EU AI Act High-Risk Documentation: What to Prepare Now
What you need to know: EU AI Act High-Risk Documentation: What to Prepare Now
High-risk AI systems under the EU AI Act must have complete technical documentation by August 2026. This guide covers all nine Annex IV requirements.
If your organisation provides or deploys a high-risk AI system under the EU AI Act, you have a hard deadline: August 2, 2026. By that date, every high-risk AI system covered by Annex III must have complete technical documentation, a conformity assessment on file, and be registered in the EU database maintained by the European Commission.
For many organisations, the documentation requirement is the most time-consuming part of the compliance process — not because the requirements are ambiguous, but because assembling this documentation requires input from engineering, legal, risk, and data teams, and many organisations lack the internal artefacts that Annex IV requires.
This guide explains which systems are high-risk, what each of the nine Annex IV technical documentation sections must contain, and how to structure your technical file.
Which Systems Are High-Risk
Annex III of the EU AI Act lists eight sectors where AI systems are high-risk when they make or significantly influence decisions about natural persons:
- Biometric identification and categorisation of natural persons
- Management and operation of critical infrastructure (energy, water, transport)
- Education and vocational training (admissions decisions, assessment, evaluation, monitoring)
- Employment and workers management (recruitment, selection, promotion, termination, performance monitoring)
- Access to essential private and public services (credit scoring, insurance underwriting, social benefits)
- Law enforcement (risk assessments, polygraphs, evidence evaluation, crime prediction)
- Migration, asylum, and border control management
- Administration of justice and democratic processes
For most commercial organisations, the most relevant categories are employment (CV screening tools, performance monitoring software) and essential services (credit risk models, insurance pricing engines). If your AI system materially influences decisions in these areas, it is high-risk.
Article 6 of the EU AI Act adds a horizontal rule: AI systems that are safety components of products regulated under Annex I EU harmonisation legislation (medical devices, machinery, radio equipment, vehicles) are also high-risk.
The Annex IV Technical Documentation: 9 Required Sections
Annex IV structures technical documentation into nine mandatory sections. Competent authorities may request this documentation at any time, so it must be current and accessible throughout the system's deployed lifetime.
Section 1: General Description of the AI System
This section covers the system's identity and intended purpose. Document: the name, version, and type of AI system; its intended purpose and the specific tasks it performs; the operator categories it is intended for; how the system interacts with hardware or software; and the version of software or firmware the system relies on. This is the entry point for any regulator reviewing the file — it must be clear and complete without technical jargon that obscures the actual function.
Section 2: Detailed Description of Components and Development
This is the most technically intensive section. Document: the methods and steps used to develop the system; the design specifications, including the general logic and key design choices; the main design parameters and their rationale; the system architecture, including computational resources used; and the significant choices made during development including tradeoffs and their justification. For AI systems using machine learning, this includes a description of the training approach, model architecture, and how the model was validated.
Section 3: Description of the Monitoring, Functioning, and Control of the System
Document how the system operates in its deployed environment. This includes: the system's inputs and outputs; the interpretation of outputs; performance under specific conditions; the conditions under which the system may produce incorrect outputs; and technical limitations and known failure modes.
Section 4: Description of the Appropriateness of the Performance Metrics
Under Article 15, high-risk AI systems must achieve appropriate levels of accuracy, robustness, and cybersecurity. Document the performance metrics selected for the system and why they are appropriate for the intended purpose. Justify the threshold levels chosen and explain how they were determined. Include performance across different demographic groups where relevant to bias detection.
Section 5: Description of Human Oversight Measures
Article 14 requires that high-risk AI systems be designed to allow effective human oversight. Document the measures built into the system's design and deployment: the ability to interpret outputs, the mechanism for overriding or stopping the system, how users are informed of automation bias risk, and what training is provided to human operators. Describe the oversight interface and the escalation pathway when the system produces an output that requires human review.
Section 6: Description of the Risk Management System
Article 9 requires a documented risk management process throughout the system's lifecycle. The technical file must summarise this system: the methodology for identifying and estimating risks, the risk evaluation criteria, the mitigation measures implemented, and the residual risks accepted. The risk management system is not a one-time document — it must be updated as the system evolves and as new risks are identified post-deployment.
Section 7: Description of Data and Data Governance
Article 10 requires that training, validation, and testing datasets meet data quality criteria. Document: the dataset characteristics including provenance, size, and format; the data governance practices applied, including how data quality was ensured; the steps taken to identify and address biases in the data; and the criteria for selecting training, validation, and test datasets. For systems using pre-trained models, document the provenance of the pre-trained model and what is known about the data it was trained on.
Section 8: Instructions for Use
Article 13 requires that providers give deployers an instructions-for-use document. The technical file must contain a copy of this document or reference it. The instructions must cover: the system's identity and version; its intended purpose and the specific tasks it is designed for; its capabilities and limitations; the level of accuracy and performance, including expected performance across different groups; any known biases; the expected lifetime; required maintenance; and the human oversight measures expected of the deployer.
Section 9: EU Declaration of Conformity
The final section of the technical file is the EU Declaration of Conformity drawn up under Article 47. This document declares that the system meets the requirements of the AI Act and any other applicable EU legislation, identifies the conformity assessment procedure applied, and is signed by an authorised representative of the provider. Where a notified body was involved, the certificate and the notified body's identification number are included.
How to Organise the Technical File
The Annex IV documentation does not prescribe a specific file format, but it must be maintained in a form that allows competent authorities to assess compliance with the Act. Best practice is to maintain the technical file in a version-controlled document repository with clear section numbering corresponding to Annex IV. Each section should cross-reference the underlying artefacts — training reports, test results, risk registers, architecture diagrams — so that the file serves as an index to supporting evidence as well as a standalone document.
Registration in the EU AI Database (Article 71)
Before placing a high-risk AI system on the market or putting it into service in the EU, providers must register the system in the EU AI database maintained by the European Commission. Registration requires: the provider's name and contact details; the system's name, version, and intended purpose; the Annex III category under which the system is classified; countries of intended deployment; the Declaration of Conformity reference; and contact details for post-market monitoring. The database is publicly accessible for categories specified in Annex VIII.
Conformity Assessment Process
For most standalone software AI systems under Annex III, the conformity assessment route is self-assessment under Annex VI. For AI systems embedded in Annex I products (medical devices, machinery), third-party notified body assessment under Annex VII is required.
Self-assessment involves the provider reviewing the system against all requirements, completing the internal control procedure, drawing up the Declaration of Conformity, and registering in the database. The assessment should be documented — regulators can ask for evidence that the assessment was conducted rigorously, not just that a Declaration exists.
Notified body assessments are conducted by bodies accredited by national authorities and designated by the European Commission. Pipeline for notified body assessments is filling ahead of the August 2026 deadline — organisations requiring third-party assessment should identify a notified body and begin engagement no later than early 2026.
The August 2026 Deadline in Practice
August 2, 2026 is the date by which Annex III high-risk AI systems must be fully compliant — not the date by which compliance preparation must begin. A realistic timeline for building a complete technical file from scratch is four to eight months, assuming the system's architecture is well documented and testing data is available.
Organisations that have not started documentation preparation should treat this as urgent. The risk management system, performance testing, and data governance documentation in particular require time to build properly — they cannot be produced in a documentation sprint in the weeks before the deadline.
Last updated: May 2026. For informational purposes only — not legal advice.
Frequently Asked Questions
Can we use our existing product documentation as the basis for the Annex IV technical file?
In most cases, existing technical documentation covers some but not all of what Annex IV requires. Engineering documentation typically covers system architecture, model specifications, and performance metrics. What it usually lacks is the risk management system documentation, the human oversight measures section, the data governance narrative, and the instructions for use document in the specific form required by Article 13. A gap analysis against all nine Annex IV sections — comparing what you have against what is required — is the most efficient starting point, rather than assuming existing documentation is insufficient or sufficient.
What is the difference between the technical documentation requirement and the conformity assessment?
Technical documentation (Annex IV) is the underlying body of evidence that demonstrates the system meets the requirements of Articles 9–15. The conformity assessment is the process of reviewing that documentation and the system against the Act's requirements, concluding that it complies, and drawing up the EU Declaration of Conformity. The documentation must exist before the conformity assessment can be completed — it is the input to the assessment, not an output. After the assessment, the Declaration of Conformity becomes section 9 of the technical file, and the complete file is retained for 10 years under Article 18.
How long must technical documentation be retained under the EU AI Act?
Article 18 requires that the technical documentation be kept for a period of 10 years after the high-risk AI system has been placed on the market or put into service. This 10-year retention period runs from the date the system entered service, not from the date the documentation was completed. If a system is updated or a new version is deployed, the documentation for each version must be retained for 10 years from that version's deployment date. Competent authorities can request documentation at any point during this retention period, and failure to produce it on request is itself a compliance failure.
Sources
- EUR-Lex, Regulation (EU) 2024/1689 (EU AI Act), Annex IV and Articles 9–18, 47, 71: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
- European Commission, EU AI Act implementation and high-risk AI guidance: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- ENISA, AI risk assessment methodology for high-risk AI systems: https://www.enisa.europa.eu/topics/artificial-intelligence
- European AI Office, guidance on conformity assessment procedures: https://digital-strategy.ec.europa.eu/en/policies/european-ai-office
Key takeaways: EU AI Act High-Risk Documentation: What to Prepare Now
This article covers: Which Systems Are High-Risk, The Annex IV Technical Documentation: 9 Required Sections, How to Organise the Technical File.
- Which Systems Are High-Risk
- The Annex IV Technical Documentation: 9 Required Sections
- How to Organise the Technical File
- Registration in the EU AI Database (Article 71)
- Conformity Assessment Process
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
For informational purposes only. Consult qualified legal counsel.
Get the weekly EU compliance briefing — 2 minutes, every Thursday.
Related Regulation
EU AI Act
Official EuroComply guide to EU AI Act