← Back to Home

Six weeks to comply with the EU AI Act. Here's what small businesses actually need to do.

Plain English. No legal jargon. What to actually do before August 2.

Content Credentials verification panel showing a Memolio AI-illustrated book page, with metadata confirming it was generated by Seedream 4.5

August 2, 2026. That's when EU AI Act Article 50 becomes enforceable.

If your business uses AI to generate images, and those images reach customers in the EU, you have a legal obligation you probably haven't dealt with yet. I hadn't — not properly — until I sat down and worked through what it actually requires.

This is the practical version. What you need to understand, what you need to do, and the prompts you can drop into Claude right now to figure out where you stand. Memolio generates AI-illustrated images for every personalised book for grandparents we produce, so this is live for us too.

What the law actually requires, in plain English

Article 50 says: if you use AI to generate images, audio, or video that reaches EU users, those outputs must be marked as AI-generated in a way that's detectable.

That's it. Three sentences of law that translate into three things you need to have in place.

1. A digital certificate on the image file. Think of this like a digital birth certificate sewn into the image. It records who generated it, when, and with what system. The technical standard for this is called C2PA, backed by Adobe, Google, Microsoft, OpenAI, and about 6,000 other companies. When someone opens the image in a compatible viewer, they can see the provenance chain. The `c2patool` CLI is the open-source tool for attaching one.

2. An invisible signal embedded in the image pixels. This is what the news usually calls a "watermark," but it's not a visible stamp in the corner. It's a pattern woven into the image at the pixel level — invisible to the eye, but detectable by software — that survives JPEG compression and basic editing. Think of it like a serial number baked into the photograph.

Honest caveat: these can be stripped. Researchers have shown you can remove them with the right tools. The Code of Practice published this month doesn't pretend otherwise. It says no single technique is bulletproof, which is why you need all three layers.

3. A log that links each image to its generation event. This is the backup that works even when the other two are stripped. A database record that says: this image was generated at this timestamp, by this system, for this customer. You probably already have something like this if you log your outputs at all.

Does this actually apply to you?

It applies if you use AI to generate images, audio, or video (not just assist in editing — actually generate from scratch), those outputs reach users in the EU, and you're deploying the AI system in a product, not just using it personally.

It does not apply to AI-assisted writing. Blog posts, marketing copy, emails — the Article 50 text-marking requirement covers news journalism and public interest content, not commercial writing. If your business is using AI to write content, you don't have a disclosure obligation under this rule.

The provider vs deployer distinction matters here. If you're using OpenAI, Adobe, or BytePlus APIs to build your product, you're a deployer, not a provider. The heavier obligations — model documentation, conformity assessments — sit with the model providers. Deployers have lighter requirements, which is mostly what Article 50 asks for.

High-risk AI is almost certainly not you. All the scary-sounding AI Act requirements — audits, human oversight mandates, conformity assessments — apply to AI in specific sectors: hiring, credit scoring, biometrics, law enforcement, critical infrastructure. If you're using AI for creative output, marketing, or personalisation, you're not in that tier.

What to ask Claude to figure out where you stand

If you want to work out your specific situation, here are the prompts worth running.

To understand your obligations:

> "I run a [describe your business] and use AI to generate [images/audio/video] for customers in the EU. Walk me through whether EU AI Act Article 50 applies to me, what tier I'm in (provider vs deployer), and what I need to have in place before August 2, 2026."

To check what your image model already does:

> "I generate images using [Midjourney / DALL-E / Stable Diffusion / name your tool]. Does it already attach C2PA Content Credentials to outputs? What should I check in the API documentation or in the image metadata to verify this?"

To get your disclosure text written:

> "I need to add a disclosure to my website that some content is AI-generated, to comply with EU AI Act Article 50. My product is [describe it]. Draft me disclosure text that's accurate and plain-English — not a legal wall of text."

To check your logging is sufficient:

> "I keep [describe what records you keep, e.g. database rows linking image URLs to generation timestamps]. Is this sufficient to satisfy the server-side logging requirement under EU AI Act Article 50, or are there gaps?"

What I'm doing for Memolio

Every page of a Memolio book is AI-painted from scratch using Seedream 4.5 (BytePlus) — that's 22–24 generated images per book. The logging layer is already there. Every generated image is stored in Supabase with generation metadata.

The C2PA layer needs adding: a signing step in the n8n pipeline, between the BytePlus API response and the Cloudinary upload, attaching a manifest to each image before storage. Six weeks to get it in.

The invisible watermarking layer is the open question. I need to check what BytePlus already provides. If they attach a native watermark at generation, that layer is covered. If not, it needs building separately.

That session is next. If you're in the same position — using an image generation API, selling to EU customers, and haven't thought about this — August 2 is closer than it looks.

Want a personalised book for your grandparent?

Memolio is in private testing and opening up soon. Join the waitlist to be first in line.

Join the Waitlist