Compliance Checklist
For teams producing AI-generated images, video, audio or text. Article 50 applies from 2 August 2026.
Source: Regulation (EU) 2024/1689.
Every AI-generated asset must carry machine-readable metadata identifying it as AI-generated. The standard the EU Commission points to is C2PA Content Credentials.
Are your AI-generated outputs embedded with C2PA metadata?
When you publish or deliver AI-generated content, the audience must be informed that it is AI-generated. This applies to images, video, audio and certain text. Exception: no disclosure is required when the synthetic origin is already obvious to a reasonably informed person (e.g. a stylised illustration no one would mistake for a photograph). When content could be perceived as real, disclosure is mandatory.
Do you label AI-generated content that could be perceived as real when you publish or deliver it?
AI-generated or manipulated images and video that depict real people or events must carry a clear, visible label stating the content is artificially generated or manipulated.
Do you label manipulated media before distribution?
You must be able to answer: who generated it, what model was used, what parameters, and when. Six months later, in front of a regulator, client or journalist.
Can you trace every AI-generated asset back to model, user, timestamp and parameters?
Technical documentation per generation: which AI model, which version, which template or pipeline produced the output.
Is the AI model and system documented per output?
Article 14 requires human oversight before AI-generated content is approved and exported. A review or approval step must exist in the production workflow.
Is there a human approval step before AI content is published or delivered?
Article 4 (in force since February 2025): your team must have sufficient AI competence to understand the tools they use and the obligations that apply.
Does your team understand what EU AI Act requires of them?
Know where your data is processed and stored. For EU organisations, this means understanding whether prompts, source material and outputs leave the EU.
Do you know where your AI-generated data is processed and stored?
| # | Requirement | GENERAITR |
|---|---|---|
| 1 | Machine-readable metadata | C2PA Content Credentials embedded in every exported asset. Organisation identity and generation metadata included in the manifest. Signed by GENERAITR (self-signed cert in Early Access; CA-signed cert planned for Beta). |
| 2 | Disclosure at publication | C2PA manifest embedded in the asset file itself. Provenance metadata (model, workflow, user, timestamp) readable by any C2PA-compatible tool. Exportable .meta.json disclosure document available via the Metadata button in the Export panel. |
| 3 | Deepfake declaration | Invisible DCT watermark embedded automatically in every image. Visible watermark / label configurable at export: text overlay (custom text, font, position, opacity) and GENERAITR-branded image overlay in multiple variants. Both controls are available in the Export panel with a built-in compliance note. C2PA manifest also embedded in the exported file. |
| 4 | Audit trail | Every generation is logged automatically: model, pipeline, parameters, user, organisation, and timestamp. Queryable via the asset lineage database. |
| 5 | Model documentation | Model identity and workflow version recorded per generation in the C2PA manifest and the lineage record. |
| 6 | Human oversight | Per-output human review toggle on every generated image. Reviewer identity and timestamp persisted on the media record. Tagged-media export requires the reviewed flag — unreviewed outputs cannot be exported through the bulk export path. Auditable trail without requiring a full approval workflow. |
| 7 | AI competence | Modality badge (Image / Video / Audio / 3D) and an AI Act usage notice shown on every template card at the moment of selection. Onboarding flow and compliance page also in place. |
| 8 | Data residency | Online plan: processed and stored on Hetzner servers in the EU. Local plan: fully on-premise, no data leaves the organisation's infrastructure. |