01 · ARTICLE 11 · THE OBLIGATION
The obligation, before the system goes on sale.
The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to-date.
Regulation (EU) 2024/1689 · Article 11(1) · 13 June 2024
Read the verb tense. Shall be drawn up before. The documentation does not follow the product to market; it precedes it. Read the maintenance clause. Shall be kept up-to-date. The file is not a launch artefact. It is the system's living technical record, walking alongside every retraining, every fine-tune, every integration change, every dataset refresh.
Article 11(1) continues. The documentation shall be drawn up in such a way as to demonstrate that the high-risk AI system complies with the requirements set out in Section 2 of Chapter III, and to provide national competent authorities and notified bodies with the necessary information in a clear and comprehensive form to assess the compliance of the AI system with those requirements. The audience is dual. Notified bodies during conformity assessment under Article 43. National competent authorities during market surveillance under Articles 74 and following.
The documentation shall contain, at a minimum, the elements set out in Annex IV. Small and medium-sized enterprises, including start-ups, may provide the elements of the technical documentation specified in Annex IV in a simplified manner; the Commission shall establish a simplified technical documentation form targeted at the needs of small and microenterprises. Simplified, not omitted. The nine-section structure still applies. The depth of evidence per section is what scales.
Article 11(2) handles the integration case. Where a high-risk AI system is related to a product covered by the Union harmonisation legislation listed in Section A of Annex I, a single set of technical documentation shall be drawn up containing all the information set out in paragraph 1 as well as the information required under those legal acts. The MDR file and the Annex IV file converge into one. The same is true for the Machinery Regulation, the Toy Safety Directive successor, and the rest of the New Legislative Framework family.
Article 11(3) is the delegated-act lever. The Commission is empowered to adopt delegated acts in accordance with Article 97 to amend Annex IV where necessary to ensure that, in the light of technical progress, the technical documentation provides all the information necessary to assess the compliance of the system with the requirements set out in Chapter III, Section 2. Annex IV is not frozen. Section content can shift through delegated act over the lifetime of the regulation.
"Article 12 is what runs in production. Article 11 is what justifies that production exists. Annex IV is the table of contents of that justification."Warrant Compliance · 2026-05-09
02 · ANNEX IV · CHAPEAU
The opening sentence and the nine sections it points at.
The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system:
Regulation (EU) 2024/1689 · Annex IV · chapeau
Three operative phrases. At least sets a floor, not a ceiling. The following information introduces the nine sections. As applicable to the relevant AI system permits some sections to be marked not applicable, with reasons given. Standalone software systems will not have section 1(f) photographs of internal product layout. Systems that apply no harmonised standards still answer section 7, with the alternative-solutions form.
The nine sections, in order:
§ 1
A general description of the AI system.SUB-POINTS · (a)–(h) · 8 fields
§ 2
A detailed description of the elements of the AI system and of the process for its development.SUB-POINTS · (a)–(h) · 8 fields
§ 3
Detailed information about the monitoring, functioning and control of the AI system.NARRATIVE · capabilities, limitations, accuracy, foreseeable risks
§ 4
A description of the appropriateness of the performance metrics for the specific AI system.NARRATIVE · justification of metric choice
§ 5
A detailed description of the risk management system in accordance with
Article 9.
CROSS-REFERENCE · Art. 9
§ 6
A description of relevant changes made by the provider to the system through its lifecycle.NARRATIVE · version control + change rationale
§ 7
A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Chapter III, Section 2, including a list of other relevant standards and technical specifications applied.CROSS-REFERENCE · Art. 40, 41
§ 8
A copy of the EU declaration of conformity referred to in Article 47.CROSS-REFERENCE · Art. 47, Annex V
§ 9
A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 72, including the post-market monitoring plan referred to in Article 72(3).CROSS-REFERENCE · Art. 72
03 · ANNEX IV § 1
§ 1 · A general description of the AI system.
The first section is the cover sheet. It tells the reader what system the file refers to, who places it on the market, what it is meant to do, and how it sits in the wider technical context. The eight sub-points:
1(a)
its intended purpose, the name of the provider and the version of the system reflecting its relation to previous versions.READING · the linchpin of every other section. The intended purpose anchors the risk assessment, the metric selection, the deployer instructions, the post-market plan.
1(b)
how the AI system interacts with, or can be used to interact with, hardware or software, including with other AI systems, that are not part of the AI system itself, where applicable.READING · a single-line answer is not enough. Diagram the integrations. Identify upstream APIs, downstream consumers, hardware in the trust boundary.
1(c)
the versions of relevant software or firmware, and any requirements related to version updates.READING · pinning matters. The Annex IV file is a snapshot. State the runtime, the framework, the model, the firmware, by exact version.
1(d)
the description of all the forms in which the AI system is placed on the market or put into service, such as software packages embedded into hardware, downloads, or APIs.READING · the regulator wants to know how the deployer obtains it. SaaS, container image, on-prem appliance, mobile SDK.
1(e)
the description of the hardware on which the AI system is intended to run.READING · GPU class, memory floor, latency budget. For embedded systems, the silicon. For cloud-only, the deployment topology.
1(f)
where the AI system is a component of products, photographs or illustrations showing external features, the marking and internal layout of those products.READING · physical product systems only. Standalone software providers mark this not applicable, with reason.
1(g)
a basic description of the user-interface provided to the deployer.READING · screenshots, wireframes, API spec. The deployer is the regulated audience here.
1(h)
instructions for use for the deployer, and a basic description of the user-interface provided to the deployer, where applicable.READING · the Article 13 transparency artefact lives here. See the sibling post on Article 13.
04 · ANNEX IV § 2
§ 2 · A detailed description of the elements and the development process.
Section 2 is the engineering document. It is the longest section in any well-built Annex IV file, and the section a notified body will spend the most time on. Eight sub-points:
2(a)
the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how those were used, integrated or modified by the provider.READING · the foundation-model question. State the upstream model, the licence, the modifications, the fine-tune data.
2(b)
the design specifications of the system, namely the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made, including with regard to persons or groups of persons in respect of whom the system is intended to be used; the main classification choices; what the system is designed to optimise for and the relevance of the different parameters; the description of the expected output and output quality of the system; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Chapter III, Section 2.READING · the densest sub-point in Annex IV. It is also where most providers under-document. The trade-off clause is the one notified bodies probe.
2(c)
the description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; the computational resources used to develop, train, test and validate the AI system.READING · architecture diagram with named components, training compute floor, inference compute floor.
2(d)
where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including a general description of these data sets, information about their provenance, scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection).READING · this dovetails with Article 10 on data and data governance. Datasheets in the Gebru/Mitchell sense, plus provenance, plus labelling protocol.
2(e)
assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the deployers, in accordance with Article 13(3), point (d).READING · the bridge to the human-oversight obligations. State which Article 14 oversight pattern is implemented and why.
2(f)
where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Chapter III, Section 2.READING · the continuous-learning lane. If the system retrains itself, this sub-point is where the substantial-modification firewall is described.
2(g)
the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness and compliance with other relevant requirements set out in Chapter III, Section 2 as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f).READING · this is where a serious provider attaches the eval suite. Test logs dated and signed is a specific phrasing. It implies named, accountable signatories. See the sibling post on regulator-grade evals.
2(h)
cybersecurity measures put in place.READING · Article 15(5) is the obligation. Section 2(h) is where it is documented. Threat model, attack surface, defences.
05 · ANNEX IV § 3
§ 3 · Detailed information about monitoring, functioning, control.
Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the deployers; specifications on input data, as appropriate.
Regulation (EU) 2024/1689 · Annex IV § 3
Section 3 is narrative, not lettered. Four substantive content categories sit inside the prose. Capabilities and limitations. Foreseeable unintended outcomes and risk sources. Human oversight measures. Input data specifications.
The accuracy clause is sharper than it reads. Degrees of accuracy for specific persons or groups. Aggregate accuracy is not enough. The provider states accuracy by demographic stratification where the system is intended to be used on persons. This pulls in the disaggregated-evaluation literature directly into the regulatory file.
The risk catalogue is qualitative but bounded. Health and safety. Fundamental rights. Discrimination. The provider does not list every conceivable risk. The provider lists what is foreseeable in view of the intended purpose. A credit-scoring system foresees discriminatory pricing. An employment-screening system foresees protected-class disparities. An education-grading system foresees outcome inequity.
06 · ANNEX IV § 4
§ 4 · Appropriateness of the performance metrics.
A description of the appropriateness of the performance metrics for the specific AI system.
Regulation (EU) 2024/1689 · Annex IV § 4
One sentence. The shortest section in Annex IV. The implication is heavier than the wording. The provider does not just report metrics. The provider justifies the choice of metrics. Why F1 and not AUC. Why calibration error and not accuracy alone. Why subgroup-stratified disparity and not aggregate.
For systems where harm is asymmetric, this is where the asymmetry shows up in the metric design. A medical screening system reports sensitivity at fixed specificity, not balanced accuracy. A fraud-decisioning system reports false-positive rate by customer segment, not raw precision. The regulator reads section 4 to test whether the provider has thought about the link between the metric and the harm.
07 · ANNEX IV § 5
§ 5 · Risk management system, in accordance with Article 9.
A detailed description of the risk management system in accordance with Article 9.
Regulation (EU) 2024/1689 · Annex IV § 5
Section 5 inherits its content shape from Article 9. Article 9 obliges a continuous, iterative process throughout the entire lifecycle, requiring regular and systematic review and update. It runs through identification of known and reasonably foreseeable risks, estimation and evaluation of risks, evaluation of post-market data, and adoption of risk-management measures.
The Annex IV file does not duplicate Article 9; it documents how Article 9 is operationalised for the specific system. The risk register. The methodology for identification. The criteria for risk acceptability. The residual risk statement. The link between risk-management measures and the requirements of Chapter III, Section 2.
For a provider with an ISO/IEC 42001 management system, most of section 5 is produced as a natural artefact of the AI risk-management process clause. For a provider without a management system, section 5 is the section that takes the longest to write from scratch.
08 · ANNEX IV § 6
§ 6 · Relevant changes through the lifecycle.
A description of relevant changes made by the provider to the system through its lifecycle.
Regulation (EU) 2024/1689 · Annex IV § 6
Section 6 is the change log of the technical documentation itself. The kept-up-to-date clause in Article 11(1) lands here. As the system evolves, section 6 records what changed, when, and why.
The threshold for inclusion is relevant. Cosmetic UI changes are not relevant. A model checkpoint refresh that shifts subgroup accuracy is relevant. A training-data top-up is relevant. A change to the human oversight pattern is relevant. A change that crosses into Article 3(23) territory is no longer a section 6 entry; it is a substantial modification, triggering a fresh conformity assessment under Article 43(4).
The documentation discipline section 6 enforces is, in effect, a versioned audit trail of design decisions. The Annex IV file is dated. The system is dated. Section 6 is the join.
09 · ANNEX IV § 7
§ 7 · Standards applied and alternative solutions.
A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Chapter III, Section 2, including a list of other relevant standards and technical specifications applied.
Regulation (EU) 2024/1689 · Annex IV § 7
Section 7 is the conformity-route declaration. Article 40 establishes the presumption of conformity for AI systems in compliance with harmonised standards published in the Official Journal. Article 41 reserves the Commission's power to adopt common specifications where the standardisation request fails or is delayed.
The harmonised standards covering the AI Act are being developed by CEN-CENELEC JTC 21 under standardisation request M/593. ISO/IEC 42001:2023 on AI management systems is the leading candidate for citation. ISO/IEC 23894 on AI risk management, ISO/IEC 23053 on machine-learning frameworks, and the forthcoming European hENs are the rest of the field. As of May 2026 not all standardisation deliverables have been published in the OJEU. Section 7 must therefore be ready in two states. The first lists the harmonised standards applied. The second describes the alternative technical solutions where no harmonised standard has been applied yet.
10 · ANNEX IV § 8
§ 8 · A copy of the EU declaration of conformity.
A copy of the EU declaration of conformity referred to in Article 47.
Regulation (EU) 2024/1689 · Annex IV § 8
Article 47(1) requires the provider to draw up a written, machine-readable, physical or electronically signed EU declaration of conformity for each high-risk AI system, and to keep it at the disposal of the national competent authorities for ten years after the system has been placed on the market or put into service. The declaration states that the high-risk AI system in question meets the requirements set out in Chapter III, Section 2.
The declaration's content is specified in Annex V. Identification of the system, identification of the provider, a statement that the declaration is issued under the sole responsibility of the provider, references to the harmonised standards or common specifications applied, and where applicable identification of the notified body. Section 8 of Annex IV is a copy of that declaration, sealed inside the technical documentation.
By signing the declaration, the provider assumes responsibility for compliance with the requirements set out in Chapter III, Section 2. Article 47(5). The declaration is the legal pivot point of the entire file.
11 · ANNEX IV § 9
§ 9 · Post-market monitoring system and plan.
A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 72, including the post-market monitoring plan referred to in Article 72(3).
Regulation (EU) 2024/1689 · Annex IV § 9
Article 72(1) obliges providers to establish and document a post-market monitoring system in a manner proportionate to the nature of the AI technologies and the risks of the high-risk AI system. The system actively and systematically collects, documents and analyses relevant data which may be provided by deployers or which may be collected through other sources on the performance of high-risk AI systems throughout their lifetime, and allows the provider to evaluate the continuous compliance of AI systems with the requirements set out in Chapter III, Section 2.
Article 72(3) ties the system to a written plan. The plan is part of the technical documentation referred to in Annex IV. The Commission is empowered, under Article 72(3), to adopt an implementing act laying down a template for the post-market monitoring plan and the list of elements to be included.
Section 9 is, in effect, the operational counterpart to the static documentation in sections 1 through 8. Sections 1 through 8 describe the system as it is on the day of placing on the market. Section 9 describes how the provider will know whether that description still holds twelve months later, twenty-four months later, sixty months later. Section 9 is where Article 12 logging surfaces back into the file. The post-market monitoring system reads the logs.
12 · CROSS-REFERENCE WEB
Article 11 + Annex IV is the backbone of the regulation.
The Annex IV file is the document where every other obligation in Chapter III lands. Reading the cross-references is the fastest way to see why Annex IV is described internally as the backbone. Each section calls into a substantive article, and each substantive article expects evidence to land in a specific Annex IV section.
| Lands in |
Calls out to |
What the cross-reference enforces |
| § 2(d) | Article 10 | Data and data governance — datasheets, provenance, labelling, cleaning, bias examination. |
| § 1(h), § 2(e) | Article 13 | Transparency to the deployer — instructions for use, output interpretability. |
| § 2(e), § 3 | Article 14 | Human oversight — measures, technical means, override paths. |
| § 2(g), § 2(h), § 3 | Article 15 | Accuracy, robustness, cybersecurity — metrics, test logs, defences. |
| § 5 | Article 9 | Risk management — continuous lifecycle process. |
| § 7 | Articles 40, 41 | Harmonised standards or common specifications, presumption of conformity. |
| § 8 | Article 47, Annex V | EU declaration of conformity. |
| § 9 | Article 72 | Post-market monitoring system and plan. |
| (referenced) | Article 12 | Logging — surfaces into § 9 as the input to post-market monitoring. |
| (referenced) | Article 17 | Quality management system — wraps the lot. |
| (retention) | Article 18 | 10-year availability to national competent authorities. |
| (produces) | Article 43 | Conformity assessment — Annex IV is what the procedure assesses. |
The picture is clear. Article 11 is the obligation to draw up the file. Annex IV is the structure of the file. Articles 9, 10, 12, 13, 14, 15, 17, 47 and 72 are what the file documents. Article 18 is how long it is kept. Article 43 is how it is reviewed. Strip Annex IV out, and the substantive obligations have no shared written form. Strip the substantive obligations out, and Annex IV is empty headings.
13 · FIELD MAPPING
How Annex IV sections map to Warrant evidence fields.
Warrant produces evidence packages from AI agent execution traces — each package is a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant. The package emits structured fields that map back to Annex IV sections. For Annex IV, the runtime fields surface inside section 9 (post-market monitoring) and feed back into sections 2(g) and 3 on validation, accuracy, and operating envelope.
§ 1(a)
Intended purpose, provider name, system version.FIELD · package.system.{provider, name, version, intended_purpose} sealed at signing time.
§ 2(g)
Validation and testing logs, dated and signed.FIELD · package.eval_runs[*] (timestamp, dataset_id, metrics). Each eval run is a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant.
§ 3
Capabilities, limitations, accuracy, foreseeable risks.FIELD · package.system.capability_envelope plus per-trace package.actions[*].risk_assessment.
§ 5
Risk management system in accordance with Article 9.FIELD · package.governance.risk_register_ref pointer plus per-trace residual-risk evaluation.
§ 6
Relevant changes through lifecycle.FIELD · package.system.change_log[*] (version, timestamp, change_type, rationale). Append-only, independently verifiable without contacting Warrant.
§ 9
Post-market monitoring system and plan, Article 72(3).FIELD · per-trace evidence packages, each a record mapped to a specific EU AI Act obligation and independently verifiable without contacting Warrant. The post-market monitoring stream is the running, append-only artefact.
W
Sample EU evidence package · Warrant registerRECORD MAPPED TO AN EU AI ACT OBLIGATION · INDEPENDENTLY VERIFIABLE
→ /v/7de85ceaeac42a47
14 · 42001 BRIDGE
The harmonised-standards bridge · ISO/IEC 42001.
Section 7 of Annex IV asks for a list of harmonised standards applied. As of May 2026 the harmonised-standards landscape under standardisation request M/593 is in flight. The published Type-A horizontal standard expected to anchor the framework is ISO/IEC 42001:2023, the AI management system standard.
An ISO/IEC 42001-aligned management system produces, as natural artefacts, large fractions of Annex IV sections 5 (risk management), 6 (lifecycle change), 7 (standards applied), and 9 (post-market monitoring). The 42001 clauses on context establishment, leadership and commitment, risk and impact assessment, and operational planning and control align cleanly with the Article 9 risk-management content that section 5 expects.
For providers without a management system in 2026, the cleanest path to a defensible Annex IV file before the application date is to scope a 42001-aligned management system around the high-risk AI system, document it, and back-fill the Annex IV sections from the management-system artefacts. The sibling post on ISO/IEC 42001 walks through this in detail.
15 · FAQ
Questions a compliance officer asks first.
Do I need to file the Annex IV documentation with anyone, or is it for inspection?
The technical documentation is not filed with any authority on a routine basis. Article 11 obliges the provider to draw it up before placing the system on the market and to keep it up to date. It is presented when a notified body conducts a conformity assessment under Article 43, when a national competent authority requests access under Article 21, or when post-market surveillance is exercised under Articles 79 and following. Separately, the provider registers the abridged Annex VIII dataset in the EU database under Article 71 before placing the system on the market.
How does Annex IV interact with ISO/IEC 42001?
ISO/IEC 42001 is the AI management system standard expected to provide a presumption of conformity once cited as a harmonised standard under Article 40. Annex IV section 7 requires the provider to describe which harmonised standards have been applied. A 42001-aligned management system produces most of the section 5 risk management description and section 6 lifecycle change description as natural artefacts.
Can the Annex IV file be a single document or must it be a folder?
The regulation does not prescribe a format. It prescribes content. A single PDF is acceptable. A versioned folder of cross-referenced documents is acceptable. What matters is that the nine sections are addressed in a clear and comprehensive form, the document set is identifiable as the technical documentation for that specific system version, and the provider can produce it on request. Article 11(1) requires the form to be clear and comprehensive enough to assess compliance.
What is the retention period for the Annex IV technical documentation?
Article 18(1) requires the provider to keep the technical documentation, the documentation concerning the quality management system referred to in Article 17, the documentation concerning changes approved by notified bodies, the decisions and other documents issued by the notified bodies, and the EU declaration of conformity referred to in Article 47, at the disposal of the national competent authorities for ten years after the AI system has been placed on the market or put into service.
Who reviews the Annex IV file in a conformity assessment?
For most Annex III high-risk systems Article 43 permits the provider to follow the conformity assessment procedure based on internal control set out in Annex VI. Where a notified body is involved, including for biometric systems under Annex III(1) where the provider has not applied harmonised standards, the notified body designated under Article 31 reviews the technical documentation as part of the procedure under Annex VII.
Can I redact trade secrets from the Annex IV documentation?
Article 78 imposes a confidentiality obligation on national competent authorities, the Commission, market surveillance authorities, notified bodies, and other natural or legal persons involved in the application of the regulation, in respect of information and data obtained, including for the protection of intellectual property rights and confidential business information or trade secrets. The provider does not redact at source. The provider supplies the full documentation and relies on the statutory confidentiality obligation.
What is the difference between the Annex IV file and the Annex VIII registration?
Annex IV is the full technical documentation, kept by the provider, surfaced on request. Annex VIII is the abridged dataset registered in the EU database referred to in Article 71, including provider identity, system trade name, intended purpose, and a description of the components and functions. Annex VIII registration is public for most fields. Annex IV is not.
Does Annex IV apply to general-purpose AI model providers under Articles 53-55?
Annex IV is the technical documentation specification for high-risk AI systems under Article 11. General-purpose AI model providers carry a separate technical documentation obligation under Article 53(1)(a) with content specified in Annex XI, and supply downstream-provider documentation under Article 53(1)(b) with content specified in Annex XII. A general-purpose model integrated into a high-risk AI system is pulled into the integrating provider's Annex IV perimeter.
16 · READ THE SOURCE
Read the source directly.
Authored by Warrant Compliance, the regulatory-analysis function at Warrant. [email protected]. Editorial commentary on regulatory text. Not legal advice. The verbatim quotations of Article 11 and Annex IV reflect the official English-language text of Regulation (EU) 2024/1689 as published in the Official Journal of the European Union on 12 July 2024.
WARRANT