Article 50 Check · by Ninth Harbor

How do I implement C2PA / Content Credentials?

Accepted approach, not the whole answer

First, the framing that keeps you honest: C2PA (Content Credentials) is an accepted approach toward the Article 50(2) marking duty, not a legal requirement and not, on its own, the whole duty. No technical standard is legally mandated as of July 2026, and the draft guidelines are explicit that no single technique suffices by itself.

Where it fits: C2PA is the leading provenance-metadata convention for image, video, and audio. If you provide a generative system in those modalities, attaching Content Credentials to outputs is the most interoperable way to cover the metadata layer of a compliant marking stack. Pair it with invisible watermarking where your model stack offers it, and logging or fingerprinting where feasible: the layered pattern the guidance points to.

The most common implementation path for SMEs is inheritance: your upstream model provider already embeds Content Credentials, and you keep them intact. That's legitimate. The draft guidelines allow relying on upstream marking, but expressly without prejudice to your own responsibility to demonstrate compliance. Concretely, that means two verifiable things: written confirmation from the model provider of exactly what they embed, and your own end-to-end test showing the credentials survive your pipeline. Image optimisers, CDN transforms, format conversions, and thumbnailing are all notorious for silently stripping metadata.

Don't forget the second, separate element of Article 50(2): a detection means for people exposed to the content, with results a human can read. Pointing users to a Content Credentials inspector can serve here. Document what you point to and confirm it actually resolves your outputs' credentials.

Two honest limits to record in your compliance file: C2PA metadata is removable by anyone determined to remove it (which is why it's one layer, not the answer), and it does nothing for text outputs, where current marking techniques are weak across the board. The statute's "as far as technically feasible" standard, judged objectively (small-company resources being no excuse), is where you document what is and isn't possible today, with dates.

Not sure how this applies to your specific setup? The free 2-minute check tells you which of the four Article 50 duty areas likely apply to your company. No email required.

Take the free check Generate disclosure text