The C2PA has launched its Conformance Programme, a formal certification process ensuring that implementations of Content Credentials are secure, correct, and interoperable. The programme was soft-launched at the Content Authenticity Summit at Cornell Tech in New York City and is now fully operational, accepting submissions from software developers, device makers, and certification authorities.
The Conformance Programme functions similarly to Bluetooth or Wi-Fi certification programmes: it provides baseline assurance that a product handles C2PA data correctly. Products that pass are placed on a publicly accessible Conforming Products List and receive trusted signing certificates.
Two security levels
The programme introduces two assurance levels. Level 1 covers software-based implementations. Level 2 requires hardware-backed key storage and attestation, a higher security bar that provides stronger trust guarantees. Google's Pixel 10 was the first device to achieve Level 2, the highest currently defined.
Why it matters
Before the Conformance Programme, any product could claim to implement C2PA, but there was no independent verification of that claim. The programme creates accountability: products on the Conforming Products List have been evaluated for technical compliance, security posture, and implementation correctness.
For verification tools, the programme enables a meaningful distinction between credentials signed by conforming products (trusted) and those signed by unrecognised implementations. This is the trust infrastructure that makes C2PA verification meaningful at scale.
The programme was developed over more than a year by the C2PA Conformance Task Force, co-chaired by representatives from Truepic, Arm, and Google. Developers and platform builders can explore the requirements and certification process at c2pa.org/conformance.