Skip to main content
HashnodeReguliaRegulia

Command Palette

Search for a command to run...

EU AI Act Annex IV: How to Write Technical Documentation for High-Risk AI

Updated
6 min read
EU AI Act Annex IV: How to Write Technical Documentation for High-Risk AI
D
Diego Torres

Article 11 of the EU AI Act requires providers of high-risk AI systems to maintain technical documentation before placing the system on the market. Annex IV defines exactly what this documentation must contain. It's the core evidence package for conformity assessment.

Most providers don't know what's in Annex IV. Here's the full structure with a working template.

What Annex IV Requires

Technical documentation for a high-risk AI system must contain, at a minimum, these sections:

1. General Description of the AI System

  • Intended purpose
  • Provider identity and contact
  • System version
  • Whether it's a safety component or a standalone system
  • Hardware/software interfaces with other systems
  • Versions of relevant software/firmware
  • Instructions for use and installation

2. Detailed Description of Elements and Development Process

System architecture:

  • Design specifications
  • Key algorithms used
  • Data requirements (training, validation, testing sets)
  • System capabilities and limitations
  • Measures to prevent biased outputs

Development methodology:

  • Techniques, approaches, and procedures used
  • Technical specifications (thresholds, parameters, accuracy metrics)
  • Any relevant design choices and rationale
  • Optimization of the system
  • Trade-offs made regarding accuracy, fairness, or privacy

Human oversight design:

  • How the system is designed to enable oversight
  • Technical measures facilitating output interpretation

3. Information About Monitoring, Functioning, and Control

  • Performance metrics and indicators
  • Expected accuracy levels
  • Specific metrics for the intended purpose
  • Known or foreseeable risks
  • Impact on rights, health, safety, environment

4. Description of the Risk Management System (Art. 9)

  • Risk identification methodology
  • Estimation and evaluation approach
  • Measures taken to eliminate or reduce risks
  • Testing procedures
  • Remaining residual risks

5. Description of Changes Made During Lifecycle

  • Version history
  • Nature of changes
  • Updates to risk management
  • Performance changes after updates

6. Standards and Specifications Applied

  • Harmonised standards used (if any)
  • Common specifications applied
  • When no standards applied: explanation of how requirements are met

7. EU Declaration of Conformity

  • Reference to the specific AI system
  • Statement of conformity
  • List of requirements met
  • Provider's signature and date

8. Post-Market Monitoring Plan (Art. 72)

  • Plan for collecting real-world data
  • Metrics monitored post-deployment
  • Procedures for incident reporting
  • Update mechanisms

The Common Mistakes

1. Writing documentation after the fact

Annex IV documentation should be written alongside development, not retrofitted at the end. Why? Because if your development process doesn't generate the required evidence naturally, you can't fabricate it post-hoc without lying.

2. Copy-pasting generic content

"The system uses machine learning algorithms" is useless. Annex IV requires specificity. Name the algorithms. Explain the trade-offs. Document the data.

3. Hiding known limitations

Annex IV requires disclosure of known limitations, foreseeable risks, and impact on rights. Providers who try to hide these create legal liability — the documentation is evidence, and evidence of concealment is worse than evidence of limitations.

4. Skipping the accessibility section

Article 16(l) requires accessibility compliance. Annex IV section 2 (development process) should document how accessibility was considered in the design. Most providers skip this entirely. When auditors check, it's an immediate failure.

5. Static documentation

Annex IV must be kept up to date. Every significant change to the system requires documentation update. Version control and change tracking are not optional.

Template Structure (Copy This)

Here's the template we use in eucompliance:

# Technical Documentation — Annex IV
## EU AI Act (Regulation 2024/1689)

**AI System:** [Name]
**Provider:** [Organization]
**Version:** [e.g., 1.0.0]
**Risk Level:** HIGH
**Date:** [Date]

---

## 1. General Description

**Intended purpose:** [Specific, detailed]
**Description:** [2-3 paragraphs]
**Data types processed:** [List]
**Infrastructure:** [Hardware/software requirements]

## 2. Development Process

### 2.1 Design and Architecture
[Detailed description]

### 2.2 Training Data
- Datasets used
- Data collection process
- Preparation and labelling
- Bias examination results
- Data governance measures

### 2.3 Methodology
- Techniques and procedures
- Tools used
- Validation approach

## 3. Monitoring, Functioning, and Control

### 3.1 Performance Metrics
[Specific metrics with thresholds]

### 3.2 Expected Accuracy
[Numerical targets]

### 3.3 Known Limitations
[Honest disclosure]

## 4. Risk Management (Article 9)

[Full risk management system description]

## 5. Human Oversight (Article 14)

[How the system enables human oversight]

## 6. Accuracy, Robustness, Cybersecurity (Article 15)

[Technical measures]

## 7. Accessibility Compliance (Article 16(l))

**Status:** REQUIRED
[How the system meets EN 301 549 / EAA requirements]
[Link to AAIA report]

## 8. Post-Market Monitoring (Article 72)

[Monitoring plan]

## 9. Standards Applied

- [ ] Harmonised standard: [name/version]
- [ ] Common specification: [reference]
- [ ] EN 301 549 (accessibility)

## 10. Declaration of Conformity

[Formal statement]

Generating the Template Automatically

You can generate an Annex IV skeleton from your AI classification:

import { classify } from '@eucompliance/ai-act-classifier'
import { generateAnnexIV } from '@eucompliance/docs-generator'

const classification = classify({
  name: 'Resume Screener',
  purpose: 'Automated CV screening for recruitment',
  dataTypes: ['personal'],
  affectedPersons: ['employees'],
  decisionMaking: 'semi_automated',
})

const doc = generateAnnexIV({
  systemName: 'Resume Screener',
  provider: 'TechCorp GmbH',
  version: '1.0.0',
  classification,
  description: 'An AI system that screens CVs and ranks candidates.',
  intendedPurpose: 'Automated first-stage screening of job applications.',
  dataTypes: ['personal', 'professional'],
  infrastructure: 'Cloud-based SaaS (AWS EU-West-1)',
  // ... other fields
})

// doc is a Markdown template with all 9 conformity steps as checklists

The template includes placeholders for every required section plus the 9 conformity assessment steps as checkboxes — so you can use it as a living document that tracks your progress toward full compliance.

The Accessibility Section Nobody Writes

Let me emphasize this because it's going to trip up most providers:

Your Annex IV documentation must include a section on how the system complies with Article 16(l).

This section should:

  1. Reference the applicable EN 301 549 clauses
  2. Document which WCAG 2.1 AA criteria the web interface meets
  3. Explain how human oversight controls are accessible
  4. Describe the accessibility testing methodology used (automated + manual)
  5. List known accessibility limitations with remediation timeline
  6. Include the AI Accessibility Impact Assessment (AAIA) as annex

If you've never done an AAIA, our accessibility-bridge package generates one automatically based on your AI system's risk classification and interface type.

When Conformity Assessment Happens

For AI systems under Annex III (most high-risk cases), the conformity assessment uses internal controls (Annex VI). The provider assesses their own conformity. Notified bodies are not mandatory for these systems.

For AI systems under Annex I (regulated products), the conformity assessment must use a notified body.

In both cases, the technical documentation is the primary evidence. If it's incomplete or inaccurate, the conformity assessment fails.

Retention and Updates

  • Retention period: 10 years after placing on the market
  • Update obligation: Whenever significant changes occur
  • Accessibility to authorities: Must be provided on request
  • Language: Must be in a language understood by the competent authority

Checklist Before Submission

Before declaring conformity, verify your Annex IV documentation includes:

  • [ ] All 8 required sections
  • [ ] Specific metrics (not generic statements)
  • [ ] Honest disclosure of limitations
  • [ ] Accessibility compliance section (Article 16(l))
  • [ ] Risk management evidence (Article 9)
  • [ ] Human oversight design (Article 14)
  • [ ] Standards applied (or explanation of alternative approach)
  • [ ] Post-market monitoring plan (Article 72)
  • [ ] Version history
  • [ ] Signed declaration of conformity

Resources

  • EU AI Act Annex IV full textEUR-Lex
  • eucompliance docs-generatornpm
  • Conformity assessment guidance — (pending publication by AI Office)
  • Harmonised standards tracker — CEN-CENELEC

Regulia generates Annex IV technical documentation templates with AI-assisted content based on your system's classification. Try it.

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

R

Regulia

9 posts

The EU compliance blog for SMEs. Articles about EAA accessibility, NIS2 cybersecurity, AI Act governance, and the open source tools that power it all.