EU AI Act compliance · Design partner cohort open
2 Aug 2026 — first EU AI Act transparency obligations apply. ~10 weeks out.
The disclosure registry for the EU AI Act

Vendors disclose once. Buyers verify fast.

AI vendors publish Article 13 and Annex IV-aligned records once into a neutral registry. Enterprise buyers retrieve them instantly by API — with versioning, identity, and audit-grade evidence built in.

Vendors — one structured record replaces a stack of repeat questionnaires
Buyers — real-time, machine-readable disclosures replace stale PDFs
Auditors — versioned records with full change history for compliance evidence
Become a design partner See the API
Aligned with
EU AI Act NIST AI RMF ISO 42001
The problem

Two sides of the same broken process.

Procurement teams wait for stale PDFs. Vendor compliance teams answer the same questionnaire forty times. Neither side has machine-readable evidence. Under the EU AI Act, that's no longer just inefficient — it's a legal liability.

For AI vendors

Drowning in questionnaires.

AI vendors with enterprise pipelines answer the same questions dozens of times a year. Every buyer sends a different format. Every deal repeats the manual effort. There is no publish once — until now.

Weeks of effort   lost per vendor, per year, to duplicate disclosure work
For enterprise buyers

On the hook for every third-party AI model.

Procurement teams assess a growing roster of AI vendors a year: send spreadsheet, wait two weeks, receive a stale PDF, repeat at every renewal. "The vendor said it was compliant" is not an audit trail under the EU AI Act.

Not machine-readable   today's vendor disclosures arrive as PDFs and spreadsheets
Why ModelCard Exchange

Built on open standards. Backed by real vendors and buyers.

01 — Regulatory alignment

Mapped to EU AI Act, NIST AI RMF, ISO 42001.

Every schema field traces back to specific regulatory articles. The schema is published openly so any tool, GRC platform, or auditor can integrate. No black box.

02 — Open by design

Not a walled garden. Open schema, neutral registry.

Same model as SPDX, OpenAPI, OAuth. Vendors publish once. Any buyer, any tool, any auditor can subscribe and verify. The network is the moat, not the software.

03 — Verified vendors

Identity and provenance built in.

Vendor identity verified at the organisation level. Every disclosure change logged and tamper-evident. Auditors get the cryptographic proof they need without chasing PDFs.

The five primitives

The whole platform, nothing more.

Every feature traces back to one of these five. Anything that doesn't is out of scope.

01
Registry
Canonical source of disclosure records
02
Schema
Standardised structure for disclosures
03
Versioning
Every change tracked with full history
04
APIs
Machine-readable retrieval for buyers
05
Webhooks
Real-time propagation when records change
The core workflow

Vendor publishes. Buyer subscribes. Webhook fires.

1

Vendor publishes

A schema-validated disclosure record — once, not per buyer.

2

Platform versions

Every change indexed and timestamped. Full audit trail.

3

Buyer subscribes

Pull records via API into existing GRC or procurement workflows.

4

Webhook fires

Material change — risk class, conformity, training data — propagates instantly.

5

Buyer audits

Structured evidence export. No PDFs. No emails. No chasing.

Regulatory timeline

The first deadline is weeks away — and not deferred.

The bulk of Article 50 transparency duties apply 2 August 2026, as originally scheduled. A May 2026 proposal would push the high-risk deadlines back — but it is not yet law. Building the evidence early is the only safe assumption. Mapped to 15+ EU AI Act articles plus NIST AI RMF and ISO 42001 →

Don't bank on the delay.

The 7 May 2026 Digital Omnibus reached only a provisional agreement to defer high-risk deadlines — Parliament and Council still have to formally adopt it. The August 2026 transparency obligations were never part of that deferral. Credible compliance evidence takes 12–18 months to build, so starting now is the only position that holds either way.

2 Aug 2026
In force Article 50 transparency obligations — chatbot disclosure, deepfake and AI-content labelling — apply as originally scheduled.
2 Dec 2026
Proposed AI-content watermarking grace period for systems already on the market — pending formal adoption of the Omnibus.
2 Dec 2027
Proposed Annex III high-risk AI systems — credit scoring, biometric ID, employment, critical infrastructure — pending EU adoption.
2 Aug 2028
Proposed Annex I embedded high-risk products (medical devices, vehicles) — pending EU adoption.
The API

Buyers pull records. Then subscribe for changes.

Concrete, machine-readable, predictable. The API is the product surface — every disclosure record is reachable in one call, and every material change emits a signed webhook.

curl python typescript api.modelcardexchange.io 
# Buyer: retrieve a vendor's current disclosure record
GET /v1/disclosures/acme-fraud-v3

{
  "slug":                  "dsc_01J6X4M9",
  "publisher":             "acme.ai",
  "publisher_role":        "provider",
  "model_id":              "acme-fraud-v3",
  "risk_class":            "high",
  "lifecycle_status":      "production",
  "version":               12,
  "schema_version":        "0.1.0",
  "updated_at":            "2026-05-08T14:32Z",
  "training_data_cutoff":  "2025-12-31",
  "intended_purpose":      "Card-not-present fraud detection...",
  "conformity_assessment": "third_party_notified_body",
  "attestation": {
    "attestor":             "chief_compliance_officer@acme.ai",
    "attested_at":          "2026-05-08T14:31Z"
  }
}

# Subscribe: webhooks fire on disclosure.updated,
# risk_class.changed, training_data.changed, incident.critical_alert
POST /v1/subscriptions
Design partner programme

The founding cohort shapes the schema. Then we ship.

The first 5 vendors and 5 buyers set the schema direction before public launch. Direct founder access, no platform fee, schema input on the record. After this cohort, the schema is locked and we iterate around it.

5 + 5
Founding partner slots
Vendor and buyer cohort. Closes when filled — schema input ends at public launch.
1218 mo
Credible compliance build
EU AI Act documentation built credibly takes 12–18 months across a vendor portfolio. Starting now is normal.
2 Aug 2026
First EU AI Act deadline — in force
Article 50 transparency obligations apply as scheduled — roughly ten weeks out. The proposed high-risk delays are not yet law.
Founding cohort · Closes when 5 vendor + 5 buyer slots filled

Validating the schema in real procurement workflows.

Working with vendors actively preparing for EU AI Act obligations, and buyers actively doing AI vendor due diligence. We meet weekly. You feed schema input directly to the founder. Records you publish in this phase become reference implementations.

Optional logo placement when launched
Schema input
Direct founder access
Early-bird pricing when commercial tier launches

Vendor design partner

AI vendor with enterprise clients drowning in questionnaires? Help shape the schema.

We reply within a week. No spam, no list, no marketing.

Buyer design partner

Compliance, procurement, or legal lead assessing AI vendors? Help shape the schema.

We reply within a week. No spam, no list, no marketing.
FAQ

Questions we hear.

How does this help with EU AI Act compliance?
MCX gives buyers a structured, versioned source of compliance evidence for the AI vendors they consume — mapped to Article 13, Annex IV, and related obligations. We provide the evidence layer; buyers still interpret it against their own compliance posture.
Do vendors have to publish their secrets?
No. The schema covers regulatory disclosure fields — intended purpose, risk classification, training data lineage, conformity assessment, evaluation outcomes. It is not a model-architecture or trade-secret dump. Vendors control visibility per record: public, gated to verified buyers, or fully private.
Are you a compliance certifier?
No. MCX is a registry, not a certifier. We validate that disclosures conform to the schema structure. We do not validate that disclosure content is accurate, and we are not a Notified Body. Vendors attest. Buyers verify. We propagate.
Is the schema open and extensible?
Yes. The schema is published openly under a permissive licence. Domain-specific extensions (healthcare, finance) are layered on top of a regulator-aligned core. Any GRC platform, auditor, or buyer tool can read and validate against it without integrating with us.
What if a vendor doesn't use MCX?
Then buyers fall back to whatever process they have today — typically a spreadsheet. The schema is open, so any tool can produce conformant records even without using our registry. The registry adds versioning, identity, propagation, and audit evidence on top.
When does the registry launch?
The design partner phase is live now. Public registry launches with the first cohort of verified vendors and buyers. Both vendor and buyer onboarding is gated to verified-domain accounts in this phase.
How is this different from Credo AI or OneTrust?
Those are buyer-side governance platforms. Vendors interact with them by responding to each buyer's individual portal. MCX is neutral infrastructure — vendors publish once into a registry both sides reference. Think SBOM and SPDX for software supply chain, not procurement workflow tooling.
How is this different from Hugging Face model cards?
Model cards are documentation. MCX records are machine-readable disclosure artefacts aligned to specific regulatory articles, with versioning, identity, attestation, and webhook propagation. Different scope, different audience. Vendors can publish to both.
Who is responsible for disclosure accuracy?
The publishing vendor. Every record carries a formal attestation naming a human accountable for the content. Buyers verify accuracy against their own risk processes. MCX is responsible for the integrity of the registry — that what was published is what is propagated — not for the truthfulness of what vendors say.