Annex IV Technical Documentation Guide

Annex IV of the EU AI Act specifies the minimum content requirements for the technical documentation that providers must create and maintain for every high-risk AI system. This technical file serves as the primary evidence of compliance — it is what supervisory authorities will request and review during market surveillance activities, and what notified bodies will assess during conformity assessments. The technical file must be drawn up before the AI system is placed on the market or put into service. It must be comprehensive at launch and kept up to date throughout the entire lifecycle of the system — including any modifications made after deployment. The obligation to maintain the file does not end at market placement: it continues for at least 10 years after the system is last placed on the market.

The technical file must begin with a general description of the AI system that gives a supervisory authority sufficient context to understand the system's purpose, capabilities, and limitations before reviewing the more technical sections. This section should include: the intended purpose of the system; the natural persons or categories of persons for whom the system is intended to be used; the geographic markets or territories where the system is to be placed; and a description of the hardware on which the AI system is intended to run.

This is the most technically detailed section of the Annex IV file. It must include a description of the methods and steps used to develop the AI system, including pre-training, training, testing, and validation procedures, as well as the design specifications, training methodologies, techniques, and tools used. For AI systems that learn continuously after deployment, the technical file must describe the mechanisms in place to ensure that training during operation does not result in risks to applicable requirements. This is a significant obligation for providers of adaptive or online learning systems.

The technical file must contain detailed information about the training, validation, and testing datasets used, including: their provenance, scope, and main characteristics; a description of the data labelling methodology; information about the relevant characteristics, limitations, and potential biases; and measures taken to detect, prevent, and mitigate these biases. Data governance documentation is frequently the weakest part of technical files submitted by companies undergoing first-time compliance reviews. Many organisations have incomplete records of their training data — particularly for systems built before the EU AI Act came into force.

The technical file must include detailed testing and validation procedures, including the metrics used to measure accuracy, robustness, and cybersecurity, and the testing results. For high-risk AI systems, testing must be conducted using representative data that reflects the conditions under which the system will be used. This section must demonstrate that the AI system performs at the level claimed in its intended purpose documentation, across the full range of conditions it may encounter in deployment.

The technical file must include the provider's post-market monitoring plan and, for systems placed on the market, a summary of post-market monitoring activities conducted and findings addressed. Over time, this section grows into an audit log of the system's performance in production and the provider's response to emerging risks. Incident reports — formal notifications to supervisory authorities of serious incidents — must also be referenced in the technical file, along with the corrective actions taken in response.