EU AI Act Annex IV Documentation: The 9 Sections You Must Write

The EU AI Act imposes a clear documentation obligation on providers of high-risk AI systems. Article 11 of the Act states that providers must draw up technical documentation before placing a high-risk AI system on the market or putting it into service. That documentation must be kept up to date throughout the system's lifecycle and made available to national competent authorities upon request.

The specific content required in that documentation is defined in Annex IV. It lists nine distinct sections, each targeting a different dimension of the AI system. Failing to populate any one of them is not a minor gap — it is a compliance failure that can block market access or trigger regulatory action once the high-risk provisions enter full application in August 2026.

This article walks through each of the nine sections, explains what regulators expect to see, and highlights the practical steps providers must take to get compliant before the deadline.

Why Technical Documentation Matters Under Article 11

Article 11 does not simply ask for a summary brochure. It requires documentation substantial enough to allow a conformity assessment body — or a national authority — to evaluate whether the system meets all applicable requirements. The documentation must cover the system's design, its training data, its intended purpose, its known limitations, and the measures taken to manage risk throughout development and deployment.

Article 18 reinforces this by specifying that the technical documentation referred to in Article 11 must follow the structure set out in Annex IV. This creates a direct, non-negotiable link between the obligation and the format.

The August 2026 Deadline

High-risk AI systems listed in Annex III (covering areas such as employment, education, law enforcement, critical infrastructure, and access to essential services) must comply with all Chapter 3 obligations — including Article 11 and Annex IV documentation — by 2 August 2026. Systems already on the market before that date are given a transitional window, but providers should not mistake that window for an exemption. Competent authorities will begin enforcement from that date, and the documentation must be in place before, not after, an inspection.

Annex IV Section 1: General Description of the AI System

The first section requires a general description of the system. This includes its intended purpose, the version number or identifier, how it interacts with hardware or software components it is not itself part of, and the basic logic — including key design choices. Where the system uses machine learning, the general description must also cover the key choices involved in training the model.

Providers often underestimate this section by treating it as a product overview. Regulators expect it to be technically precise: what does the system actually do, what problem does it solve, and what are the constraints of that purpose?

Annex IV Section 2: Detailed Description of the Elements and Development Process

Section 2 is the most technically demanding. It requires a detailed description of the development process, including the methods used to develop the system, the design specifications, the architectural choices, and the algorithms. Where the system is trained, the documentation must describe the training methodology, the techniques used to ensure that the training data is relevant and fit for purpose, and the data governance measures applied.

This section must also address the measures taken to detect and correct bias. Providers working with third-party datasets will need contractual and technical evidence that the data meets Annex IV standards, not just a data processing agreement.

Annex IV Section 3: Information on Training and Testing Data

Section 3 requires documentation about the datasets used to train, validate, and test the system. For each dataset, providers must describe its provenance, scope, main characteristics, how it was collected, how it was labelled, and how it was processed. Where personal data was used, the legal basis for processing must be documented.

This section directly intersects with GDPR obligations. Providers processing personal data to train models must ensure their Annex IV documentation and their GDPR records of processing activities are consistent and cross-referenced.

Annex IV Section 4: Validation and Testing Procedures

Section 4 covers the validation and testing procedures used to evaluate the system's performance. It must include the metrics used to measure accuracy, robustness, and cybersecurity, as well as the test results. Where the system was tested against recognised standards, those standards and the outcomes must be cited.

Regulators will look for evidence that testing was rigorous and that its results informed changes to the system before deployment — not that testing was run as a checkbox exercise after development was complete.

Annex IV Section 5: Monitoring, Functioning, and Control of the System

Section 5 addresses how the system is monitored once deployed. It must describe the technical measures that allow human oversight as required by Article 14, including any features that allow operators to interrupt, stop, or override the system. It must also describe how performance is monitored in real-world conditions and how drift or degradation in outputs is detected.

This section is closely tied to the post-market monitoring obligations in Article 61. Providers must maintain a system-level view of post-deployment performance, and the Annex IV documentation must describe how that system works.

Annex IV Section 6: Risk Management System Description

Section 6 requires documentation of the risk management process as specified in Article 9. This includes the identification and analysis of known and foreseeable risks, the risk estimation and evaluation procedures, the risk mitigation measures adopted, and the residual risks that remain after mitigation.

The risk management system must be iterative: it must be updated as the system evolves and as new risks emerge. The documentation must reflect the current state of the risk register, not just the state at initial development.

Annex IV Section 7: Changes Made to the System Through Its Lifecycle

Section 7 requires documentation of any substantial modifications made to the system after initial deployment. A substantial modification is defined in Article 3(23) as a change that affects the system's compliance with the essential requirements or changes its intended purpose.

Every substantial modification effectively resets the conformity assessment clock. Providers must maintain a change log that distinguishes between routine updates and substantial modifications, with supporting evidence that the latter triggered a fresh compliance review.

Annex IV Section 8: Standards and Technical Specifications Applied

Section 8 lists the harmonised standards or common specifications applied during development. Where harmonised standards have been published under the AI Act, applying them creates a presumption of conformity. Where a provider chooses not to apply them, the documentation must explain the alternative measures taken to meet the corresponding requirements.

As of mid-2026, the European standardisation organisations are still finalising key standards. Providers should track CEN-CENELEC Joint Technical Committee 21 output and document their compliance approach as standards are published.

Annex IV Section 9: EU Declaration of Conformity

Section 9 requires a copy of the EU declaration of conformity issued under Article 47. This declaration confirms that the provider has assessed the system against all applicable requirements and that the system is compliant. It must identify the system, the provider, the notified body (where applicable), and the legal provisions to which the system conforms.

The declaration of conformity is not boilerplate — it is a legally binding statement. Providers who issue it without completed documentation for sections 1 through 8 expose themselves to significant liability.

Practical Steps for Compliance Before August 2026

Providers of high-risk AI systems should begin by conducting a gap assessment against all nine sections. For most organisations, sections 2, 3, and 6 require the most preparation — they demand detailed technical records that must be gathered from across the development pipeline, not written retrospectively.

A documentation lead should be assigned with authority to gather input from engineering, data science, legal, and product teams. The nine sections do not map neatly onto any single department's work.

Where third-party components are used, providers must obtain contractual commitments from suppliers to provide the information needed to complete sections 2, 3, and 8. Article 25 addresses the obligations of distributors and importers in this chain.

Finally, documentation must be version-controlled and stored in a format that can be retrieved quickly if a competent authority requests it under Article 18. A PDF buried in an email thread does not meet that standard.

Frequently Asked Questions

Which AI systems must comply with Annex IV? All high-risk AI systems listed in Annex III of the EU AI Act, covering sectors including employment screening, educational access, credit scoring, biometric categorisation, law enforcement, border control, and administration of justice. Systems embedded in products covered by Annex II safety legislation are also subject to Annex IV requirements.

Does Annex IV apply to AI systems developed before August 2026? Existing systems placed on the market before the high-risk provisions apply (2 August 2026) benefit from a transitional arrangement if they have not been substantially modified. However, providers should not rely on this without legal advice, as enforcement scope can vary by sector.

What happens if a notified body finds Annex IV documentation incomplete? The conformity assessment will not be concluded successfully, which means the provider cannot affix the CE marking or issue a valid EU declaration of conformity. The system cannot lawfully be placed on the EU market in that state.

How long must Annex IV documentation be retained? Article 18 requires that the technical documentation and the EU declaration of conformity be kept for ten years after the AI system is placed on the market or put into service.

Can the documentation be in any language? The documentation must be available in a language that can be readily understood by the competent authority of the member state where it is requested. In practice, providers operating across multiple member states should plan for translations.

Sources

• Regulation (EU) 2024/1689 of the European Parliament and of the Council (EU AI Act), Article 11 (Technical documentation), Article 18 (Conservation of documentation), Article 47 (EU Declaration of Conformity)
• EU AI Act, Annex IV (Technical documentation referred to in Article 11(1))
• EU AI Act, Article 9 (Risk management system), Article 14 (Human oversight), Article 61 (Post-market monitoring)
• EU AI Act, Article 3(23) (Definition of substantial modification), Article 25 (Obligations of distributors)
• CEN-CENELEC JTC 21 standardisation roadmap for the AI Act (2025–2026)