§ AI Act TOPICAL

Technical documentation under Annex IV

The technical file is the deliverable that travels through every audit. Here is what Annex IV actually requires.

Summary

Annex IV is the contents specification for the technical documentation that every high-risk AI system must have. It is nine numbered sections that map onto Articles 9 through 15, plus the post-market monitoring under Article 72. The purpose is to let a market surveillance authority assess conformity from the documentation alone, without re-running the development.

The Annex IV file is typically the largest single deliverable in the entire AI Act compliance program. Done well, it is a single living artifact maintained alongside the codebase. Done poorly, it is a 200-page PDF assembled at the last minute that does not actually reflect what was built.

For Annex I products (medical devices, machinery, vehicles), the Annex IV content is integrated into the existing sectoral technical file under Article 43(3). For Annex III stand-alone systems, the Annex IV file is freestanding.

Who this applies to

Providers of high-risk AI systems, technical writing teams, regulatory affairs, integration with MDR Annex II / IVDR Annex II for medical AI.

Compliance deadline

2 August 2026 — high-risk AI system obligations apply. The Digital Omnibus (Council + Parliament agreed positions, March 2026) may shift this to 2 December 2027 for Annex III systems and 2 August 2028 for Annex I products. Until the amending regulation is published in the Official Journal, plan for 2 August 2026.

§ Key articles

What the law says

Article 11(1)

Technical documentation must be drawn up before the system is placed on the market.

Article 11(2)

Annex IV is the contents specification.

Article 11(3)

SMEs and start-ups may use a simplified form (Article 12 implementing act).

Annex IV §1

General description of the system.

Annex IV §2

Detailed description of design and development.

Annex IV §3

Information about data.

Annex IV §4

Description of monitoring, control, and validation.

Annex IV §5

Risk management measures.

Annex IV §6

Description of changes through the lifecycle.

Annex IV §7

Standards applied.

Annex IV §8

Copy of the EU declaration of conformity.

Annex IV §9

Description of post-market monitoring.

§ Detail

In depth

The nine sections of Annex IV

General description of the AI system. Intended purpose, name and version, persons who developed it, hardware/software requirements, instructions for use.
Detailed description of design and development. Methods used, design choices, computational resources, training and validation procedures, key design decisions.
Information about the data. Provenance, scope, characteristics, quality controls, governance, cleaning and labelling procedures, bias-mitigation measures.
Detailed description of monitoring, functioning, and control of the AI system. Capabilities and limitations, expected performance levels, foreseeable unintended outcomes, human oversight measures, technical measures for output interpretation.
Description of risk management measures and the risk-management system per Article 9. Risk register, residual risk, acceptability rationale.
Detailed description of relevant changes made through the lifecycle. Version control of training data, models, validation; significant-modification analysis under Article 43(4).
List of harmonised standards applied in full or in part, references published in the OJEU; or, where harmonised standards are not applied, a description of solutions adopted to meet the requirements.
Copy of the EU declaration of conformity per Article 47.
Detailed description of the system in place to evaluate the AI system performance in the post-market phase per Article 72.

How to structure the file in practice

The simplest workable structure mirrors Annex IV section-by-section. Each section is a living document maintained in the company's documentation system (Confluence, Notion, an IRP, a Git-based docs repo). At each significant release:

Each section gets a version stamp and change log.
The risk register (Section 5) is updated to reflect any new risks or mitigations.
The data section (Section 3) is updated for any change in training data or governance.
Section 6 (changes through lifecycle) gets the new version's significant-modification analysis.

What auditors actually inspect

Across the three notified bodies that have published preliminary AI Act audit guidance, the focus areas are:

Section 3 (data). Whether the bias-testing methodology actually ran on the data described, with documented results across protected characteristics and edge cases.
Section 4 (functioning). Whether the stated limitations are realistic — auditors test the system against documented edge cases.
Section 5 (risk). Whether residual risks and mitigations form a coherent chain — every Article 9 risk traceable to a mitigation traceable to an Article 10/14/15 implementation.
Section 6 (changes). Whether significant modifications between audits would have triggered re-assessment under Article 43(4).
Section 9 (post-market). Whether the post-market plan is operating, with evidence of input/output flowing.

Trade secrets and IP

Article 78 protects trade secrets in the documentation that authorities access. Providers can mark proprietary methodology, model weights, and architectural details as confidential. The technical-documentation requirement does not require disclosure of training-data sources to the public; the Annex IV file is shared with the relevant authority on request, not published. Article 13 instructions for use are deployer-facing and may be published; Annex IV §3 details remain inside the provider's compliance file.

SME and start-up simplification

Article 11(3) directs the Commission to adopt an implementing act setting up a simplified Annex IV form for SMEs and start-ups. As of April 2026 that implementing act is in preparation and not yet published; SMEs draft against full Annex IV until the simplified form lands. The substantive obligations do not change — only the structure of presentation.

§ Action items

Practical steps

Mirror the Annex IV nine-section structure in your documentation system; maintain it as a living artifact, not a release-time PDF.

Version-stamp each section so auditors can trace what was true at each release.

For each Article 9 risk in Section 5, link to the specific Article 10/14/15 implementation that addresses it.

Maintain Section 6 (changes through lifecycle) at every significant release; pre-write the significant-modification analysis under Article 43(4).

Mark trade-secret material under Article 78; do not publish Annex IV §3 details that are proprietary.

§ What Fontvera found

Documents in our corpus

ai_office EU Fetched 2026-04

EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence

ai_office EU Fetched 2026-04

AI Act | Shaping Europe’s digital future

eiopa EU Fetched 2026-04

Opinion on Artificial Intelligence governance and risk management

eurlex EU Fetched 2026-04

EUR-Lex: 32025R0454 (2025-03-07)

eurlex EU Fetched 2026-04

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance)

ai_office EU Fetched 2026-04

AI Act Annex III: High-Risk Use Cases

ai_office EU Fetched 2026-04

AI Act Article 71: EU Database for High-Risk AI Systems

ai_office EU Fetched 2026-04

AI Act Article 57: AI Regulatory Sandboxes

§ Cross-references

Related Fontvera intelligence

Need a cross-border briefing on this?

Search Fontvera ↵ Run the AI Act diagnostic

AI Act enforcement

97 days

until 2026-08-02, when most AI Act provisions begin to apply.