← All EU AI Act guides

Annex IV Technical Documentation: a Practical Checklist

Annex IV Technical Documentation: a Practical Checklist

TL;DR — [Annex IV of the EU AI Act][1] sets out mandatory technical documentation requirements for high-risk AI systems. Providers must compile detailed records covering system design, testing, performance data, risk assessments, and instructions for use. Documentation must be kept for the system's lifecycle and made available to competent authorities upon request. It forms the compliance backbone for demonstrating due diligence under Articles 10–15.


What is Annex IV technical documentation?

[Annex IV of Regulation (EU) 2024/1689][1] establishes the content and structure of technical documentation that high-risk AI system providers must prepare and maintain. This documentation serves as evidence of compliance with the EU AI Act's substantive requirements and enables regulators to assess conformity, risk mitigation, and post-market surveillance.

Why is Annex IV documentation required?

Technical documentation is the primary mechanism through which AI providers demonstrate that their systems comply with the EU AI Act's obligations on risk assessment, testing, performance monitoring, and human oversight. It creates an auditable trail and enables competent authorities, notified bodies, and market surveillance officials to verify claims and investigate incidents.

What must be included in Annex IV documentation?

According to [Annex IV][1], technical documentation shall include (as applicable):

  • System description: purpose, intended use, and foreseeable misuse
  • Development process: data sourcing, annotation practices, algorithm selection
  • Risk assessment: identification and mitigation of known and foreseeable risks (per Article 10)
  • Testing and validation protocols: datasets, metrics, performance thresholds, and results
  • Training and fine-tuning records: hyperparameters, convergence criteria, dataset characteristics
  • Performance data: accuracy, robustness, cybersecurity testing results
  • Human oversight measures: design of user interfaces enabling human intervention
  • Instructions for use: operational guidance and limitation statements
  • Post-market monitoring plan: how performance will be tracked after deployment
  • Logging and audit trail capability: technical means to record decisions and system behaviour
  • EU declaration of conformity (Article 49)

Who must prepare Annex IV documentation?

Providers of high-risk AI systems, as defined in [Article 6 and Annex III][1], must prepare and maintain this documentation. For systems classified as high-risk, documentation is non-optional and failure to maintain it is a compliance breach.

When must documentation be completed?

Documentation must be prepared before a high-risk AI system is placed on the market or put into service. It must be kept updated throughout the system's lifecycle, reflecting material changes, retraining, or performance degradation. Documentation must remain available for at least 10 years after the system ceases to be placed on the market or put into service.

How detailed must Annex IV documentation be?

[Annex IV][1] does not prescribe a fixed length or format. Documentation must be "sufficiently detailed and comprehensive" to enable competent authorities to assess compliance. The standard is functional completeness: all elements listed in Annex IV must be addressed, with enough technical specificity to be reproducible or verifiable. Boilerplate language or placeholder sections will not satisfy this requirement.

Is there a prescribed format or template?

[Annex IV][1] does not mandate a single template or format. Providers may structure documentation as they choose, provided all required elements are covered. Some organisations use a modular approach; others use a single comprehensive dossier. The format is less important than exhaustiveness and accessibility to regulators.

What if a system uses third-party components or pre-trained models?

Providers remain responsible for the entire system. Where third-party components are used, documentation must identify them, describe how they are integrated, and specify what performance and risk data the provider has obtained or generated. Pre-trained models require documentation of their training data, known limitations, and performance in the provider's specific use case.

How should documentation be organized for regulators?

While [Annex IV][1] permits flexibility, best practice is to:

  • Use a clear table of contents with cross-references
  • Maintain version control with dates and change logs
  • Store originals (code, datasets, training logs) in retrievable formats
  • Separate confidential information (via technical file with restricted access) from public summaries
  • Ensure the document is language-accessible to the relevant national authority

What happens if Annex IV documentation is incomplete or missing?

A system lacking compliant Annex IV documentation is presumed non-compliant. Competent authorities may:

  • Prohibit market access or require withdrawal
  • Issue enforcement notices requiring remediation
  • Impose fines (up to €30 million or 6% of annual global turnover, whichever is higher; see Article 99)
  • Initiate post-market surveillance to verify actual system behaviour

Can Annex IV documentation be withheld for confidentiality reasons?

Providers may mark portions as commercially confidential (e.g., proprietary algorithms, financial terms) and request protective handling by authorities. However, core technical elements—design, testing data, performance metrics, and risk mitigation—cannot be withheld. Regulators must access sufficient information to assess compliance. National data protection laws apply, but they do not override the AI Act's transparency obligations to authorities.


Frequently asked questions

Q: Is Annex IV documentation required for all AI systems?
A: No. [Annex IV][1] applies only to high-risk AI systems, as listed in [Annex III][1]. Lower-risk systems have lighter or no documentation obligations.

Q: Do SMEs get relief from Annex IV requirements?
A: [Recital 41][1] encourages support for SMEs in documenting compliance, but the substantive requirements are the same. Some authorities may offer guidance or simplified templates, but providers cannot skip elements.

Q: Must Annex IV documentation be in English?
A: [Annex IV][1] does not mandate English. However, most competent authorities operate in their national language and English. Providing a version in the language of the primary market and a technical English summary is practical.

Q: How often must Annex IV documentation be updated?
A: Whenever the system undergoes material changes (retraining, architecture modification, new use case). Minor updates (e.g., performance tracking) can be appended. A full refresh every 12–24 months for continuously learning systems is a common practice benchmark.

Q: Can we use an EU declaration of conformity instead of Annex IV documentation?
A: No. The [EU declaration of conformity (Article 49)][1] is a separate compliance statement; Annex IV documentation is the technical record supporting it. Both are required.

Q: What role does Annex IV play in notified body audits?
A: For high-risk systems subject to third-party conformity assessment (Article 43), notified bodies will audit Annex IV documentation as part of their review. It is the primary evidence they examine.


Sources

[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 September 2024 on artificial intelligence (EU AI Act) — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689


This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.