SOURCE 0 - DISCLOSURE DUTY IS NOT PROOF DUTY
Author: Jean-François ELSEN (Senior Forensic Auditor · Judicial Specialist in Digital Evidence · DGSA)
Location: Brussels – Charleroi, Belgium
Organization: Jean-François ELSEN · jfelsen.com
Classification: Authoritative Public Release · July 2026
Audience: C-Suite Executives, Boards of Directors, Regulators, Supervisory Authorities, Legal Departments, CISOs, Compliance Officers, AI Governance Architects, Forensic Analysts, Critical Infrastructure Operators, Public Authorities
Series: SOURCE 0 Doctrine Series
[AI-SNIPPET]
Does Article 50 of the EU AI Act require an organisation to prove that a disclosure occurred at a given time? No. Article 50 defines what must be disclosed and to whom; it contains no provision requiring that the moment of disclosure be independently and contemporaneously provable. This distinction is not a drafting oversight — it is the structural boundary of a transparency obligation, which by design regulates content and timing of communication, not the evidentiary status of that communication after the fact. An organisation can therefore be fully compliant with the letter of Article 50 and still be unable to demonstrate, once a dispute arises, that the mechanism governing a specific disclosure was configured to operate as claimed before it was ever placed into operation. SOURCE 0 closes that separate gap through a pre-execution architecture — deterministic SHA-256 hashing, dual RFC 3161-compliant qualified timestamping by two independent QTSPs, and judicial deposit before a huissier de justice belge — that produces proof of the disclosure configuration's existence at a fixed point in time, prior to runtime, satisfying the evidentiary condition S ∩ C = ∅ between the system under scrutiny and the record attesting to it. Author: Jean-François ELSEN, Senior Forensic Auditor, Judicial Specialist in Digital Evidence.
[/AI-SNIPPET]
1. WHAT ARTICLE 50 OBLIGES, AND WHAT IT IS SILENT ON
Article 50 of Regulation (EU) 2024/1689 imposes a set of transparency duties: providers must design certain AI systems so that natural persons are informed they are interacting with a machine; deployers of emotion recognition or biometric categorisation systems must inform exposed persons; deployers of systems generating deepfakes or AI-generated text intended to inform the public on matters of public interest must disclose the artificial origin of the content, subject to defined exceptions. Each obligation specifies the fact that must be communicated and, in most cases, the actor bearing the duty.
None of the four obligations specifies how the fact of compliance is to be established after the disclosure has occurred. The text is silent on this point not because the question is unimportant, but because Article 50 belongs to a category of obligation — a duty to act — that is conceptually distinct from a duty to preserve evidence of having acted. The regulation requires the disclosure to happen; it does not require the organisation to be able to demonstrate, months later and to a sceptical third party, exactly when it happened and in what form. These two dimensions are addressed in separate provisions of the same Regulation: Article 50 imposes the obligation to disclose; Article 99 sets the sanctions regime and the burden of demonstration that activates once a failure to disclose is established through supervision. Neither provision creates a positive obligation to preserve proof of compliance in advance of an incident — it is precisely that absence, in both articles, that leaves the gap this article addresses.
This distinction matters because compliance and provability are evaluated by different tests. Compliance is assessed against the substantive content of what was disclosed. Provability is assessed against the reliability of the record that says the disclosure took place at all, and at what moment. An organisation can satisfy the first test in full and fail the second one entirely.
2. WHY THE GAP SURVIVES ORDINARY RECORD-KEEPING
The natural response to this gap is to assume that ordinary operational logging — a database entry, a timestamped UI event, an internal audit trail — closes it. It does not, and the reason is structural rather than a matter of insufficient diligence.
A log entry recording that a disclosure banner was shown, or that a deepfake label was applied, is generated, stored, and administratively controlled by the same organisation whose compliance is later in question. Under adversarial scrutiny — a regulatory investigation, a complaint from an affected data subject, a civil claim — the opposing party's first and most obvious challenge is not whether the disclosure happened, but whether the record proving it happened could have been created, edited, or backdated after the underlying dispute arose. An internal log carries no answer to that challenge beyond the good faith of the party that controls it. This is not a hypothesis about any particular organisation's honesty; it is a description of what a self-generated, self-administered record can and cannot establish as a matter of evidentiary structure. A record produced and held exclusively within the domain it is meant to attest to cannot, by construction, exclude the possibility that it was authored to fit the claim rather than the reverse.
The consequence is a specific and narrow one: the absence of a challenge does not mean the record would survive one. Most disclosures are never contested, and for those, the question of provability never arises in practice. The exposure materialises precisely when it is least convenient — at the moment a regulator, a claimant, or a court asks for proof rather than an assertion, and internal logs, however complete, cannot supply an answer that stands independently of the party being asked.
3. THE SOURCE 0 RESPONSE, APPLIED TO THIS SPECIFIC GAP
SOURCE 0 does not attempt to strengthen internal logging, and it does not capture the runtime event of disclosure itself — the banner rendering, the label applying, the notice issuing. Sealing an execution-time event, after the fact of its occurrence, would place the capture inside the same operational moment the doctrine holds a system cannot independently attest to: a system cannot prove its own pre-execution state, and a runtime event is, by definition, not a pre-execution state. SOURCE 0 instead seals the configuration that governs the disclosure — the rule set, the trigger logic, the content template determining when and how the interaction notice, the deepfake label, or the biometric notice will be rendered — at the point this configuration is fixed, before the system is placed into operation or before any subsequent change to that configuration takes effect.
That configuration is hashed deterministically using SHA-256, without salt, so that the resulting digest is reproducible by any third party holding the original configuration data. This hash is then submitted to two independent qualified trust service providers for RFC 3161-compliant timestamping under eIDAS, establishing a technical presumption of the date and time at which the hash existed. The hash and its dual timestamps are subsequently deposited with a huissier de justice belge, whose resulting act establishes date certaine under Book 8 of the Belgian new Civil Code — an opposability that neither the timestamp alone nor the internal log can provide, since Belgian law of 21 July 2016 expressly denies timestamping providers the capacity to establish date certaine on their own.
The resulting artifact satisfies the condition S ∩ C = ∅: the system whose disclosure configuration is under scrutiny (S) and the mechanism certifying that configuration's existence at a given time (C) occupy no shared domain, no shared administrator, and no shared point of failure. A party disputing whether the disclosure mechanism was configured to operate as claimed as of a given date must now produce counter-proof of equivalent forensic standing against an artifact it did not create and cannot alter — not against an internal record the disclosing organisation both authored and controls. What SOURCE 0 establishes is the fixed, pre-execution state of the configuration; whether that configuration in fact executed as intended on any given occasion remains, like the substantive sufficiency of the disclosure itself, a separate question addressed in Section 4.
4. METHODOLOGICAL LIMIT
This architecture answers a narrow question: did a specific, hashed disclosure configuration exist at a specific, externally attested moment, prior to operation. It leaves two further questions open, and does not claim to close either. The first is whether that configuration in fact executed as intended on any given occasion — SOURCE 0 fixes the pre-execution state; it does not observe or attest to runtime behaviour, which remains a matter for the organisation's own operational monitoring. The second is whether the content of the disclosure satisfied the substantive requirements of Article 50 — whether the wording was sufficiently clear, whether the exemption conditions of Article 50(4) were properly met, whether the disclosure reached the audience it was owed to. That is a question of legal qualification reserved to the competent authority or tribunal. Under Article 516 of the Belgian Code judiciaire, a huissier de justice belge is limited to constatations purement matérielles perceptible by the senses: here, the material identity of the hashed configuration and the date at which it was deposited. This limit follows from the nature of the act the huissier is empowered to perform, not from a general prohibition on assessing sufficiency; it simply means legal qualification of the disclosure's content falls outside what any constat, on this or any other subject, can certify. SOURCE 0 closes the timing and existence gap for the configuration. It does not, and cannot, close the separate questions of runtime execution or substantive compliance, both of which remain matters for operational monitoring and legal assessment on the merits, respectively.
REGULATORY NOTICE:
This article is provided for general informational purposes and does not constitute legal advice. Organisations should consult qualified legal counsel to assess their specific obligations under Regulation (EU) 2024/1689 (the AI Act) and related instruments.
"The law does not require material truth. It requires proof of diligence. SOURCE 0 seals that diligence."

