EU AI Act Annex IV: Technical Documentation Requirements
AI Law · EU AI Act Compliance
EU AI Act Annex IV: What Technical Documentation High-Risk AI Providers Must Prepare
Every high-risk AI provider knows Annex IV exists. Few have a complete document. Here are the 8 required elements — with a readiness tracker to identify your gaps.
1
What Annex IV is and who needs it
Article 11 · provider obligation · timing
2
8 required elements
Complete structure with sub-items
3
Documentation readiness tracker
Mark what’s done · live score
4
Get Annex IV prepared
WCR Legal · EU AI Act compliance
5
Common questions
ISO 42001 · updates · notified body
!
ISO 42001 is not Annex IV
Different documents · different purpose
Section 1
What Is Annex IV and Who Needs It?
Annex IV of the EU AI Act defines the mandatory structure of technical documentation that providers of high-risk AI systems must prepare under Article 11. This is not a governance policy or management system document. It is a system-specific technical file — one per AI system — that regulators, notified bodies, and market surveillance authorities can request at any time. The enforcement deadline is August 2, 2026. See also our NIST / ISO 42001 / EU AI Act services for how Annex IV fits into your broader compliance architecture.
Annex IV — 3 Key Framing Points
Before you start writing: understand the object, the obligor, and the timing
Article 11
1
Object
Per-system document, not an organisational policy
Annex IV documentation is specific to a single AI system — its architecture, training data, test results, performance metrics, and intended use. It is not an AI policy, an AIMS document, or a general governance statement. If you operate three high-risk AI systems, you need three separate Annex IV technical documentation files. There is no single document that covers all systems.
2
Who is obliged
Provider obligation only — deployers do not prepare Annex IV
Under the EU AI Act, it is the provider — the entity that develops and places the AI system on the market — who must prepare and maintain Annex IV documentation. Deployers (organisations that use a high-risk AI system developed by a third party) are not required to prepare Annex IV. However, deployers should verify that their providers hold compliant Annex IV documentation before deployment, as this affects their own exposure under Article 26. If you modify a third-party system’s intended purpose, you may assume provider obligations for those changes.
3
Timing
Before market placement — and continuously updated
Annex IV documentation must be complete before the high-risk AI system is placed on the EU market or put into service. It is not a post-deployment exercise. Following deployment, the documentation must be kept up to date: any change to the system that affects its conformity — version updates, retraining, changes to intended purpose — requires the technical documentation to be updated accordingly. Market surveillance authorities can request it at any time, without notice.
Section 2
The 8 Required Elements of Annex IV
The following elements are mandated by Annex IV. Each must be addressed in the technical documentation file for every high-risk AI system in scope. Missing or incomplete elements will fail regulatory review.
1
Annex IV § 1
General Description
Intended purpose · versions · hardware
Intended purpose of the system and specific use cases in scope
Version information and version history of the system
Hardware and software requirements for deployment
Description of the categories of natural persons or groups intended to use the system
Interaction with other systems where applicable
2
Annex IV § 2
Design & Development
Architecture · methodology · design choices
Design specifications and overall architecture of the AI system
Training methodology and techniques used
Key design choices made and the rationale behind them
Description of the system components and development environment
Computational resources used during development and deployment
3
Annex IV § 3
Training Data
Sources · governance · bias mitigation
Description of training, validation, and test datasets used
Data sources and data collection methodologies
Data governance and data management practices applied
Bias examination measures and mitigation steps taken
Known data limitations and how they were addressed
4
Annex IV § 4
Testing & Validation
Datasets · methodologies · known limitations
Testing and validation datasets used and their characteristics
Testing methodologies applied and the rationale for selection
Results of testing including performance outcomes
Known limitations identified during testing
Testing conducted in real-world conditions where applicable
5
Annex IV § 5
Performance Metrics
Accuracy · robustness · cybersecurity
Performance metrics established for the system (accuracy, error rates, recall)
Robustness measures and resilience against errors and inconsistencies
Cybersecurity measures and protection against adversarial attacks
Performance thresholds and acceptable risk tolerances
Benchmarks used and comparison against baseline performance
6
Annex IV § 6
Human Oversight
Built-in mechanisms · intervention capability
Human oversight measures built into the system design
Capability for a natural person to monitor, interrupt, and override the system
Technical interfaces enabling human intervention
Documentation of how oversight measures were validated
Roles and competencies required to exercise oversight effectively
7
Annex IV § 7
Instructions for Use
For deployers · capabilities · limitations
Instructions provided to downstream deployers for correct use
Clear description of system capabilities and known limitations
Foreseeable misuses and warnings against them
Information needed for deployers to implement human oversight
Contact details of the provider for post-market support
8
Annex IV § 8
Changes & Versions
Version control · post-market monitoring plan
Version control records and change history of the system
Description of changes made and their conformity impact assessment
Post-market monitoring plan and data collection strategy
Serious incident reporting procedures and timelines
Process for updating documentation following material changes
Section 3
How Complete Is Your Annex IV Documentation?
Click each element to mark it as documented. Your readiness score and status update in real time. Use this as a gap identification tool — anything unmarked is an open item before August 2, 2026.
Annex IV Documentation Tracker
Click each element to mark it documented
0 / 8
General description of the AI system
Intended purpose, versions, hardware & software requirements, user categories
§ 1
Design and development documentation
Architecture, training methodology, key design choices and rationale
§ 2
Training data description and governance
Data sources, governance practices, bias examination and mitigation
§ 3
Testing and validation results
Test datasets, methodologies, outcomes, known limitations
§ 4
Performance metrics and robustness measures
Accuracy, error rates, cybersecurity measures, performance thresholds
§ 5
Human oversight mechanisms
Built-in oversight measures, intervention interfaces, competency requirements
§ 6
Instructions for use (for deployers)
Capabilities, limitations, foreseeable misuses, oversight implementation guidance
§ 7
Version control and post-market monitoring plan
Change history, conformity impact assessment, monitoring strategy, incident reporting
§ 8
ISO 42001 is not Annex IV
ISO 42001 organisational documentation is not the same as Annex IV technical documentation. Your AIMS certifies your organisation’s governance system. Annex IV documents a specific AI product’s architecture, data, testing, and performance. You need both — for different regulatory purposes. See: Does ISO 42001 Satisfy EU AI Act Requirements?
Need help preparing Annex IV documentation? WCR Legal prepares system-specific Annex IV technical files for high-risk AI providers before the August 2026 deadline.
Start Documentation Review
Prepare Your Annex IV Documentation Before August 2026
WCR Legal prepares Annex IV technical documentation files for high-risk AI providers — structured, audit-ready, and aligned with EU AI Act requirements. We cover all 8 elements per system. See our NIST / ISO 42001 / EU AI Act services and AI Governance & Risk practice.
FAQ
Annex IV Documentation — Common Questions
For high-risk AI system classification questions, see our EU AI Act high-risk SaaS classification guide. For AI governance strategy, see our AI Governance & Risk practice.
Frequently Asked Questions
Click a question to expand
1
How long must Annex IV documentation be retained after the AI system is withdrawn from the market?
+
Under Article 18 of the EU AI Act, providers must retain Annex IV technical documentation for a period of 10 years after the high-risk AI system has been placed on the market or put into service. This retention obligation applies regardless of whether the provider is still active, whether the system is still in use, or whether the company has been acquired or restructured. Documentation must be made available to national competent authorities on request throughout this period. This has significant implications for data retention architecture and corporate restructuring planning.
2
Does every software update to a high-risk AI system require an Annex IV update?
+
Not every update, but substantive changes that affect the system’s conformity with the EU AI Act require the technical documentation to be updated before the changed system is placed on the market or put into service. The EU AI Act distinguishes between minor updates (bug fixes, security patches) and changes that affect the system’s intended purpose, performance characteristics, risk profile, or the accuracy of existing documentation. Providers should establish a change management process that includes a conformity impact assessment for each update — documenting whether a documentation update is required and why.
3
Can a single Annex IV document cover multiple versions of the same AI system?
+
A single Annex IV document can cover multiple versions of an AI system if it is structured to address each version clearly — with the version history, changes between versions, and conformity impact assessments documented in the changes and versions section (Annex IV §8). However, if versions differ substantially in architecture, training data, performance characteristics, or intended purpose, separate Annex IV documentation for each distinct system configuration is the safer approach. Market surveillance authorities expect documentation that can be matched unambiguously to the specific system they are reviewing.
4
Does a deployer need to see the provider’s Annex IV documentation?
+
Deployers are not entitled to receive the full Annex IV technical documentation — which may contain commercially sensitive technical details — but they are entitled to the information they need to fulfil their own obligations under Article 26. Specifically, providers must supply deployers with: instructions for use (Annex IV §7), information about the system’s capabilities and limitations, guidance on how to implement human oversight measures, and information relevant to any FRIA the deployer may need to conduct. Deployers should contractually require this information from providers before deployment and verify its completeness. See our high-risk SaaS classification guide for provider vs deployer role analysis.
5
Does Annex IV documentation need to be submitted to any authority before deployment?
+
For most high-risk AI system categories, Annex IV documentation is not submitted proactively — it is held by the provider and made available on request by national competent authorities or notified bodies. However, there are exceptions: for certain Annex III categories that require notified body involvement under Article 43 (such as biometric identification systems), the notified body will review relevant technical documentation as part of the conformity assessment. Additionally, registration in the EU AI database under Article 71 requires submission of specific information about the system — not the full Annex IV file, but information drawn from it. Providers should treat their Annex IV documentation as audit-ready at all times from the date of market placement.
Post Comment