What documents are needed for Annex IV? A complete reference for providers
Annex IV of the EU AI Act lists the technical documentation every high-risk AI system provider must produce. This guide breaks down each requirement and explains what regulators expect to see.
Overview of Annex IV sections
Annex IV is divided into several sections covering: (1) a general description of the AI system, (2) a detailed description of the elements and development process, (3) monitoring, functioning, and control of the system, (4) risk management, (5) changes throughout the lifecycle, and (6) the standards applied or other means used to demonstrate conformity. Each section requires specific deliverables with evidence.
The documentation must be kept up to date throughout the system's lifecycle and for 10 years after the system is placed on the market (Article 18). This is not a one-time filing β it is a living technical file that regulators can request at any time.
Section-by-section requirements
Section 1 (General description): intended purpose, provider identity, system version, hardware requirements, product integration details, and user instructions. Section 2 (Development): design specifications, system architecture, training methodologies, data sets used (with origin, scope, and characteristics), validation and testing procedures with results. Section 3 (Monitoring): capabilities for human oversight, logging functions, and computational resource requirements during deployment.
Section 4 (Risk management): the complete risk management process including identified risks, residual risks and their acceptability, and risk mitigation measures. Section 5 (Lifecycle changes): description of all changes made during the system's lifecycle. Section 6 (Standards): list of harmonised standards applied, and where no harmonised standards exist, a description of the solutions adopted to meet requirements. Each section must contain traceable evidence, not just statements of intent.
Practical tips for SMEs
Start with a documentation inventory: map what you already have (model cards, test reports, architecture diagrams) to Annex IV sections. You likely have 40β60% of the content scattered across internal tools β the challenge is structuring and filling the gaps. Prioritise Section 2 (development details) and Section 4 (risk management) as these are typically the most scrutinised by notified bodies.
Use version-controlled templates rather than Word documents. Every update should be timestamped and linked to the system version it describes. ActLoom's Annex IV module provides a structured template that maps each field to the regulation, auto-populates from your system registry, and tracks evidence freshness so nothing goes stale.