Conformy

Annex IV — Technical Documentation

A detailed guide to the documentation requirements that the EU AI Act imposes on providers of high-risk AI systems. What each section covers and how to create the documentation.

Last updated: March 2026

What is Annex IV?

Annex IV to the EU AI Act (EU 2024/1689) specifies the technical documentation that providers of high-risk AI systems must prepare under Article 11. It is one of the most concrete and comprehensive obligations in the entire regulation.

The purpose of the documentation is to demonstrate that the AI system meets the requirements in Chapter III, Section 2 — including risk management, data governance, transparency, human oversight, and cybersecurity. The documentation must be sufficiently detailed for a national supervisory authority to assess the system’s compliance.

The documentation must be prepared before the system is placed on the market or put into service, and must be kept up to date throughout the system’s lifecycle.

Who needs to prepare Annex IV documentation?

The requirement applies to providers of high-risk AI systems. This includes:

  • Companies that develop their own AI systems and place them on the EU market
  • Organizations that adapt or fine-tune existing AI models for high-risk applications
  • Third-country providers whose AI systems are used within the EU
  • Importers or distributors who make substantial modifications to an AI system (they then become providers)

Deployers (users) do not need to prepare Annex IV documentation, but have other obligations — including FRIA under Article 27.

Exception: Providers covered by sector-specific EU legislation (Annex I, e.g., medical devices) may need to adapt the documentation to the requirements already in that sector legislation. But Annex IV applies as the baseline.

The 9 sections of Annex IV

Annex IV specifies nine main areas that the technical documentation must cover. Here we explain what each section entails.

1. General description of the AI system

An overall description of the system’s intended purpose, developer, version, and how the system interacts with hardware and software. Includes the system’s name, its function in plain language, and a description of who it is intended for.

2. Detailed description of the system’s components and development process

Methodology, design choices, and architectural decisions. Description of computational resources, model selection (including why a particular model type was chosen), training methodology, validation techniques, and test results. Also technical specifications such as inputs, outputs, and interfaces.

3. Information on monitoring, functioning, and control

Description of how the system is monitored during operation, its capabilities and limitations, expected performance under different conditions, and the degree of human oversight. Includes information on the system’s predictability and interpretability.

4. Appropriateness of the performance metrics

Description of the metrics used to measure the system’s accuracy, robustness, and other relevant performance, and why these metrics are appropriate for the intended purpose. Includes the expected levels of accuracy and the limits of that accuracy.

5. Description of the risk management system

Documentation of the risk management system established under Article 9: identified risks, assessment of likelihood and severity, measures taken, and residual risks. Must demonstrate that risks have been managed systematically and iteratively.

6. Relevant changes made throughout the system’s lifecycle

Description of any relevant changes made by the provider to the system throughout its lifecycle, including version management and change management processes that keep the documentation up to date.

7. Harmonised standards applied

List of the harmonised standards applied in full or in part. Where no harmonised standards have been applied, a description of the other solutions used to meet the requirements, including a list of other relevant standards or common specifications applied.

8. Copy of the EU declaration of conformity

A copy of the EU declaration of conformity for the system, by which the provider takes responsibility for compliance with the applicable requirements of the regulation.

9. Description of the post-market monitoring system

Detailed description of the post-market monitoring system established under Article 72: how the provider collects and reviews experience from systems in use, and the post-market monitoring plan that supports it.

Step by step: How to create the documentation

Creating Annex IV documentation may seem overwhelming, but with the right structure and tools it doesn’t have to be. Here is a recommended approach:

  1. Classify your system — Confirm that your AI system is high-risk by reviewing the criteria in Annex III. Use our free classification.
  2. Inventory existing documentation — Most organizations already have parts of the information needed: architecture documents, data flow descriptions, test reports, and risk analyses. Gather what exists.
  3. Create a structured draft — Use the nine-part structure of Annex IV as a template. Our documentation tool generates a complete draft based on your answers.
  4. Fill in technical details — Supplement the draft with specific information about your model, data, performance, risks, and test results.
  5. Legal review — Have a lawyer or compliance specialist review the documentation. Verify that all requirements in Article 11 are met.
  6. Establish maintenance processes — Annex IV is not a one-time document. Plan for ongoing updates with every substantial change to the system.

Common mistakes to avoid

  • Waiting too long — The documentation must exist before the system is released. Starting afterwards means risk of gaps and delays.
  • Too vague risk assessment — Describe concrete risks, not just general ones. "Risk of bias" is not sufficient — specify which groups may be affected and what measures have been taken.
  • Insufficient data documentation — Section 5 (data) is often the most deficient. Track data sources, preprocessing, and quality controls from the start.
  • No update plan — Documentation without a lifecycle plan does not meet the requirements. Define when and how the documentation will be updated.
  • Confusing provider and deployer — Annex IV applies to providers. Deployers have other obligations. Ensure the right person in your organization owns the right documentation.

Start creating your documentation

Instead of starting with a blank document, you can use our tool to generate a structured Annex IV draft. Answer questions about your AI system, and we’ll create a complete draft covering all nine sections.

The draft is ready for review by your lawyer or compliance specialist. You can export it as PDF.

Generate your Annex IV draft

Answer questions about your AI system and get a structured documentation draft — ready for review. Start with 15 free credits.

Create documentation