Annexes — referenced by Article 53(1)(b)Article Annex XII

Annex XII: Transparency Information for Providers and Users of GPAI Models

In effect since 2 Aug 20255 min readEUR-Lex verified Apr 2026

Annex XII specifies the information that providers of GPAI models must make available to downstream providers who integrate the model into AI systems. Required by Article 53(1)(b), this annex ensures that downstream integrators have enough information to comply with their own AI Act obligations — especially for high-risk systems under Chapter III. The information covers: model capabilities and limitations, intended and reasonably foreseeable uses, integration instructions, risk information, and computational resources. Together with Annex XI (technical documentation), Annex XII completes the GPAI provider's information duties.

Start free assessment All articles

Who does this apply to?

-Providers of GPAI models making models available for downstream integration
-Downstream AI system providers who need Annex XII information to comply with Chapter III
-Product and engineering teams building high-risk systems on top of GPAI models
-Compliance teams verifying that GPAI supplier information meets Annex XII requirements

Scenarios

A GPAI model provider publishes a detailed model card covering capabilities, limitations, recommended uses, and integration guidance alongside API documentation.

Aligned with Annex XII — downstream providers can use this information to fulfil their own Article 9 (risk management) and Article 13 (transparency) obligations.

Ref. Annex XII + Art. 53(1)(b)

A GPAI provider releases a model with minimal documentation: only a parameter count and a generic 'use at your own risk' disclaimer.

Likely non-compliant with Annex XII — downstream providers cannot meet their Chapter III obligations without the required information.

Ref. Annex XII

A downstream provider building a high-risk HR system requests Annex XII information from its GPAI supplier to populate Annex IV technical documentation.

Correct workflow: GPAI provider supplies Annex XII information, downstream provider uses it to build Annex IV sections on the underlying model.

Ref. Annex XII + Annex IV

What Annex XII requires (plain terms)

GPAI model providers must supply downstream integrators with information covering:

1. Model capabilities and limitations — what the model can and cannot do, performance ranges, known failure modes 2. Intended and reasonably foreseeable uses — purpose, recommended applications, and foreseeable misuse scenarios 3. Integration and use instructions — how to integrate the model, input/output specifications, operational constraints 4. Risk information — known risks, biases, safety concerns, and limitations relevant to downstream risk management 5. Computational resource requirements — hardware, inference compute, latency profiles 6. Training information relevant to downstream compliance — data characteristics, training methodology summaries

The level of detail must be sufficient for downstream providers to meet their Chapter III obligations (risk management, data governance, transparency, accuracy/robustness). Always check the exact list on EUR-Lex Annex XII.

Annex XII vs Annex XI — what's the difference?

| | Annex XI (Technical Documentation) | Annex XII (Transparency Information) | |---|---|---| | Required by | Art. 53(1)(a) | Art. 53(1)(b) | | Audience | AI Office, regulators | Downstream providers | | Purpose | Prove the GPAI model itself is documented | Enable downstream compliance | | Confidentiality | May contain trade secrets | Must be practically usable by integrators |

Annex XI is the upstream regulator-facing dossier; Annex XII is the downstream integrator-facing information package. Both are mandatory for all GPAI providers.

How Annex XII connects to the rest of the Act

Article 53(1)(b) — The direct legal hook requiring Annex XII information.
Article 53(1)(c) — Copyright policy information (complementary to Annex XII).
Annex XI — Technical documentation (the regulator-facing counterpart).
Annex IV — High-risk tech doc that downstream providers populate using Annex XII info.
Article 9 — Downstream risk management depends on Annex XII risk information.
Article 13 — Downstream transparency to deployers requires upstream Annex XII data.
Article 56 — Codes of practice may specify how to provide Annex XII information.

Recitals (preamble) on EUR-Lex

The recitals in the same consolidated AI Act on EUR-Lex contextualise the value chain transparency rationale, the enabling role of GPAI information for downstream compliance, and the balance with trade secret protection. Use the official preamble on EUR-Lex.

Compliance checklist

Map each Annex XII heading to an information artefact (model card, API docs, risk sheet, integration guide).
Ensure information is detailed enough for downstream providers to populate Annex IV technical documentation.
Include known limitations, biases, and failure modes — not just capabilities.
Provide computational resource requirements (hardware, inference, latency).
Update Annex XII information with each model version or significant change.
Deliver information in a format accessible to downstream providers (not buried in research papers).
Track downstream provider feedback on information adequacy.

Read the official text on EUR-Lex

Check your GPAI transparency information against Annex XII—free assessment.

Start Free Assessment

Article 53: Obligations for Providers of General-Purpose AI Models

Article 55: Obligations for Providers of GPAI Models with Systemic Risk

Article 56: Codes of Practice for GPAI Models

Article 9: Risk Management System

Article 13: Transparency and provision of information to deployers

Article 101: Fines for Providers of General-Purpose AI Models

Article 113: Entry into Force and Application Dates

Annex XI: Technical Documentation for Providers of General-Purpose AI Models

Annex IV: Technical Documentation for High-Risk AI Systems

Related annexes

Annex XI — GPAI technical documentation (regulator-facing counterpart)
Annex IV — High-risk tech doc that downstream providers populate with Annex XII info

Frequently asked questions

Is a model card enough to satisfy Annex XII?

A model card is a good starting point but may not cover all Annex XII elements (e.g. computational resource details, integration instructions for compliance purposes). Gap-analyse against the Annex XII list.

Can we protect trade secrets while complying with Annex XII?

Yes. Annex XII requires information sufficient for downstream compliance — not full model internals. You can structure information to be practically useful without revealing proprietary architecture or training details.

What if a downstream provider builds a high-risk system and we didn't provide enough info?

Both parties face exposure: the GPAI provider for insufficient Annex XII information, and the downstream provider for insufficient Annex IV documentation. The value chain must cooperate.

On this page

Key terms

Downstream provider: A provider of an AI system that integrates a GPAI model — they depend on Annex XII information to comply with their own Chapter III or other AI Act obligations.
Model card: A documentation format commonly used to communicate model capabilities, limitations, and intended uses — aligns with but does not fully substitute for Annex XII.
Integration guidance: The information GPAI model providers must supply to downstream providers to enable correct integration, including capabilities, limitations, and intended uses of the model.

Maximum penalties (Art. 99)

3% of turnover / Up to EUR 15 million or 3% of global annual turnover for GPAI infringements under Article 101
SMEs / start-ups: Proportionate to size
Failure to provide Annex XII information blocks downstream providers from meeting Chapter III obligations — compounding enforcement risk across the value chain.

Timeline

2 Aug 2025
Annex XII transparency information obligations applied as part of Chapter V.

At a glance

Article: Annex XII
Status: Applicable now
Timeline: 2 Aug 2025
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now