48 Days. €15 Million. Does Your CMS Know What It Published?

Note: This page describes regulatory frameworks in general terms only. Nothing here is legal advice. Requirements vary by jurisdiction, entity type, and use case. Consult qualified legal specialists for guidance specific to your situation.

On 2 August 2026 (48 days from today), the EU AI Act's Article 50 transparency obligations become enforceable law. The fines are real: up to €15 million, or 3% of your global annual turnover, whichever hurts more.

Here's what the regulation actually requires: if your system generates, assists, or significantly shapes content intended for the public, it must carry machine-readable proof of its origin. Not a disclaimer in small print. Not a policy page. Machine-readable. Detectable by other systems. Verifiable.

For most enterprise CMS platforms, that requirement lands somewhere between "difficult" and "architecturally impossible." Not because the content teams are careless. Because the systems underneath them were never designed to track a sentence's origin.

The provenance problem is a structural one.

Modern content pipelines are multi-handed. A product description might start as a brief drafted by a human, refined by an LLM, reviewed by an editor, localised by an AI translation service, and published through a headless CMS into five markets simultaneously. Ask that system which parts are "AI-generated" and it'll look at you blankly.

Article 50 doesn't care about the complexity of your pipeline. It cares about the output. If an AI was materially involved, the content must be marked. Machine-readably. At publication. Not retrospectively.

What machine-readable provenance actually looks like.

The European Commission's Code of Practice on Transparency of AI-Generated Content, published just last week, points toward technical standards like C2PA (Coalition for Content Provenance and Authenticity) as the implementation mechanism. C2PA works by attaching signed, verifiable metadata to content at the point of creation or modification: a chain of custody that survives republication and AI scraping.

This is precisely the problem REGINALD was designed to solve.

REGINALD (the Registry for Genuine Information, Notarised Authentication, and Legitimate Documentation) uses Ed25519 cryptographic signatures to attach verifiable provenance to every document in the MX OS network at the moment of authorship. When a document is written, revised, or AI-assisted, that event is recorded and signed. The chain of custody is immutable and machine-readable by any conforming agent or auditing system.

For a CMS publisher, this means: every piece of content carries a signed record of its origin, its revision history, who reviewed it, and what AI systems touched it. Not in a database that might be subpoenaed. In the document itself.

The compliance question is really a content infrastructure problem.

"Are we compliant with Article 50?" is the wrong question. The right question is: does our content layer know what it published, who created it, and how it came to exist?

If your documents carry their own provenance, Article 50 compliance is a byproduct, not a project. If they don't, you have 48 days to build a provenance layer that most legacy CMS vendors have never considered.

The companies that will navigate this cleanly are the ones that treated document provenance as infrastructure from the start: not a legal feature bolted on before a deadline, but a structural property of every file they publish.

MX OS was built exactly for this. The deadline just made it urgent for everyone else.

A note on scope. The 2 August deadline applies to new AI systems. For teams already running generative AI tools before that date, the watermarking and labelling requirements have been extended to 2 December 2026 under the AI Act Omnibus. That extension is narrower than it sounds: it only covers existing system deployments, not new content produced by those systems after August 2. If your CMS is publishing AI-assisted content from August 3 onwards, the obligation applies regardless of when you deployed the underlying model.

If you're a CMS vendor, a digital agency, or a publisher with AI-generated content in your stack and no provenance layer beneath it, I'm happy to talk.

Tom Cranstoun is CEO of Digital Domain Technologies Ltd and the founder of MX OS. The MX Handbook is available now. MX: The Protocols ships July 2026.