ConformySV

Annex IV — Technical Documentation

A detailed guide to the documentation requirements that the EU AI Act imposes on providers of high-risk AI systems. What each section covers and how to create the documentation.

Last updated: March 2026

What is Annex IV?

Annex IV to the EU AI Act (EU 2024/1689) specifies the technical documentation that providers of high-risk AI systems must prepare under Article 11. It is one of the most concrete and comprehensive obligations in the entire regulation.

The purpose of the documentation is to demonstrate that the AI system meets the requirements in Chapter III, Section 2 — including risk management, data governance, transparency, human oversight, and cybersecurity. The documentation must be sufficiently detailed for a national supervisory authority to assess the system’s compliance.

The documentation must be prepared before the system is placed on the market or put into service, and must be kept up to date throughout the system’s lifecycle.

Who needs to prepare Annex IV documentation?

The requirement applies to providers of high-risk AI systems. This includes:

  • Companies that develop their own AI systems and place them on the EU market
  • Organizations that adapt or fine-tune existing AI models for high-risk applications
  • Third-country providers whose AI systems are used within the EU
  • Importers or distributors who make substantial modifications to an AI system (they then become providers)

Deployers (users) do not need to prepare Annex IV documentation, but have other obligations — including FRIA under Article 27.

Exception: Providers covered by sector-specific EU legislation (Annex I, e.g., medical devices) may need to adapt the documentation to the requirements already in that sector legislation. But Annex IV applies as the baseline.

The 9 sections of Annex IV

Annex IV specifies nine main areas that the technical documentation must cover. Here we explain what each section entails.

1. General description of the AI system

An overall description of the system’s intended purpose, developer, version, and how the system interacts with hardware and software. Includes the system’s name, its function in plain language, and a description of who it is intended for.

2. Detailed description of the system’s components and development process

Methodology, design choices, and architectural decisions. Description of computational resources, model selection (including why a particular model type was chosen), training methodology, validation techniques, and test results. Also technical specifications such as inputs, outputs, and interfaces.

3. Information on monitoring, functioning, and control

Description of how the system is monitored during operation, its capabilities and limitations, expected performance under different conditions, and the degree of human oversight. Includes information on the system’s predictability and interpretability.

4. Description of the risk management system

Documentation of the risk management system established under Article 9: identified risks, assessment of likelihood and severity, measures taken, and residual risks. Must demonstrate that risks have been managed systematically and iteratively.

5. Use of data — data governance and data quality

Detailed description of training, validation, and test data: data sources, data collection methods, preprocessing, labeling, data volume, and data quality measures. Must demonstrate that data meets the requirements in Article 10, including relevance, representativeness, and error handling.

6. Information on logging (recording of activities)

Description of the automatic logging capabilities required under Article 12: what data is logged, retention period, format, and how logs can be used for post-control and incident investigation.

7. Description of changes throughout the system’s lifecycle

Plan for how the system will be maintained, updated, and monitored after deployment. Includes version management, change management processes, and procedures for re-conformity assessment upon substantial modifications.

8. List of applied standards

List of harmonized standards, common specifications, or other technical specifications that have been applied — in whole or in part. If harmonized standards are missing, describe what other reference points were used.

9. Description of the conformity assessment procedure

Description of the conformity assessment that was conducted, including results and any decisions from notified bodies. A copy of the EU declaration of conformity.

Step by step: How to create the documentation

Creating Annex IV documentation may seem overwhelming, but with the right structure and tools it doesn’t have to be. Here is a recommended approach:

  1. Classify your system — Confirm that your AI system is high-risk by reviewing the criteria in Annex III. Use our free classification.
  2. Inventory existing documentation — Most organizations already have parts of the information needed: architecture documents, data flow descriptions, test reports, and risk analyses. Gather what exists.
  3. Create a structured draft — Use the nine-part structure of Annex IV as a template. Our documentation tool generates a complete draft based on your answers.
  4. Fill in technical details — Supplement the draft with specific information about your model, data, performance, risks, and test results.
  5. Legal review — Have a lawyer or compliance specialist review the documentation. Verify that all requirements in Article 11 are met.
  6. Establish maintenance processes — Annex IV is not a one-time document. Plan for ongoing updates with every substantial change to the system.

Common mistakes to avoid

  • Waiting too long — The documentation must exist before the system is released. Starting afterwards means risk of gaps and delays.
  • Too vague risk assessment — Describe concrete risks, not just general ones. "Risk of bias" is not sufficient — specify which groups may be affected and what measures have been taken.
  • Insufficient data documentation — Section 5 (data) is often the most deficient. Track data sources, preprocessing, and quality controls from the start.
  • No update plan — Documentation without a lifecycle plan does not meet the requirements. Define when and how the documentation will be updated.
  • Confusing provider and deployer — Annex IV applies to providers. Deployers have other obligations. Ensure the right person in your organization owns the right documentation.

Start creating your documentation

Instead of starting with a blank document, you can use our tool to generate a structured Annex IV draft. Answer questions about your AI system, and we’ll create a complete draft covering all nine sections.

The draft is ready for review by your lawyer or compliance specialist. You can export it as PDF.

Generate your Annex IV draft

Answer questions about your AI system and get a structured documentation draft — ready for review. From €49.

Create documentation

Related guides

EU AI Act: Complete guideOverview of the regulation, risk levels, and who is affected
Risk management system (Article 9)How to build and maintain a risk management system for high-risk AI
Data governance (Article 10)Requirements for training, validation, and testing data
Quality management system (Article 17)Building a quality management system for AI Act compliance