EU AI Act for Brands: Who Labels AI Images, You or Your Provider?

Two parties, two different jobs. Your AI image provider has to sign every image as machine-readable AI. Your brand has to add a visible "AI-generated" label when the image is a deepfake or could fool a real viewer. Neither side can push its obligation to the other.

That split sits in Article 50 of the EU AI Act (Regulation EU 2024/1689). The Regulation calls these two roles the "provider" (Art. 3.3) and the "deployer" (Art. 3.4). In plain English: your AI image provider is the provider, and your brand is the deployer. Both of you owe something, but not the same thing.

The transparency obligations of Article 50, including the marking of synthetic image outputs (Art. 50.2) and the disclosure of deepfakes by deployers (Art. 50.4), become applicable on 2 August 2026, twenty-four months after the AI Act entered into force. Other parts of the Regulation phase in on different dates, but for AI-generated images this is the date that matters.

Reputable AI image providers are adopting the standard ahead of the deadline so that deliveries do not need retrofitting later. If you are commissioning AI imagery for campaigns that will still be live in late 2026, the safe assumption is that everything you produce from now on should already carry the machine-readable provenance signal.

Article 3.3 of the AI Act defines a "provider" as a natural or legal person that develops an AI system, or has one developed, and places it on the market or puts it into service under its own name or trademark, whether free of charge or for payment. In the image generation industry, this is the company behind the model and the API: the AI image vendor.

The obligation imposed on providers by Article 50.2 is technical. Providers must ensure that the outputs of their generative AI systems are marked in a machine-readable format that allows them to be detected as artificially generated or manipulated. The mark must be effective, interoperable, robust and reliable as far as is technically feasible.

The Regulation does not name a specific technology, but the industry standard for satisfying the "machine-readable" requirement is the C2PA Content Credentials specification, an open standard for cryptographically signed provenance manifests embedded inside image files. Compliant providers like Dreamshot now ship every output with a signed C2PA manifest as part of the standard delivery.

Article 3.4 defines a "deployer" as any party using an AI system under its own authority. When a brand commissions AI-generated images and publishes them in advertising campaigns, product catalogues, social media or corporate communications, the brand is the deployer. The deployer designation cannot be pushed back onto the provider, even by contract.

Crucially, the deployer obligation is not triggered by every AI-generated image. It is triggered by a specific subset: content that constitutes a deepfake (defined in Art. 3.60 as AI-generated or manipulated image, audio or video content that resembles real persons, objects, places or events and that would falsely appear to be authentic), and content that may mislead a reasonable person about real persons, events or facts.

For most decorative or stylised brand imagery the visible disclosure rule does not apply. For photorealistic imagery depicting people, locations or events that look like documentary photography, it absolutely does.

Article 50.2 places the technical marking obligation squarely on providers of generative AI systems. The marking must be embedded into the output itself, not added separately. It must remain machine-detectable through normal processing. And it must comply with the future technical guidance and harmonised standards that the European Commission and the AI Office will publish.

In practical terms, a compliant delivery from your AI image provider should include:

• A cryptographically signed C2PA manifest embedded in the master file, declaring that the image was AI-generated or AI-composited.
• A clear chain of provenance assertions covering at minimum the model used, the moment of generation, and the issuing provider.
• A verification path: anyone receiving the master file can use a free C2PA inspector (such as the Content Authenticity Initiative verifier) to confirm authenticity.
• A guarantee that the marking is invisible to the viewer of the image, so it does not interfere with the creative or commercial value of the asset.

If your current AI image provider cannot point you to the C2PA manifest in the files they have already delivered, they are not yet meeting the Article 50.2 standard. From 2 August 2026 onwards, that gap becomes a legal exposure that flows through to you as the deployer.

Article 50.4 is the rule that catches most marketing and brand teams by surprise, because it is the one that lives on the published artefact. It requires deployers of generative AI systems that produce or manipulate image, audio or video content constituting a deepfake to disclose that the content has been artificially generated or manipulated. The disclosure must be clear and distinguishable, and it must be made no later than at the time of the first interaction or exposure.

In the marketing context, "clear and distinguishable" means the disclosure cannot be hidden in metadata or buried in legal small print. It needs to be a visible, human-readable label on or alongside the published asset. Common implementations include an "AI-generated" badge overlaid on the image, a caption directly underneath the asset, or a disclosure card in the carousel of a social post.

Not every AI-generated image needs a visible label on publication. The visible-disclosure obligation scales with how likely the image is to be perceived as a real-world depiction. The matrix below maps the four typical scenarios brand teams face and the minimum legal action each one requires.

C2PA, short for the Coalition for Content Provenance and Authenticity, is an open technical standard for embedding cryptographically signed provenance information directly inside media files. The standard is co-developed by Adobe, Microsoft, the BBC, Sony, Truepic and other industry members, and it is the de facto interoperable answer to the AI Act's "machine-readable marking" requirement.

A C2PA manifest is small, invisible to the viewer, and resistant to ordinary file edits. It contains a chain of "assertions" recording how the file was created, which AI model produced it, who signed off on each transformation, and when. The signature is cryptographic, so any tampering with the manifest invalidates it. Anyone can verify a C2PA-signed file using a free public inspector at contentcredentials.org/verify.

C2PA is what turns transparency from a policy promise into a verifiable technical fact. A brand can claim their imagery is authentic; a C2PA-signed master proves it.

Several large social platforms recompress images on upload, which can sometimes strip or alter embedded metadata, including a C2PA manifest. This is a known limitation of the current internet plumbing rather than a compliance failure on your side.

The way the Regulation is designed, the provider's Article 50.2 obligation is satisfied at the moment of delivery, in the master file the provider hands to you. Your evidence of compliance is the signed master that you, as the deployer, retain in your brand asset archive. The published copy on a third-party platform is downstream of that evidence chain.

A defensible procurement posture for AI-generated imagery under the EU AI Act rests on three contractual commitments, which we recommend including in every work order with your AI image supplier from now on:

1. Cryptographic provenance at delivery. The supplier warrants that every master file delivered carries a valid C2PA manifest identifying the file as AI-generated, and provides a free verification path.
2. Non-removal of the manifest. Your team commits not to deliberately strip the C2PA manifest from the master archive. Incidental stripping by downstream platforms is acknowledged and does not count as a breach.
3. No impersonation without consent. Your team commits not to use the delivered imagery to impersonate identifiable real persons without their express written consent, in line with national personality-rights law (in Spain, LO 1/1982).

These three commitments mirror the structure of Article 50: the provider does the technical marking, the deployer preserves the trail and applies the visible label when required. With the contract aligned to the regulation, your compliance story becomes traceable end to end.

Is the EU AI Act applicable to brands outside the European Union?

Yes, the Regulation has extraterritorial reach. If you place AI-generated content on the EU market (for example, a US brand running an Instagram campaign that targets European audiences), the deployer obligations of Article 50.4 apply to that campaign regardless of where your headquarters are.

Does the visible label have to use the exact words "AI-generated"?

The Regulation requires the disclosure to be clear and distinguishable but does not prescribe specific wording. Industry practice converges on short, unambiguous formulas such as "AI-generated", "Created with AI" or "Synthetic image". Avoid euphemisms like "digitally enhanced" that hide the AI origin.

Who pays the fine if a deepfake is published without a visible label?

The Article 50.4 obligation is on the deployer, so the administrative fine for a missing visible disclosure falls on the publishing brand, not on the AI provider. Article 99 of the Regulation sets the maximum fine at the greater of 15 million euros or 3% of worldwide annual turnover for Article 50 infringements.

Is the C2PA manifest enough on its own?

For the provider, yes: the C2PA manifest satisfies the machine-readable marking requirement of Article 50.2. For the deployer, the C2PA manifest is necessary but not sufficient: when the published content is a deepfake or could mislead a reasonable viewer, you still owe a visible, human-readable disclosure under Article 50.4.

How can I verify whether an image I received is C2PA-signed?

Upload the master file to the free public inspector at contentcredentials.org/verify. The tool reads the embedded manifest, validates the cryptographic signature and shows the chain of provenance assertions. Less than a minute per file.

If you commission AI-generated imagery for European audiences, treat the period between now and 2 August 2026 as the window to align your supplier contracts, your internal labeling policy and your asset-archive practices with Article 50. The brands that arrive at the deadline with a signed C2PA master for every campaign and a documented labeling policy will have a much easier conversation with their auditors and legal teams than the ones that scramble at the last minute.

Dreamshot delivers every image with a signed C2PA manifest as standard. If your current provider does not, we will happily reproduce your last campaign under a fully compliant pipeline so you can compare side by side. Grab the full playbook below.