WITNIUM. Chain.
EU AI Act

The compliance brief.

What the Act actually requires, when it activates, who it affects, and how Witniumchain maps to the requirements. Written for engineers and compliance officers, not lawyers.

01

The Act in one paragraph.

The EU AI Act is the world's first comprehensive AI regulation. It sorts AI systems into risk tiers (prohibited, high-risk, limited-risk, minimal-risk) and imposes obligations accordingly. High-risk systems — including legal AI, HR-tech, credit scoring, biometrics, education AI and public-sector AI — must keep tamper-evident logs across their lifetime, verifiable by a third party without trusting the vendor. That is what Article 12 codifies, and that is what Witniumchain does.

02

The four enforcement dates.

Aug 2026

AI must declare itself

Article 50 transparency obligations activate. GPAI provider obligations begin. The penalty regime starts: up to 7% of global turnover for prohibited practices.

Dec 2026

Watermarking required

Generative AI providers must embed detectable watermarks in AI-generated content. Watermarks alone can be stripped — chains cannot.

Dec 2027

Article 12 enforcement

High-risk AI systems must produce tamper-evident logs across the lifetime of the system, verifiable by a third party. Annex III becomes enforceable. This is the date Witniumchain is built for.

Aug 2028

Product-embedded AI

Annex I obligations attach to AI inside regulated products: medical devices, vehicles, machinery, toys.

03

Article 12 in plain language.

High-risk AI systems must keep records of: events (what happened), inputs (what the system saw), outputs (what it decided), system state (which model and version), and timestamps — for the lifetime of the system, in a way a third-party auditor can verify without trusting the operator. Internal database logs do not satisfy this. Cryptographic chains do.

04

The independence requirement, and how Witniumchain meets it.

Article 12's logging requirement is paired with a less-discussed principle: the logs that satisfy it must be verifiable by a party independent of the AI vendor. A log that the vendor controls is documentation. A log that the vendor cannot modify is evidence. The Act draws this distinction implicitly; standards bodies are drawing it explicitly in the technical work underway at CEN-CENELEC and ISO/IEC.

Witniumchain meets this requirement by construction, not by promise. The architecture is built so Witnium itself cannot read customer data, hold customer private keys, or alter customer records.

Here is what that means in practice:

Owner keypairs are generated in the customer's browser or backend using Ed25519. The private key never reaches Witnium's servers. There is no recovery flow that involves us, because there is no copy of the key on our side to recover from.

Witness content is hashed client-side before submission. What reaches our API is the SHA-256 fingerprint of the data — a 32-byte string from which the original content cannot be reconstructed. The content itself stays on the customer's systems.

Signatures are produced locally using the customer's keys and submitted to us as opaque bytes. We verify them against the registered public keys; we do not produce them, and we cannot forge them.

The metadata we do retain — timestamps, public keys, fingerprints, witness counts — is required for credit accounting and chain integrity. It contains no content. It cannot be reverse-engineered into content.

The chain itself is independently verifiable at witniumchain.com. A customer, their auditor, their regulator, or any third party can confirm that a given witness was sealed at a given time, by a given key, against a given fingerprint — without trusting Witnium's word for any of it.
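The flow described above (local key generation, client-side hashing, local signing, verification with the public key alone), as an added Node.js example that is not Witnium's code or API. The record layout, field names, function names and the choice to sign the fingerprints together with the model, actor and timestamp are assumptions made for illustration; the sample content is constructed.

```javascript
// Added illustration; not Witnium's SDK or API. All field and function names are hypothetical.
const crypto = require('node:crypto');

const sha256Hex = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Fixed field order so signer and verifier serialize the record identically.
const FIELDS = ['actor', 'inputHash', 'model', 'outputHash', 'timestamp', 'version'];
const canonical = (record) => Buffer.from(JSON.stringify(FIELDS.map((k) => [k, record[k]])));

// Customer side: the key pair is generated locally; only the public half is exported.
function generateOwnerKeys() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Customer side: hash content locally, then sign the record (assumption: the
// signature covers the fingerprints plus model/actor context and timestamp).
function buildWitness(privateKey, { input, output, model, version, actor, timestamp }) {
  const record = { actor, inputHash: sha256Hex(input), model, outputHash: sha256Hex(output), timestamp, version };
  const signature = crypto.sign(null, canonical(record), privateKey).toString('base64');
  return { record, signature }; // this, plus the public key, is all that leaves the customer
}

// Service or auditor side: needs only the registered public key.
function verifyWitness(publicKeyPem, { record, signature }) {
  return crypto.verify(null, canonical(record), publicKeyPem, Buffer.from(signature, 'base64'));
}

// Auditor side: content disclosed by the customer must match the sealed fingerprints.
function contentMatches(record, input, output) {
  return record.inputHash === sha256Hex(input) && record.outputHash === sha256Hex(output);
}

function demo() {
  const keys = generateOwnerKeys();
  const input = 'constructed sample: applicant file 123';
  const output = 'constructed sample: decision=refer-to-human';
  const witness = buildWitness(keys.privateKey, {
    input, output, model: 'example-model', version: '1.0', actor: 'svc-scoring', timestamp: '2026-01-01T00:00:00Z',
  });
  const altered = { ...witness, record: { ...witness.record, outputHash: sha256Hex('decision=approve') } };
  return {
    valid: verifyWitness(keys.publicKeyPem, witness),
    alteredValid: verifyWitness(keys.publicKeyPem, altered),
    contentOk: contentMatches(witness.record, input, output),
    swappedContentOk: contentMatches(witness.record, input, 'decision=approve'),
    leaksContent: JSON.stringify(witness).includes('applicant'),
  };
}
```

Changing any signed field after the fact invalidates the signature, and an auditor holding the original content can recompute both fingerprints without the operator's help.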

This is the property that distinguishes audit-grade logging from ordinary logging. A vendor who can modify the record is part of the trust chain. A vendor who cannot is outside it. Article 12 will increasingly be enforced on the difference.

05

Provider vs deployer.

A provider places the AI system on the market. A deployer uses it. Both have obligations. Article 12 logging is primarily a provider obligation, but deployers in regulated industries will be asked to demonstrate they only use compliant systems. Witniumchain serves both: providers integrate it into their platform; deployers require it from their providers.

06

Witniumchain → Article 12.

Tamper-evident

On-chain witness records on Hyperledger Besu / QBFT consensus.

Lifetime retention

Configurable up to 10 years on Business plan; custom on Enterprise.

Third-party verifiable

Independent verification via chain-api or any Besu peer.

Event coverage

Every propose → sign → finalize cycle is recorded.

Input + output bound

SHA-256 hashes anchor inputs and outputs without storing PII.

Model + actor context

Model name, version, actor identifier captured per witness.

07

Penalties.

08

Beyond the AI Act.

The same chain serves GDPR Article 22 (automated individual decisions), DORA (financial sector ICT risk), NIS2 (critical infrastructure), CSRD (sustainability disclosures), and EUDR (deforestation due diligence). One audit primitive, multiple regulatory regimes.