EU AI Act Technical Documentation: Article 11 and Annex IV Explained
Article 11 requires providers to draw up technical documentation before launch. Annex IV sets nine mandatory sections. Deadline: 2 December 2027.
Before a high-risk AI system can be placed on the EU market or put into service, its provider must draw up technical documentation. Article 11 of Regulation (EU) 2024/1689 states the obligation; Annex IV specifies what must be in it. The two work together: Article 11 is the lock, Annex IV is the key.
This is not a voluntary framework. Without a complete Annex IV file, a high-risk AI system cannot pass the conformity assessment under Article 43, cannot carry CE marking under Article 48, and cannot legally launch. The documentation is also what a notified body reads when it reviews your system — it is the primary evidence against which compliance is judged.
The deadline for stand-alone high-risk systems (the Annex III list) is 2 December 2027, deferred from the original 2 August 2026 date under the Digital Omnibus agreed in May 2026. For high-risk AI embedded in regulated products under Annex I (medical devices, machinery, etc.), the date is 2 August 2028. That is breathing room, not a reprieve — assembling a complete Annex IV file for a non-trivial system takes months.
What Article 11 Actually Requires
Article 11 does three things. First, it imposes the obligation on providers — the entities that develop a high-risk AI system and place it on the market or put it into service under their own name or trademark. Deployers are not obligated to produce the documentation; they receive it.
Second, Article 11 sets the timing: documentation must be drawn up before market placement or commencement of service. It is not something you assemble retrospectively after the conformity assessment.
Third, Article 11 requires the documentation to be kept up to date. Any change to the system — architecture, training data, intended purpose, operational parameters — must be reflected in the file. A static document that describes version 1.0 while the system is running on version 3.2 is non-compliant.
Under Article 18, providers must retain the documentation for ten years from the date the system is last placed on the market. That ten-year clock matters: it means the file must survive product sunset, company restructurings, and potentially changes in cloud provider or document system.
Annex IV: The Nine Required Sections
Annex IV sets out nine sections. The documentation must contain at least these elements — a notified body may ask for more, but the nine are the non-negotiable minimum.
Section 1 — General description of the AI system. The intended purpose, the version and version history, and the hardware and software environment in which the system is designed to operate. This is the anchor: every other section is understood in relation to what the system does and where it runs.
Section 2 — Detailed description of the elements and the development process. This is the longest section in practice. It covers: the methods and steps used to develop the system; the design specifications; the training, validation, and testing data (their characteristics, origin, labelling and collection methodologies); the human oversight measures built into the system during development; and the results of the validation and testing, including the measures taken to identify, prevent and mitigate foreseeable misuse.
The data sub-element is where many providers under-document. Article 10 governs data governance separately, but Annex IV section 2 requires the technical documentation to summarise it: where data came from, how representative it is, what processing was applied, how bias was assessed and addressed.
Section 3 — Detailed description of the monitoring, functioning and control of the AI system. This covers the capabilities and limits of the system's performance, including accuracy, robustness, and cybersecurity as required by Article 15. It also addresses how the system's outputs are generated and what their reliability looks like.
Section 4 — Description of the appropriateness of the performance metrics. You must not only report metrics — you must justify why those particular metrics are the right ones for the system's intended use. A provider that picks accuracy as its sole metric for a system operating in a sensitive context (say, recidivism scoring) without explaining why that is appropriate will struggle here.
Section 5 — Description of the risk management system. This incorporates the output of the Article 9 process: the risk identification methodology, the assessment of probability and severity of harms, the mitigation measures, and the residual risk. The Article 9 risk management system and the Annex IV documentation are not two separate workstreams — the risk file sits inside the technical documentation.
Section 6 — Description of any change made to the system through its lifecycle. All post-market modifications — algorithm updates, retraining on new data, changes to deployment conditions — must be recorded here. This is how the documentation stays current and how a notified body can reconstruct the system's history.
Section 7 — List of the harmonised standards applied. Where you have applied harmonised European standards (EN series) or common specifications issued by the Commission, those are listed here. Where you have diverged from a standard or no applicable standard exists, you document how compliance was achieved by other means.
Section 8 — Copy of the EU declaration of conformity. The Article 47 declaration belongs inside the technical documentation file. The two documents are issued together: the declaration is the formal statement; the technical file is what backs it up.
Section 9 — Detailed description of the post-market monitoring plan. The plan required under Article 72 — how you will track real-world performance, collect incident data, and feed findings back into the risk management system — is documented here before launch. It should specify monitoring frequency, the data sources you will draw on, and the thresholds that would trigger a design review or incident report under Article 73.
The Article 11 / Article 43 / Annex IV Relationship
These three provisions are often conflated. Getting them straight matters for project planning.
Article 11 is the obligation: draw up and maintain technical documentation.
Annex IV is the contents: the nine sections that document must contain.
Article 43 is the conformity assessment: the procedure that reviews whether you have met all the obligations, using the technical documentation as the primary evidence.
A notified body conducting an Article 43 assessment does not generate your technical documentation — it reads it. If the file is thin, incomplete, or self-contradictory, the assessment fails. The documentation work must be done first.
Most Annex III high-risk systems (with the exception of biometric systems, which generally require the Annex VII notified-body route) may use the Annex VI internal conformity assessment procedure — meaning the provider self-assesses rather than instructing a notified body. But the documentation requirements under Article 11 and Annex IV are identical regardless of the assessment route taken.
Simplified Documentation for Smaller Providers
Article 11(3) allows micro, small, and medium-sized enterprises — as defined by EU law — to provide some of the Annex IV elements in a simplified form. The Commission has powers to adopt specific guidance on what "simplified" means in practice.
This is not an exemption from Article 11 obligations. The nine sections are still required. Simplified form means the level of detail and technical elaboration can be proportionate to the scale and complexity of the system, not that the sections can be omitted. A five-person start-up developing a CV-screening tool still needs a risk management section; the question is what depth is sufficient given the system's complexity.
If you are an SME considering the simplified route, document your size classification explicitly and note which elements you have provided in simplified form. This pre-empts questions from a notified body or market surveillance authority.
How Confir Helps
Confir generates the Annex IV technical documentation pack — what we call the AITR (Data & Technical Robustness assessment) — through a structured intake questionnaire. The engine is deterministic and rule-based: the same answers produce the same output, the same rules fire for the same conditions, and the reasoning is human-readable rather than opaque.
The output covers all nine Annex IV sections and can be used as the working draft for your Article 11 file. Because the logic is rule-based, providers can explain why a particular section was populated the way it was — which is exactly what an auditor or notified body will ask.
AITR is one of four assessment areas in Confir's compliance workflow. The others are AIRC (risk classification under Articles 5 and 6), AITO (transparency and human oversight under Articles 13 and 14), and AIGM (governance and post-market monitoring under Articles 9, 72, and 73).
Frequently Asked Questions
What is the difference between Article 11 and Annex IV?
Article 11 is the legal obligation: it requires providers of high-risk AI systems to draw up technical documentation before placing the system on the market and to keep it up to date. Annex IV is the content specification: it lists the nine sections the documentation must contain. The obligation and the template are in separate places in the Regulation but are inseparable in practice. Think of Article 11 as the duty and Annex IV as the filing cabinet you must fill.
Who is required to draw up Article 11 technical documentation — providers or deployers?
Providers. Article 11 places the obligation on the entity that develops the high-risk AI system and places it on the market or puts it into service under its own name or trademark. Deployers receive the documentation from providers and must make it available to competent authorities on request, but they do not produce the Annex IV file. Note that under Article 25, a deployer who substantially modifies a system or rebrands it becomes a provider — at which point the documentation obligation transfers to them.
How long must the technical documentation be retained?
Article 18 sets a ten-year retention period from the date the system is last placed on the market or put into service. This is not five years — a figure that appeared in some earlier guidance — but ten. The ten-year window is long enough to span multiple product generations and means providers need a durable document management system, not a shared drive that gets archived.
What happens if the technical documentation is incomplete at conformity assessment?
The conformity assessment under Article 43 cannot be completed. Without a complete Annex IV file, a notified body has no basis to issue a conformity report, and the provider cannot issue the Article 47 Declaration of Conformity or affix CE marking under Article 48. The system cannot lawfully go to market. Beyond the market-access block, operating a high-risk system without the required documentation exposes the provider to fines of up to €15 million or 3% of total worldwide annual turnover under Article 99(4).
Can smaller companies use a simplified version of the documentation?
Yes. Article 11(3) permits micro, small, and medium-sized enterprises to provide some Annex IV elements in a simplified form, proportionate to the scale and complexity of their system. This is not an exemption — all nine sections are still required — but the depth of technical elaboration can be adapted. The Commission has powers to adopt specific guidance on simplified documentation; check the EU AI Office for the latest published templates and implementing acts.
Does the technical documentation need to be updated after the system goes live?
Article 11 explicitly requires the documentation to be kept up to date throughout the system's lifecycle. Any change that affects the system's performance, risk profile, intended purpose, training data, or architecture must be reflected in the file before the changed system is deployed. Section 6 of Annex IV — lifecycle changes — is where these updates are recorded, creating an auditable history that regulators and notified bodies can reconstruct.
What is the relationship between the technical documentation and the post-market monitoring plan?
Annex IV section 9 requires the post-market monitoring plan to be included inside the technical documentation. The plan — which specifies how you will track real-world performance, collect data on incidents, and feed findings back into the risk management system — must exist before the system launches, not after. Article 72 governs the post-market monitoring obligation itself; Article 73 governs the reporting of serious incidents to authorities. Both are downstream of the plan documented under section 9.
Related guides
- Annex IV documentation requirements
- Article 11 full requirements
- minimum documentation elements
- Article 14 human oversight
- Article 9 risk management
- Article 12 record-keeping obligations
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →