform-team",
  "last_reviewed": "2026-06-03"
}
```
With a manifest per feature, compliance stops being a quarterly fire drill and becomes a property the build can check. A continuous-integration step can assert that every feature with synthetic_generation in its processing list has a 50_2 and a 50_4 obligation filled in; that no feature carries a risk_bucket of prohibited; that every feature touching EU data subjects has a GDPR basis. This is the same discipline the eval-rig lesson applies to quality — encode the requirement as a test, and the requirement holds. It is also the raw material for the audit harness: a script that walks the manifests and prints, per feature, what is owed and what is missing.
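One way to write that CI step and audit harness, as an added example rather than code from the original lesson or from Fora Soft. It assumes the obligation keys of the sample manifest and treats an obligation as filled in when it is a non-empty string; apart from the first record, the sample manifests are constructed for the demonstration.

```python
import json
import sys

# Rules mirror the CI assertions described above: (obligation key, trigger).
# Key names follow the sample manifest; the triggers are this example's reading.
RULES = [
    ("eu_ai_act_50_1", lambda m: "direct_interaction" in m["video_processing"]),
    ("eu_ai_act_50_2", lambda m: "synthetic_generation" in m["video_processing"]),
    ("eu_ai_act_50_4", lambda m: "synthetic_generation" in m["video_processing"]),
    ("cn_label", lambda m: "CN" in m["jurisdictions"]
        and "synthetic_generation" in m["video_processing"]),
    ("gdpr_basis", lambda m: "EU" in m["jurisdictions"]),
]
REQUIRED_FIELDS = ("feature_id", "video_processing", "jurisdictions",
                   "risk_bucket", "obligations")

# Constructed sample data: the first record is the manifest shown above
# (trimmed); the other three are made up to exercise each failure.
SAMPLE_MANIFESTS = json.loads("""
[
  {"feature_id": "avatar-agent-v2",
   "video_processing": ["synthetic_generation", "direct_interaction"],
   "jurisdictions": ["EU", "US-IL", "CN"],
   "risk_bucket": "transparency",
   "obligations": {
     "eu_ai_act_50_1": "show 'You are speaking with an AI' on first frame",
     "eu_ai_act_50_2": "provider (vendor X) embeds C2PA marker; verify in CI",
     "eu_ai_act_50_4": "show visible 'AI-generated' badge on rendered video",
     "cn_label": "explicit + implicit label for China distribution",
     "gdpr_basis": "consent (Art. 6/9) captured before capture"}},
  {"feature_id": "face-swap-v1",
   "video_processing": ["synthetic_generation"],
   "jurisdictions": ["EU"],
   "risk_bucket": "transparency",
   "obligations": {"eu_ai_act_50_2": "provider embeds marker; verify in CI",
                   "eu_ai_act_50_4": "  "}},
  {"feature_id": "engagement-detector-v1",
   "video_processing": ["emotion_inference"],
   "jurisdictions": ["EU"],
   "risk_bucket": "prohibited",
   "obligations": {"gdpr_basis": "consent"}},
  {"feature_id": "highlight-gen-v3", "risk_bucket": "minimal"}
]
""")


def audit_manifest(m):
    """Return what one feature owes, what is missing, and any hard errors."""
    report = {"feature_id": m.get("feature_id", "<unknown>"),
              "owed": [], "missing": [], "errors": []}
    absent = [f for f in REQUIRED_FIELDS if f not in m]
    if absent:
        # Fail closed: without these fields no obligation can be derived.
        report["errors"].append("missing fields: " + ", ".join(absent))
        return report
    if m["risk_bucket"] == "prohibited":
        report["errors"].append("risk_bucket is 'prohibited': do not ship")
    obligations = m["obligations"] if isinstance(m["obligations"], dict) else {}
    for key, applies in RULES:
        if applies(m):
            report["owed"].append(key)
            value = obligations.get(key)
            if not (isinstance(value, str) and value.strip()):
                report["missing"].append(key)
    return report


def audit_all(manifests):
    """Audit every manifest; exit code 1 fails the build on any gap."""
    reports = [audit_manifest(m) for m in manifests]
    failed = any(r["missing"] or r["errors"] for r in reports)
    return reports, (1 if failed else 0)


def main():
    reports, exit_code = audit_all(SAMPLE_MANIFESTS)
    for r in reports:
        status = "FAIL" if (r["missing"] or r["errors"]) else "ok"
        print(f"[{status}] {r['feature_id']}")
        print("    owed:    " + (", ".join(r["owed"]) or "-"))
        print("    missing: " + (", ".join(r["missing"]) or "-"))
        for err in r["errors"]:
            print("    error:   " + err)
    return exit_code


if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the sample list would be replaced by the manifests loaded from the repository, and the non-zero exit code is what blocks the release.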
Article 50 In Code — The Disclosure A Deployer Owes
The transparency duties reduce to three concrete outputs, and because they are what you must ship in 2026, they are worth seeing as code. The deployer's job for a generative-video feature is to emit a human-visible disclosure (Article 50(4)) and to confirm the provider's machine-readable marker is present (Article 50(2)). A thin compliance layer wrapping the model call expresses both:
```python
class ComplianceError(Exception):
    """Raised when a clip must not be released."""


# burn_in_label, has_provenance_marker and announce_ai_to_user are helpers the
# application supplies; session is the live user session the clip is shown in.
def deliver_generated_clip(clip, manifest, session):
    # 50(4): the deployer must disclose a deepfake / manipulated media to the human,
    # clearly and at first exposure. A burned-in badge plus a UI label satisfies it.
    if "synthetic_generation" in manifest["video_processing"]:
        clip = burn_in_label(clip, text="AI-generated")   # visible to the viewer
        clip.ui_flags["ai_disclosure"] = True              # shown before playback
        # 50(2): the *provider* marks the file machine-readably. As deployer you verify it
        # arrived — never assume the vendor did it; missing markers are your release blocker.
        if not has_provenance_marker(clip):                # e.g. C2PA manifest present?
            raise ComplianceError("50(2) marker missing — block release, ask provider")
    # 50(1): if the feature interacts with the user (an agent), announce it up front.
    if "direct_interaction" in manifest["video_processing"]:
        announce_ai_to_user(session, manifest["obligations"]["eu_ai_act_50_1"])
    return clip
```
The shape is the point, not the helper names: disclosure is a guard at the boundary where content reaches the user, and the manifest tells the guard what to check. The artistic-and-creative carve-out in 50(4) is a flag on the manifest, not a special code path; the China explicit-and-implicit labelling requirement (below) is another disclosure the same guard can emit when the manifest lists CN in its jurisdictions. Build the guard once and every generative feature inherits it.
Beyond Europe — The United States And China
The EU framework is the most structured, but a global product ships into two more regimes, and a classifier that only knows European law will miss obligations that already carry teeth.
In the United States there is no single federal AI law, but two pieces of federal action bear directly on video. The TAKE IT DOWN Act, signed into law on 19 May 2025, is already in force: it makes knowingly publishing non-consensual intimate imagery — including AI deepfakes — a federal crime, and it requires covered platforms to remove such content within 48 hours of a valid request and to make reasonable efforts to remove copies, with the Federal Trade Commission enforcing the notice-and-removal duty as of May 2026. If your product hosts user video, you owe a working notice-and-takedown path now. The NO FAKES Act is the bill to watch: a revised, broadly endorsed version was introduced in the Senate and House on 20 May 2026, and it would create a federal right against unauthorised digital replicas of a person's voice or visual likeness, with platform liability for knowingly hosting them and a counter-notice procedure for disputed takedowns. It is not yet law — it awaits committee markup — but its backers (from the major studios and labels to OpenAI, YouTube, and TikTok) make it the most likely federal likeness law to pass, and a product that builds AI avatars, voice clones, or face-swaps should design its consent and takedown flows to anticipate it.
At the US state level, the law that most often surprises engineers is Illinois's Biometric Information Privacy Act (BIPA). It requires informed, written consent before you collect a biometric identifier — and a faceprint or a voiceprint built from video counts — plus a written retention-and-destruction policy, and it bans selling the data. Crucially, BIPA gives individuals a private right of action with statutory damages of 1,000 dollars per negligent violation and 5,000 dollars per intentional or reckless violation. A 2024 amendment (SB 2979) eased the arithmetic by ruling that repeatedly scanning the same person by the same method counts as a single violation rather than one per scan, but the consent-first requirement is unchanged and is the practical trigger: capture a faceprint from an Illinois user without prior written consent and you have a per-person claim. The consent-capture engineering for face features is covered in the face recognition lesson; the regulatory rule is simply consent before capture, recorded.
In China, the Cyberspace Administration's Measures for Labeling AI-Generated Synthetic Content, backed by the mandatory national standard GB 45438-2025, took effect on 1 September 2025. They require AI-generated content — including video — to carry both an explicit label that an ordinary viewer can see and an implicit label embedded in the file's metadata. For a product distributing AI-generated video into China, that is two markers, not one, and the implicit metadata label is mandatory for all such content. The pattern rhymes with Article 50 but is stricter on the visible label, which is why the disclosure guard reads the feature's jurisdiction list rather than assuming one rule fits every market.
Figure 5. The same feature owes different things in different markets. A compliance manifest that lists a feature's jurisdictions lets the disclosure layer emit the right marker for each, instead of shipping one rule everywhere.
GDPR Sits Underneath All Of It
One more layer runs beneath the AI-specific rules and is easy to forget: in Europe, the General Data Protection Regulation governs the personal data your video features process, and the AI Act explicitly leaves it in force. Two GDPR articles matter most. Article 9 treats biometric data used to uniquely identify someone as a special category that you may not process without a specific lawful basis — most often the person's explicit consent. Article 22 gives people the right not to be subject to a decision based solely on automated processing where it has legal or similarly significant effects — relevant the moment a video AI feature gates access to a service or a job without a human in the loop. The practical reading for an engineer is that an Article 50 disclosure is necessary but not sufficient: telling users that emotion analysis is running satisfies the AI Act, but you still need a GDPR basis to process the biometric data that analysis consumes. The classifier should therefore output a GDPR flag alongside the AI Act bucket, so a feature that touches biometric data never ships without its lawful basis recorded in the manifest.
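The classifier described at the start of the lesson, with the GDPR flag from this section attached to its output, as an added example that is not code from the original lesson. The `Feature` fields, capability names and bucket spellings are assumptions of this sketch, the rules are limited to the ones the lesson states (the pending intimate-imagery ban is left out), and the sample features are constructed from the lesson's own illustrations.

```python
from dataclasses import dataclass

# Uses that make a feature high-risk: the trigger is the use, not the technology.
HIGH_RISK_USES = {"learning_outcome", "exam_proctoring", "candidate_screening",
                  "essential_service_access", "law_enforcement", "border_control"}
# Capabilities that consume biometric data and so need a recorded GDPR basis.
BIOMETRIC_CAPS = {"emotion_inference", "biometric_categorisation",
                  "sensitive_trait_categorisation",
                  "remote_biometric_identification", "untargeted_face_scraping"}


@dataclass(frozen=True)
class Feature:                       # hypothetical feature description
    name: str
    capabilities: frozenset          # what the feature does to video
    context: str = "consumer"        # where it runs: workplace, education, ...
    use: str = ""                    # decision the output feeds, if any
    medical_or_safety: bool = False  # narrow exception for emotion inference
    human_in_loop: bool = True       # False = decision is solely automated


def classify(f):
    """Return the risk bucket, Article 50 duties and GDPR flags for a feature."""
    caps = f.capabilities
    banned, high, art50 = [], [], []

    # Question 1: is it on the Article 5 banned list?
    if "untargeted_face_scraping" in caps:
        banned.append("untargeted scraping of facial images")
    if ("emotion_inference" in caps and f.context in {"workplace", "education"}
            and not f.medical_or_safety):
        banned.append("emotion inference in workplace or education")
    if "sensitive_trait_categorisation" in caps:
        banned.append("biometric categorisation by sensitive traits")
    if ("remote_biometric_identification" in caps
            and f.context == "public_space_realtime"
            and f.use == "law_enforcement"):
        banned.append("real-time remote biometric ID in public "
                      "(narrow exceptions need prior judicial authorisation)")

    # Question 2: is the use listed as high-risk?
    if f.use in HIGH_RISK_USES:
        high.append("high-risk use: " + f.use)
    if caps & {"remote_biometric_identification", "biometric_categorisation"}:
        high.append("remote biometric identification or categorisation")

    # Question 3: which Article 50 transparency duties fire?
    if "direct_interaction" in caps:
        art50.append("50(1)")
    if "synthetic_generation" in caps:
        art50 += ["50(2)", "50(4)"]   # provider marks the file, deployer discloses
    if caps & {"emotion_inference", "biometric_categorisation"}:
        art50.append("50(3)")

    if banned:
        bucket, art50 = "prohibited", []   # nothing makes a banned feature shippable
    elif high:
        bucket = "high_risk"
    elif art50:
        bucket = "transparency"
    else:
        bucket = "minimal"

    return {
        "feature": f.name,
        "bucket": bucket,
        "reasons": banned or high,
        "article_50": art50,
        # GDPR sits underneath: biometric processing needs a lawful basis,
        # and a solely automated decision needs an Article 22 review.
        "gdpr_basis_required": bool(caps & BIOMETRIC_CAPS),
        "gdpr_art22_review": bool(f.use) and not f.human_in_loop,
    }


# Constructed samples, taken from the illustrations used in the lesson.
SAMPLES = [
    Feature("engagement-detector", frozenset({"emotion_inference"}), "education"),
    Feature("face-present-check", frozenset({"face_detection"}), "education"),
    Feature("parking-counter", frozenset({"object_detection"})),
    Feature("applicant-screen", frozenset({"object_detection"}), "workplace",
            use="candidate_screening", human_in_loop=False),
    Feature("avatar-agent", frozenset({"synthetic_generation", "direct_interaction"})),
    Feature("audience-reaction", frozenset({"emotion_inference"}), "consumer_event"),
]

if __name__ == "__main__":
    for feature in SAMPLES:
        print(classify(feature))
```

The two `object_detection` samples show the point made under Bucket Two: the same detector is minimal-risk when it counts parking spaces and high-risk when it screens applicants.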
Where Fora Soft Fits In
We build video products across conferencing, streaming and OTT, e-learning, telemedicine, and surveillance, and in every one of them the regulatory questions arrive as engineering decisions, not legal abstractions. Our practice is to classify each AI feature into its bucket at design time, attach a compliance manifest to it in the repository, and let a continuous-integration check fail the build when a generative feature lacks its Article 50 disclosure or a biometric feature lacks its consent record. We keep the disclosure layer — the visible "AI-generated" badge, the machine-readable provenance marker verification, the China explicit-and-implicit labels — as one guard at the point where content reaches the user, driven by the feature's manifest rather than scattered through the code. The verticals change which rules dominate: a telemedicine or hiring tool is where the high-risk regime bites and the fundamental-rights assessment becomes real work; an e-learning product is where the emotion-recognition ban quietly rules out a tempting "engagement" feature; a generative-OTT or avatar product is where Article 50 disclosure and the new intimate-imagery safeguards govern every release. The method is constant: classify the feature, record the obligations, implement them as build steps, and audit the manifests before every ship.
What To Read Next
- Face Detection And Recognition Under The EU AI Act
- Quality + Cost Gates + C2PA + EU AI Act Article 50 Disclosure Engineering
- Real-Time Content Moderation In The SFU


