What documentation does the EU AI Act require?
- The central document is the Annex IV technical documentation proving the system meets the requirements.
- Providers also supply instructions for use; high-risk systems must keep automatic logs.
- Conformity records (declaration of conformity, CE marking, EU database registration) are required before market.
- Some deployers must complete a fundamental rights impact assessment before use.
- Current as of June 2026. This is general information, not legal advice.
Technical documentation
The central document is the technical documentation, broadly described in Annex IV. It must show that a high-risk system meets the Act's requirements and be detailed enough for authorities to assess compliance. It typically covers the system's purpose and design, its development process, the data used, the risk management measures, performance and accuracy, human oversight, and the steps taken for robustness and cybersecurity. It is prepared before the system is placed on the market and kept current.
Instructions for use
Providers must give deployers clear instructions for use: what the system does, its intended purpose, its capabilities and limitations, the human oversight measures, and the conditions for correct and safe use. This is what allows a deployer to meet its own obligations.
Records and logs
High-risk systems must automatically record events over their lifetime. These logs support traceability, help detect when a system is operating outside expected parameters, and underpin post-market monitoring. Deployers must keep the logs that are under their control.
Conformity records
For high-risk systems, the provider draws up an EU declaration of conformity, completes the conformity assessment, affixes the CE marking where applicable, and registers the system in the EU database. These records evidence that the assessment was done and the system may be placed on the market.
Fundamental rights impact assessment
Certain deployers of high-risk systems, particularly public bodies and some private entities providing essential services, must carry out a fundamental rights impact assessment before putting the system into use, considering the impact on the people affected and the measures to mitigate it.
The practical challenge
The documents are individually clear, but keeping them accurate and consistent across a changing AI estate is the hard part. A model update, a new data source, or a change of use can make a technical file out of date, and a disclosure that no longer matches reality is worse than none. The organisations that handle this well generate each document from the live state of the system, so that when the system changes, the affected documents are flagged for review rather than silently drifting out of date.
Key terms
- Annex IV
- The annex setting out the contents of the technical documentation for a high-risk AI system.
- Instructions for use
- The provider's information to deployers explaining purpose, capabilities, limits, and oversight.
- Logs
- Automatic records of events generated by a high-risk system over its operational life.
- Declaration of conformity
- The provider's signed statement that a high-risk system meets the Act's requirements.
- FRIA
- Fundamental rights impact assessment carried out by certain deployers before putting a high-risk system into use.