EU AI Act Implementation

Article 50 of the EU AI Act requires deployers of certain AI systems to mark and disclose AI-generated content. This guide describes how Verbitas supports Article 50 technical measures and what language you should — and should not — use when describing your implementation.

What Article 50 requires (simplified)

Article 50 applies primarily to:

  1. AI systems that generate synthetic audio, video, image, or text that resembles real people or events (deep-fake content)
  2. AI systems that generate text published for the purpose of informing the public

Deployers must use technical means to mark the output as artificially generated or manipulated. The specific technical standard is not mandated — C2PA is considered an accepted approach for machine-readable disclosure.

Read the full regulation and consult qualified legal advice for your specific deployment context. Verbitas does not provide legal advice.

What Verbitas provides for Article 50

Verbitas provides the technical layer that records AI-generated assertions in machine-readable C2PA manifests. Specifically:

| Technical measure | How Verbitas implements it |
| --- | --- |
| Machine-readable AI disclosure | C2PA assertion `ai_generated: true` embedded in JUMBF manifest |
| Tamper-evident mark | Cryptographic signature (X.509 + KMS); any modification invalidates the manifest |
| Durable disclosure (survives stripping) | TrustMark / AudioSeal / VideoSeal watermark pointing to the manifest record |
| Verifiable by third parties | Public verify API at https://api.verbitas.io/v1/verify; public UI at https://v.verbitas.io |
| Audit trail | Append-only tenant audit log (`GET /v1/audit`); manifest retention per recipe `manifest_days` |

Recommended recipes for Article 50 use cases

| Content type | Recommended recipe | Key assertions |
| --- | --- | --- |
| AI-generated image | image-genai-v1 or image-deepfake-v1 | ai_generated, generator, model |
| Deep-fake / face-swap image | image-deepfake-v1 | ai_generated, deepfake_disclosure |
| AI-generated audio / TTS | audio-genai-v1 | ai_generated, generator |
| Voice clone | audio-voiceclone-v1 | ai_generated, voiceclone_disclosure |
| AI-generated video | video-genai-v1 | ai_generated, generator |
| LLM-generated text | text-genai-disclosure-v1 | ai_generated, generator, model |

For editorial or journalistic content, pair with image-editorial-v1 and set retention.manifest_days: 2555 (7 years).

Implementation steps

1. Sign at generation time

Verbitas must be called at or immediately after generation, before the content is distributed. Do not sign after the fact: the manifest timestamp would then reflect a later time than the generation timestamp.

```python
import io

import verbitas

client = verbitas.Client()

# Call your AI model
image_bytes = my_diffusion_model.generate(prompt)

# Wrap the raw bytes in a file-like object for signing
image_bytes_as_file = io.BytesIO(image_bytes)

# Sign immediately, before the content is distributed
result = client.sign(
    image_bytes_as_file,
    recipe="image-genai-v1",
    metadata={
        "generator": "my-model-name",
        "model": "my-model-v1",
        # Optionally: "prompt_hash": sha256_of_prompt
    },
)

# Store asset_id and verifier_url with the asset record
store_asset(image_bytes, result.asset_id, result.verifier_url)
```

2. Surface the disclosure to users

Embed the verifier badge on pages that display the content. Users who click the badge are taken to the public verifier where they can confirm the disclosure and what it proves.

The verifier always shows:

  • That the content was marked as AI-generated at sign time
  • The timestamp of the signing event
  • What the verification result proves and does not prove

3. Configure retention for compliance evidence

For Article 50 compliance evidence, set manifest retention to at least 7 years:

```yaml
# In your custom recipe:
retention:
  manifest_days: 2555 # ~7 years
```

On the Enterprise plan, audit log entries are also retained for 7 years.

4. Enable anchoring for tamper-evidence

The anchor batch creates a Bitcoin timestamp that proves the manifest existed before a specific block. This provides independent evidence that the disclosure was made at a specific time and was not fabricated retroactively.

```yaml
anchoring:
  enabled: true
  methods: [opentimestamps, arbitrum]
```

Audit log for compliance documentation

The GET /v1/audit endpoint provides a machine-readable record of all sign events:

```bash
# Export all sign events for a compliance audit period
curl "https://api.verbitas.io/v1/audit?from=2026-01-01T00:00:00Z&to=2026-12-31T23:59:59Z&event_type=asset.signed&format=ndjson" \
  -H "Authorization: Bearer $VERBITAS_API_KEY" \
  > compliance-audit-2026.ndjson
```

Each entry includes the asset ID, recipe used, file type, signing timestamp, and the actor key ID.
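
One way to turn the export into compliance evidence is to reconcile it against your own asset records and flag assets with no sign event or one that came long after generation (the after-the-fact case from step 1). This is an added example, not Verbitas code; the NDJSON field names, the asset-store layout and the five-minute threshold are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export. Field names are assumptions derived from the
# fields the page lists; check them against a real export before use.
SAMPLE_AUDIT_NDJSON = """\
{"event_type": "asset.signed", "asset_id": "ast_001", "recipe": "image-genai-v1", "file_type": "image/png", "signed_at": "2026-03-01T10:00:02Z", "actor_key_id": "key_a"}
{"event_type": "asset.signed", "asset_id": "ast_002", "recipe": "audio-genai-v1", "file_type": "audio/wav", "signed_at": "2026-03-02T09:30:00Z", "actor_key_id": "key_a"}
"""

# Constructed sample of your own asset store (asset_id is None if never signed).
SAMPLE_ASSETS = [
    {"name": "hero.png", "asset_id": "ast_001", "generated_at": "2026-03-01T10:00:00Z"},
    {"name": "intro.wav", "asset_id": "ast_002", "generated_at": "2026-03-01T09:30:00Z"},
    {"name": "banner.png", "asset_id": None, "generated_at": "2026-03-03T12:00:00Z"},
]

def parse_ts(value):
    # datetime.fromisoformat rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def load_sign_events(ndjson_text):
    """Index asset.signed entries by asset ID, skipping blank lines."""
    events = {}
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("event_type") == "asset.signed":
            events[entry["asset_id"]] = entry
    return events

def reconcile(assets, events, max_lag=timedelta(minutes=5)):
    """Return (name, finding) pairs for assets lacking timely sign evidence."""
    findings = []
    for asset in assets:
        event = events.get(asset["asset_id"])
        if event is None:
            findings.append((asset["name"], "no asset.signed entry"))
            continue
        lag = parse_ts(event["signed_at"]) - parse_ts(asset["generated_at"])
        if lag > max_lag:
            findings.append((asset["name"], f"signed {lag} after generation"))
    return findings

if __name__ == "__main__":
    for name, finding in reconcile(SAMPLE_ASSETS, load_sign_events(SAMPLE_AUDIT_NDJSON)):
        print(f"{name}: {finding}")
```
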

Approved language

Use this language when describing your Verbitas-based implementation to regulators, legal teams, or end users.

Approved:

  • “Content is marked with machine-readable AI-generated assertions per C2PA 2.4.”
  • “Provenance infrastructure that records AI generation claims in tamper-evident manifests.”
  • “Technical measures that disclose AI origin and can be verified by third parties.”
  • “Cryptographic linkage between generated content and its origin record.”
  • “Verbitas records ai_generated: true in a C2PA manifest. This record can be verified at [verifier URL].”

Not approved (do not use):

  • “Verbitas makes our content Article 50 compliant.”
  • “This content is verified as AI-generated.” (implies truth of the assertion)
  • “Verbitas certifies compliance with the EU AI Act.”
  • “Verified AI-generated content.”
  • “This content is authentic / real / genuine.”
  • “Compliant with Article 50.”

See Compliance: Positioning for the full approved language list.

What Verbitas records vs. what it proves

| What Verbitas records | What it proves |
| --- | --- |
| `ai_generated: true` was submitted by your API key at sign time | The claim was recorded and signed. Not that the claim is accurate — you are responsible for submitting accurate assertions. |
| Timestamp of the sign event | The sign event occurred at that time per RFC 3161 and the anchor batch |
| Generator name and model | The value you submitted. Verbitas does not independently verify generator identity. |

Your organisation remains responsible for the accuracy of the assertions you submit.

Further reading