Skip to main content
Signing your content is free. See it on your own words in two minutes.Start free Explore Encypher Mark

EU AI Act and Content Provenance

The EU AI Act requires machine-readable marking of AI-generated content. The compliance deadline is August 2, 2026. C2PA manifests are the industry-standard implementation.

Key date: August 2, 2026

Full EU AI Act Article 50 transparency obligations take effect for new systems. Generative systems already on the market before that date have a transitional period to December 2, 2026 (May 2026 AI Omnibus). Organizations with EU users that generate AI content for public audiences need compliant marking infrastructure in place.

The 30-second proof runs an AI model in Provenance Chat and verifies the mark live. Or try it yourself.

Policymaker or regulator? Read the two-page Article 50 brief.

The Compliance Timeline at a Glance

  1. Aug 1, 2024

    AI Act enters into force

    Regulation (EU) 2024/1689 becomes law across the EU.

  2. Feb 2, 2025

    Prohibitions apply

    Bans on prohibited AI practices take effect.

  3. Applies in under 2 months

    Aug 2, 2026

    Article 50 transparency obligations

    Machine-readable marking required. Generative systems placed on the market from this date must comply from day one.

  4. Dec 2, 2026

    Grace period ends for existing systems

    Generative AI systems already on the market before Aug 2, 2026 must complete Article 50(2) marking (May 2026 AI Omnibus agreement).

  5. Dec 2, 2027

    High-risk systems

    Stand-alone high-risk AI obligations apply (embedded systems follow Aug 2, 2028).

What the EU Code of Practice asks for

The Code of Practice on Transparency of AI-Generated Content, published in final form on June 10, 2026, operationalises Article 50. Its own words set a high bar, and concede the hard part. Encypher is built to address that technical gap.

“Providers shall ensure their technical solutions are effective, interoperable, robust and reliable as far as this is technically feasible, taking into account the specificities and limitations of various types of content, the costs of implementation and the generally acknowledged state of the art.”

EU Code of Practice on Transparency of AI-Generated Content, final Code (June 10, 2026), Section 1 (Article 50(2))

“no single marking technique suffices ... only an appropriate combination of marking techniques and associated detection mechanisms can allow satisfaction of those requirements.” Signatories “will implement a multi-layered marking approach ... with at least two layers of machine-readable marking.”

EU Code of Practice, final Code (June 10, 2026), Recital and Measure 1.1

“given that free-form text cannot transport metadata, a single-layer of marking ... is considered sufficient.”

EU Code of Practice, final Code (June 10, 2026), Measure 1.1 (free-form text)

Quotations are excerpts from the EU Code of Practice on Transparency of AI-Generated Content, published as the final Code on June 10, 2026; ellipses mark omitted text. Source: European Commission.

That last line is the gap. Free-form text was assumed unable to carry a signed mark. Encypher carries a signed, tamper-evident mark inside the text itself, surviving copy-paste, using C2PA Section A.7, which we co-authored. Here is how the two-layer ask maps to what we provide.

What the Code asks forWhat Encypher provides
Layer 1: digitally signed, time-stamped, tamper-evident metadataC2PA manifest with a COSE signature and an RFC-3161 timestamp
Layer 2: an imperceptible mark difficult to separate from the contentInvisible embedding in text, plus signal-domain watermarking for image, audio, and video
At least two layers of machine-readable markingBoth layers in one API call, across many media types
Free-form text “cannot transport metadata”A signed mark carried inside free-form text that survives copy-paste, via C2PA Section A.7
Detection available free of charge to the public and researchersFree public verification in Provenance Chat and the sign-and-verify demo
Marking and detection may be provided by third partiesEncypher is that independent third-party provider

The case the rules treat as too hard: short text

The rulebook leaves the hardest case out. AI content must be marked, “with the exception of very short text” (Sub-measure 1.1.2). In plain terms: short text was treated as too hard to mark.

That is the gap Encypher closes. Encypher marks short text so it can be checked later, invisibly, even down to a single sentence. It is not magic: if text is fully rewritten the mark can be lost. But it closes the exact gap the rulebook says is hard.

See it, do not just read it.

Watch an AI model produce a response that is marked and independently verified, live. This helps demonstrate the Article 50 marking and detection obligations. It does not by itself guarantee compliance.

The Regulatory Framework

The EU AI Act (Regulation (EU) 2024/1689) establishes a risk-based framework for AI regulation across the European Union. For content provenance, the relevant provisions are Article 50 (transparency obligations) and the supporting technical specifications.

Article 50 sets out four obligation sets, split between providers and deployers. The table below maps each subsection: who it binds, what it requires, and how Encypher relates.

ProvisionWhoWhat it requiresHow Encypher relates
Article 50(1)ProviderSystems that interact with people (chatbots, assistants, agents) must make clear the person is dealing with an AI.Disclosure practice; Encypher provenance can document that a given output came from an AI system.
Article 50(2)ProviderSystems generating synthetic audio, image, video, or text must mark outputs in a machine-readable format, detectable as AI-generated.Encypher's core fit: C2PA manifests plus invisible text marking applied at the point of generation.
Article 50(3)DeployerOperators of emotion-recognition or biometric-categorisation systems must inform the people exposed to them.Outside Encypher's product scope; a disclosure duty to track in your compliance map.
Article 50(4)DeployerDeep fakes must be disclosed as artificially generated or manipulated. AI-generated or AI-edited text published to inform the public on matters of public interest must be disclosed, unless a natural or legal person holds editorial responsibility for the publication.Marked content carries its own disclosure record; the audit trail evidences what was published, when, and how it was marked.

Note the split: the provider marking duty in Article 50(2) applies to synthetic output generally. The public-interest text scope belongs to the deployer disclosure duty in Article 50(4); it does not narrow the marking duty.

The EU AI Act applies to any organization providing or deploying AI systems to users in the EU, regardless of where the organization is headquartered. An American AI company with European users is subject to Article 50 requirements.

What Machine-Readable Marking Requires

The EU AI Act requires marking that is machine-readable, meaning it can be processed by software without human interpretation. A visible label saying "Generated by AI" satisfies transparency for human readers but does not satisfy the machine-readable requirement alone.

Machine-readable marking must be embedded in or attached to the content in a structured format that allows automated verification. The EU AI Act does not prescribe a specific technical standard, but the recitals reference interoperability and the importance of standards. C2PA is the industry consensus implementation.

A C2PA manifest embedded in AI-generated content records:

  • That the content is AI-generated (action: c2pa.ai.generated)
  • The generating system identity (AI model and version)
  • Generation timestamp (tamper-evident)
  • Content hash (detects subsequent modification)
  • Publisher or deployer identity (organizational certificate)

This information is verifiable by any party - regulators, auditors, platform operators - using open-source C2PA libraries, without requiring access to proprietary systems.

Article 50 Implementation Guide

Implementing Article 50 compliance with Encypher requires integration at the AI content generation step. The integration pattern differs by content type:

Text Content

After AI text generation, before publishing or distributing the content, call the Encypher signing API with the generated text. The API returns the text with embedded C2PA manifest markers. Publish the signed version. The manifest identifies the content as AI-generated and records the generation metadata.

Image Content

Pass the AI-generated image file to the signing API. The API returns the image with an embedded C2PA JUMBF manifest in the file container. Supported formats include JPEG, PNG, WebP, TIFF, AVIF, and HEIC. The manifest records the AI-generation action with generating system identity.

Audio and Video Content

Audio and video files are signed with C2PA manifests embedded in their container structures (ISO BMFF uuid boxes for MP4/MOV/M4A, RIFF chunks for WAV/AVI, ID3 GEOB frames for MP3). The manifest records the AI-generation event and generating system.

A single Encypher API integration handles all content types. SDKs for Python, TypeScript, Go, and Rust wrap the REST API. Batch endpoints handle signing at scale.

dashboard.encypher.com
A signed response in the Encypher dashboard API playground showing success, document ID, and the signed text returned by POST /sign
Machine-readable marking in practice: a signed API response with the C2PA manifest embedded in the returned text.

Penalties

The canonical dates are in the timeline at the top of this page: Article 50 transparency obligations apply from August 2, 2026 for new systems, with a transitional period to December 2, 2026 for generative systems already on the market.

Penalties for non-compliance with transparency obligations run up to EUR 15 million or 3 percent of global annual turnover, whichever is higher. For large AI providers, the financial exposure is material.

Enterprise implementation of C2PA signing typically requires 60-90 days including API integration, workflow modification, and testing. Organizations that wait until close to the August 2026 deadline will face compressed implementation timelines during a period of peak demand for compliance services.

The Content Creators' Perspective

The EU AI Act's Article 50 requirements benefit human content creators as well as creating obligations for AI providers. When AI-generated content is marked, human-authored content that is not marked becomes distinguishable from it.

Publishers, journalists, and authors who sign their human-authored content with C2PA provenance create a documented distinction from AI-generated content. A news outlet with a signed archive of human-authored journalism can demonstrate the distinction between their original reporting and AI-generated summaries. This distinction has commercial value in an environment where readers increasingly want to know which content is human-authored.

The EU AI Act does not require human-authored content to be marked. But the availability of C2PA infrastructure creates the practical ability to make that distinction, and the incentive to do so grows as AI-generated content proliferates.

See how it works

Mark every AI output your systems produce and demonstrate Article 50 coverage to a regulator.

Start free by hand: paste a piece of AI-generated text, mark it in one click, and walk away with the marked text, a ready-to-paste disclosure statement, and a downloadable per-content Encypher compliance certificate. When your team needs to mark at scale, Mark Compliance automates marking through the API and SDK.

An Encypher compliance certificate is an Encypher-issued record of how your content was marked and verified. It is legally distinct from a government certification and is not legal advice. Confirm your obligations with qualified counsel.

Prefer to read it? The page-by-page walkthrough below shows the same steps.

  1. 1

    Paste your AI text

    Drop in any AI-generated text. No setup, no API key.

    Pasting AI-generated text into the Encypher Mark editor
  2. 2

    Mark it in one click

    Encypher embeds the machine-readable C2PA marking the EU AI Act Article 50 expects.

    Marking the AI text in one click in the Encypher Mark flow
  3. 3

    Get your marked text

    Copy the marked text. The invisible marking travels with it and survives copy and paste.

    Copying the marked text output from the Encypher Mark flow
  4. 4

    Share the disclosure

    A ready-to-paste AI disclosure statement and badge, generated for you.

    The generated AI disclosure statement and embeddable badge
  5. 5

    Prove it with a certificate

    Download a per-content compliance certificate and a public verify link anyone can check.

    Downloading the per-content compliance certificate and public verify link

Download the one-page walkthrough (PDF)

Free way to start

Mark AI content by hand

Paste, mark, and download an Encypher compliance certificate. No API key to set up. Up to five Encypher compliance certificates a month, free. The deadline is August 2, 2026.

Start Marking Free

For teams

Mark Compliance

Automate marking at scale through the API and SDK, with unlimited Encypher compliance certificates, the Article 50 evidence dossier and a live coverage view, audit-log retention, seats, and support.

Talk to us about Mark Compliance

Related Resources

Demonstrate Article 50 coverage before August 2, 2026

Start free by marking AI content by hand. When your systems generate AI output at scale, Mark Compliance automates marking through the API and SDK and gives you the Article 50 evidence dossier with a live coverage view. The August 2, 2026 deadline is your planning horizon.

Related