◈︎

Formally submitted to the EU AI Office Stakeholder Consultation on the Draft Guidelines on Transparency Requirements for Certain AI Systems under Article 50 AI Act. Contribution ID: 14ef05a-f2ad-487-dc9b-aa87a0bc1665 · Date: June 3, 2026, 23:52 CET · Sections II, IV, VII. Organisation: AIOSchema Project (micro, Information Technology + Cultural and creative sector). All contributions are made publicly available by the EU AI Office.

Position Paper for the EU AI Office Code of Practice on Marking and Labelling of AI-Generated Content

   
Submitted by Ovidiu Ancuta, AIOSchema Project, aioschema.org
Date June 3, 2026
Document ID AS-POS-ART50-001
Classification Public
License CC-BY 4.0
Contact [email protected]

1. Executive Summary

Article 50(2) of the EU AI Act requires providers of AI systems that generate or manipulate content to ensure their outputs are “marked in a machine-readable format, detectable as artificially generated or manipulated,” and that “the technical solutions are effective, interoperable, robust and reliable,” taking into account “the costs of implementation and the generally acknowledged state of the art.”[2]

We submit AIOSchema as a compliant technical mechanism for satisfying these requirements.

AIOSchema is an open standard built on a lightweight, extensible architecture for establishing, maintaining, and preserving the integrity, authenticity, and provenance of digital and physical assets.[3] It defines a minimal, verifiable manifest format that establishes what an asset is, who created it, and when it existed, independently of any platform, storage system, or proprietary tool. Its Core Block is stable and locked as of v0.5.5, a finished standard, not a moving target, with all cryptographic algorithms treated as replaceable modules so the standard survives as the cryptographic landscape evolves.

Critically, Article 50 is a transparency obligation, not a forensic detection mandate. The law requires providers to disclose that their content is AI-generated, and to do so in a way that is machine-readable and tamper-evident. AIOSchema satisfies this by cryptographically authenticating the provider’s declaration. Any compliance mechanism that depends on the provider’s cooperation must authenticate the disclosure, not the content’s origin.

The key distinction: AIOSchema makes Article 50 compliance accessible to every AI provider and AI content deployer, including small companies, startups, independent developers, and the SMEs publishing AI-assisted content across the EU, not only those who can afford PKI certificate infrastructure. AIOSchema Level 2 is zero-direct-cost and immediately deployable. We request that the Code of Practice recognise it alongside C2PA Content Credentials as a compliant mechanism for Article 50. The two standards are complementary, not competing.


2. The Problem: A Compliance Gap for Small Providers

C2PA Content Credentials is the most widely discussed mechanism for Article 50 compliance. It is a credible solution. However, its architecture introduces structural barriers that exclude a significant portion of regulated AI providers:

Requirement C2PA Cost / Complexity Impact on Small Providers
X.509 certificate $200-1,000+/year from a CA Annual recurring cost
CA trust list membership C2PA Conformance Programme Additional process and fees
CBOR + JUMBF encoding Binary format, limited library support Significant development effort
Specification size 200+ pages High learning curve
Integration timeline Weeks to months Delays compliance

The EU AI Act applies to every AI provider placing systems on the EU market, including SMEs, independent developers, and research labs. Article 50(2) explicitly requires that “the costs of implementation” be taken into account.[2] The European Commission’s own data shows that over 95% of AI providers in the EU are SMEs. A compliance mechanism that only works for the top 5% is not a compliance mechanism for the regulation. It is a market distortion. This structural barrier is particularly problematic given that the Commission’s own impact assessment for the AI Act (SWD(2021) 84)[1a] identified SMEs as facing disproportionate compliance burdens, precisely the outcome Article 50(2)’s cost-consideration clause seeks to prevent.


3. AIOSchema: How It Works

AIOSchema defines a minimal, verifiable manifest format that establishes what an asset is, who created it, and when it existed. A conformant manifest contains:

  • Core Block: five primary fields: schema_version, asset_id, creation_timestamp, hash_original, creator_id, plus core_fingerprint (SHA-256 hash of the canonicalised five core fields).
  • Signature: Ed25519 digital signature over the Core Block, binding the manifest to the creator’s keypair. This is the Level 2 compliance mechanism.
  • Extension fields: optional registered fields including ai_declaration for structured AI disclosure, and compliance.eu_art50 for structured Article 50 editorial exemption documentation.
  • Anchor reference: optional link to an independent timestamp authority via the uniform URI scheme aios-anchor:<service-id>:<anchor-id>. Accommodates RFC 3161, OpenTimestamps, blockchain, or any public immutable TSA. No specific service is mandated.

Architectural Design Principles

Three further properties distinguish AIOSchema from format-specific or platform-dependent approaches:

Modular, replaceable algorithms. Hashing, signing, soft binding, and anchoring are treated as modules, not fixed dependencies. No single cryptographic primitive can compromise the whole standard. AIOSchema separates the shape of the standard from the algorithms used inside it, meaning it can adopt stronger algorithms as cryptography evolves without invalidating existing manifests or breaking the verification chain.

Universal interoperability. Container-agnostic, platform-agnostic, ecosystem-agnostic, and metadata-agnostic. AIOSchema integrates cleanly with XMP, EXIF, schema.org, W3C PROV, and C2PA, or operates as a fully standalone solution. No dependency on any external ecosystem is required for compliance.

Long-term durability and verifiability. Digital content is constantly transformed: recompressed, resized, transcoded, stripped of metadata. Physical assets change hands, are photographed, scanned, and re-documented. AIOSchema survives these transformations through multi-hash support, detached signatures, sidecar and XMP hybrid embedding, soft binding via perceptual hashing, and anchor chaining. The manifest travels independently of the asset. Durability is not an afterthought: it is a core design requirement.

Conformance Levels and Article 50 Compliance

Level Requirements Cryptographic Binding Article 50
Level 1 Core Block only None Not robust: unsigned manifest can be forged
Level 2 Core Block + Ed25519 signature Creator identity + tamper evidence Compliant: signed, detectable, robust
Level 3 Level 2 + independent anchor + provable timestamp Strongest: timestamp independently verifiable

Level 2 is the compliance floor for Article 50. The Ed25519 signature provides tamper evidence, creator binding, machine-readability, detectability, and interoperability across six independent cross-verified reference implementations (Python, TypeScript, Node.js, Go, Rust, and .NET with no external dependencies).

AI Declaration Extension (v0.5.6)

For structured Article 50 compliance, AIOSchema v0.5.6 defines the ai_declaration extension:

{
  "@context": "https://aioschema.org/v1",
  "@type": "https://aioschema.org/v1/Manifest",
  "core": {
    "asset_id": "01914de8-6a10-7083-a24a-1a73f2e9b000",
    "schema_version": "0.5.6",
    "creation_timestamp": "2026-05-07T14:30:00Z",
    "hash_original": [
      "sha256-4a3b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b"
    ],
    "core_fingerprint": "sha256-c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9",
    "creator_id": "ed25519-fp-7fcc5530c17565c99ea02d846ab0b5eb",
    "signature": "ed25519-<128-hex-chars>",
    "manifest_signature": "ed25519-<128-hex-chars>",
    "anchor_reference": "aios-anchor:rfc3161-sectigo:abc123def456"
  },
  "extensions": {
    "compliance_level": 3,
    "ai_declaration": {
      "disclosure_required": true,
      "ai_generated": true,
      "ai_manipulated": false,
      "human_reviewed": true,
      "standard_editing": false,
      "creative_work": false
    },
    "compliance": {
      "eu_art50": {
        "editorial_responsibility": "Editor-in-Chief, Organisation Name",
        "review_type": "substantive"
      }
    }
  }
}
Field Covers
disclosure_required True if AI contributed to this content
ai_generated Content is fully AI-generated
ai_manipulated Existing content was substantially altered by AI
human_reviewed A human reviewed AI-generated content before publication
standard_editing Only standard editing used: exempt from disclosure per Art. 50(2)
creative_work Artistic, satirical, or fictional work: reduced obligations per Art. 50(4)

Editorial Exemption Documentation (v0.5.6)

For deployers relying on the editorial exemption under Article 50(4), AIOSchema v0.5.6 provides the compliance.eu_art50 extension. Where a human reviewed and edited AI-assisted content before publication, and a named person or entity bears editorial responsibility, deployers can assert and document that exemption in a machine-readable, cryptographically signed record.

The second draft Code of Practice on Transparency of AI-Generated Content (March 2026), Commitment 4, requires deployers to establish minimal documentation demonstrating that AI-generated text has undergone human review or editorial control and that a natural or legal person holds editorial responsibility. The name, role, and contact details of the reviewing person are retained in the deployer’s internal documentation per Commitment 4 and are not embedded in the public manifest, in accordance with GDPR data minimisation principles (Art. 5(1)(c) GDPR).

{
  "extensions": {
    "compliance": {
      "eu_art50": {
        "editorial_responsibility": "Editor-in-Chief, Organisation Name",
        "review_type": "substantive"
      }
    }
  }
}
Field Legal Requirement Satisfied
editorial_responsibility Art. 50(4) EU AI Act: natural or legal person holding editorial responsibility. MAY be a legal entity name, institutional role title, or both.
review_type CoP Commitment 4 and Commission Guidelines May 2026: nature of review. substantive or editorial-control maps to the two limbs of Art. 50(4). Superficial checks do not qualify.

This provides auditable evidence of the exemption claim without requiring a separate compliance workflow. The compliance namespace is extensible: as other jurisdictions enact AI transparency legislation, additional sub-keys (compliance.ca_sb1047, compliance.can_aida, etc.) can be defined through the AIOSchema Extension Registry without modifying the standard. Because the manifest is signed at Level 2, any alteration of the exemption assertion after signing is cryptographically detectable.


4. Article 50(2) Requirement Mapping

Machine-readable format

AIOSchema manifests are structured JSON, the most universally supported machine-readable format in existence. Every programming language, every browser, and every runtime environment can read, parse, and verify a JSON manifest natively, without additional libraries, decoders, or tooling.

Detectable as artificially generated

The ai_declaration extension explicitly identifies content as AI-generated with structured, typed fields. The manifest is self-describing: any conformant verifier can detect and parse the declaration without external schema resolution.

Effective, interoperable, robust, and reliable

The signature makes any removal or alteration of the declaration cryptographically detectable. Six independent cross-verified reference implementations across six programming languages demonstrate interoperability in practice. Ed25519 provides 128-bit security with no trusted third party required for verification.

Taking into account the costs of implementation

C2PA implementation costs well over EUR 1,000 in the first year when certificates, conformance programme participation, and ongoing fees are included. AIOSchema Level 2 costs EUR 0 in direct costs and is implementable in hours. AIOSchema Level 3, the strongest compliance posture, also costs EUR 0, using any public RFC 3161 TSA or OpenTimestamps service.


5. Comparison: AIOSchema vs C2PA

Dimension C2PA Content Credentials AIOSchema Level 3
Machine-readable Yes (CBOR/JUMBF) Yes (JSON)
Cryptographic signing Yes (X.509 + COSE) Yes (Ed25519)
Tamper evidence Yes Yes
Creator identity binding Via CA-issued certificate Via Ed25519 keypair
Independent timestamp Via C2PA timestamp service RFC 3161 / OTS / blockchain (Level 3)
Anchoring cost C2PA service fees $0 (any public immutable TSA)
Format complexity CBOR + JUMBF (binary) JSON (text)
Spec length 200+ pages Under 50 pages
Time to implement Weeks Hours
Annual cost Well over $1,000 $0
Physical assets Not supported natively QR code manifest (v0.5.5+)
AI declaration c2pa.actions assertion Dedicated ai_declaration extension
Editorial exemption documentation Not defined compliance.eu_art50 extension
Trust model Centralised (CA trust list) Decentralised (keypair verification)
C2PA interoperability N/A AIOSchema fields embeddable as C2PA custom assertions

6. Addressing Potential Objections

“Self-generated keypairs lack the trust of CA-issued certificates”

This misunderstands the Article 50 requirement. The law requires marking that is detectable, robust, and reliable, not a specific trust model. A self-generated Ed25519 keypair provides tamper evidence equivalent to X.509-signed content, creator binding, and full verifiability.

“If anyone can generate a keypair, how do you prevent fabricated provenance?”

You cannot anchor to the past. Once a manifest is anchored to an RFC 3161 trusted timestamp authority, that timestamp is immutable. A manifest created today gets today’s timestamp. A manifest fabricated tomorrow to claim it was created last year will either have no anchor (detectable absence) or an anchor dated tomorrow (detectable mismatch).

“JSON is less robust than CBOR for embedded metadata”

Article 50(2) does not mandate a specific encoding format. The relevant question is which format is more universally verifiable. JSON is natively readable and parseable by every browser, every programming language, and every machine without additional libraries or decoders. Robustness in the Article 50 context comes from the cryptographic signature, not the encoding format.

“AIOSchema is a new standard: is it mature enough?”

AIOSchema v0.5.6 has a published technical specification, six independent reference implementations cross-verified against a shared conformance test suite, and dedicated extensions specifically designed for Article 50 structured disclosure and editorial exemption documentation. Maturity is measured in verifiable correctness, not years of existence.


7. Recommendations to the AI Office

  1. Recognise AIOSchema Level 2 at a minimum as a compliant mechanism for satisfying Article 50(2) transparency obligations, alongside C2PA Content Credentials.

  2. Explicitly acknowledge that multiple technical mechanisms can satisfy Article 50, provided they produce machine-readable, cryptographically signed, tamper-evident provenance, without mandating a specific trust model or certificate infrastructure.

  3. Operationalise the cost-consideration principle: if the only recognised compliance mechanism costs hundreds of euros per year, the regulation’s own requirement to consider “the costs of implementation”[2] is not being honoured.

  4. Include AIOSchema in the Code of Practice’s technical annex as a recognised low-cost compliance path, ensuring that SMEs, independent AI providers, and AI content deployers have a viable route to compliance before the August 2026 enforcement deadline.

  5. Establish a principle of cryptographic equivalence: Ed25519 and X.509/COSE both produce cryptographically valid, tamper-evident signatures. The Code of Practice should not privilege one algorithm over another where both satisfy the legal requirements.

  6. Recognise that anchoring is technology-agnostic: RFC 3161 trusted timestamps, OpenTimestamps, blockchain-based services, and hybrid approaches are all supported through the uniform aios-anchor:<service-id>:<anchor-id> URI scheme.

  7. Address the deployer editorial exemption path explicitly: the Code of Practice should provide guidance on how deployers can document the editorial exemption under Article 50(4) in a machine-readable, auditable format.


8. About AIOSchema

AIOSchema is an open standard for establishing, maintaining, and preserving the integrity, authenticity, and provenance of digital and physical assets, published at aioschema.org. The specification is freely available under CC-BY 4.0. Six reference implementations are available in Python, TypeScript, Node.js, Go, Rust, and .NET - each dependency-free, cross-verified against a shared conformance test suite.

   
Contact [email protected]
Specification aioschema.org/spec
Implementations aioschema.org/implementations

Notes

[1] European Commission, “SME Definition”, based on Eurostat structural business statistics and the Commission Recommendation 2003/361/EC.

[1a] European Commission Staff Working Document SWD(2021) 84, Impact Assessment accompanying the Proposal for a Regulation on Artificial Intelligence, 21 April 2021, Section 6.1.4.

[2] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on Artificial Intelligence (EU AI Act), Article 50(2).

[3] AIOSchema Specification v0.5.6, aioschema.org/spec, June 2026. CC-BY 4.0.


Document ID: AS-POS-ART50-001 · June 3, 2026 · CC-BY 4.0 · © 2026 Ovidiu Ancuta