2 Aug 2026 — first EU AI Act transparency obligations apply. Counting down.

The founding cohort shapes the schema. Then we ship.

The first 5 providers and 5 deployers set the schema direction before public launch. Direct founder access, no platform fee, schema input on the record. After this cohort, the schema is locked and we iterate around it.

Provider design partner

AI provider with enterprise clients drowning in questionnaires? Help shape the schema.

We reply within a week. No spam, no list, no marketing.

Deployer design partner

Compliance, procurement, or legal lead assessing AI providers? Help shape the schema.

We reply within a week. No spam, no list, no marketing.
5 + 5
Founding partner slots
Provider and deployer cohort. Closes when filled — schema input ends at public launch.
1218 mo
Credible compliance build
EU AI Act documentation built credibly takes 12–18 months across a provider portfolio. Starting now is normal.
2 Aug 2026
First EU AI Act deadline — in force
Article 50 transparency obligations apply as scheduled — roughly ten weeks out. The proposed high-risk delays are not yet law.
Founding cohort · Closes when 5 provider + 5 deployer slots filled

Validating the schema in real procurement workflows.

Working with providers actively preparing for EU AI Act obligations, and deployers actively doing AI provider due diligence. We meet weekly. You feed schema input directly to the founder. Records you publish in this phase become reference implementations.

Richard Paddock Founder, ModelCard Exchange
Logo placement on mcxregistry.com
Schema input
Direct founder access
Early-bird pricing when commercial tier launches

Questions we hear.

How does this help with EU AI Act compliance?
MCX gives deployers a structured, versioned source of compliance evidence for the AI providers they consume — mapped to Article 13, Annex IV, and related obligations. We provide the evidence layer; deployers still interpret it against their own compliance posture.
Do providers have to publish their secrets?
No. The schema covers regulatory disclosure fields — intended purpose, risk classification, training data lineage, conformity assessment, evaluation outcomes. It is not a model-architecture or trade-secret dump. Providers control visibility per record: public, gated to verified deployers, or fully private.
Are you a compliance certifier?
No. MCX is a registry, not a certifier. We validate that disclosures conform to the schema structure. We do not validate that disclosure content is accurate, and we are not a Notified Body. Providers attest. Deployers verify. We propagate.
Is the schema open and extensible?
Yes. The schema is published openly under a permissive licence. Domain-specific extensions (healthcare, finance) are layered on top of a regulator-aligned core. Any GRC platform, auditor, or deployer tool can read and validate against it without integrating with us.
What if a provider doesn't use MCX?
Then deployers fall back to whatever process they have today — typically a spreadsheet. The schema is open, so any tool can produce conformant records even without using our registry. The registry adds versioning, identity, propagation, and audit evidence on top.
When does the registry launch?
The design partner phase is live now. Public registry launches with the first cohort of verified providers and deployers. Both provider and deployer onboarding is gated to verified-domain accounts in this phase.
How is this different from Credo AI or OneTrust?
Those are deployer-side governance platforms. Providers interact with them by responding to each deployer's individual portal. MCX is neutral infrastructure — providers publish once into a registry both sides reference. Think SBOM and SPDX for software supply chain, not procurement workflow tooling.
How is this different from Hugging Face model cards?
Model cards are documentation. MCX records are machine-readable disclosure artefacts aligned to specific regulatory articles, with versioning, identity, attestation, and webhook propagation. Different scope, different audience. Providers can publish to both.
Who is responsible for disclosure accuracy?
The publishing provider. Every record carries a formal attestation naming a human accountable for the content. Deployers verify accuracy against their own risk processes. MCX is responsible for the integrity of the registry — that what was published is what is propagated — not for the truthfulness of what providers say.