Before you place a high-risk AI system on the market, you must prepare a technical documentation file that covers nine categories of information. You keep it for 10 years. Regulators can ask for it at any time during that period. Here is exactly what goes in it.
Technical documentation is one of the eight obligations listed in Art 16(d). Failing to keep it — or keeping documentation that does not reflect the actual system — violates provider obligations under Article 16.
Under Art 99(4), fines reach up to €15,000,000 or 3% of global annual turnover — the lower figure for SMEs. Providing incorrect or misleading information to authorities about the documentation adds a further tier: Art 99(5) (€7,500,000 / 1% — lower for SMEs).
Not sure which documentation obligations apply to your system?
Regumatrix checks your AI system description against the full EU AI Act and returns your risk classification, every Article 11 obligation that fires, the conformity assessment pathway you must follow, and your fine exposure — all with article citations.
Check my obligations — 3 free analysesTiming
Before market placement
Under Art 11(1), technical documentation must be drawn up before the system is placed on the market or put into service. It must also be kept up-to-date throughout the system's lifecycle as component versions, training data, or risk levels change.
Responsible party
The provider
The provider of the high-risk AI system — the company that develops, places on the market, or puts into service the system under its own name or trademark — holds the obligation under Art 16(d). The authorised representative must verify the documentation exists under Art 22.
Retention period
10 years
Under Art 18(1), documentation must be kept available to national competent authorities for 10 years after the system is placed on the market or put into service. Financial institutions integrate this with documentation required under Union financial services law (Art 18(3)).
Regulated products
Single combined document
Under Art 11(2), where the AI system is part of a product covered by Union harmonisation legislation (medical devices, machinery, aviation), one set of documentation covers both the AI Act requirements and the product safety requirements. No need for two separate files.
Article 11(1) says documentation must contain, at a minimum, the elements set out in Annex IV. There are nine top-level sections, each with sub-requirements. "At a minimum" means these are the floor — not a comprehensive ceiling.
General description of the AI system
Intended purpose, provider name, version history. How the system interacts with hardware or other software. Firmware/ software version requirements. All the forms in which the system is placed on the market (packages, downloads, APIs). Hardware the system runs on. Photographs of any product incorporating the AI. The user interface the deployer sees. Instructions for use.
Detailed description of development
Methods and steps used to build the system, including any pre-trained models or third-party tools. Design specifications: the logic of the system, key algorithmic choices, assumptions, what the system optimises for. System architecture and compute resources. Data requirements and training data description: where the data came from, how it was selected, labelling methods, data cleaning. Assessment of human oversight measures needed under Art 14. Description of any pre-determined changes to the system. Validation and testing procedures, metrics, test logs. Cybersecurity measures.
Monitoring, functioning, and control
Capabilities and limitations in performance — including accuracy for specific groups of persons. Foreseeable unintended outcomes and sources of risk to health, safety, fundamental rights, and discrimination. Human oversight measures needed under Art 14 and the technical measures to help deployers interpret outputs. Input data specifications.
Appropriateness of performance metrics
A description of why the performance metrics chosen are appropriate for this specific AI system. Why is accuracy measured the way it is? Why do the thresholds applied match the intended purpose and context of use?
Risk management system
A detailed description of the risk management system in accordance with Art 9. This is not a summary — it must be detailed enough to demonstrate the iterative process: risk identification, estimation, evaluation, and the specific mitigation measures adopted.
Changes made through the system's lifecycle
A description of all relevant changes the provider makes to the system over time. Technical documentation is a living document — it must reflect the system as it actually is at each point, not only as it was when first certified.
Harmonised standards applied (or alternatives)
A list of harmonised standards applied in full or in part, with their Official Journal references. If no harmonised standards covering the relevant requirements exist, a detailed description of the alternative solutions adopted — including any other relevant standards and technical specifications used.
EU declaration of conformity
A copy of the EU declaration of conformity drawn up in accordance with Art 47. This is the formal statement that the system meets all applicable requirements.
Post-market monitoring system
A detailed description of the system in place to evaluate AI performance after the system is deployed, in accordance with Art 72. This must include the post-market monitoring plan required under Art 72(3) — covering what metrics are tracked, how often, and how incidents are identified and escalated.
Article 11(1) provides that SMEs, including start-ups, may provide the Annex IV elements in a simplified manner. The Commission is required to establish a simplified technical documentation form targeted at the needs of small and microenterprises. Two rules apply when using it:
You must use the Commission's form — not a customised simplified version of your own design. Once the Commission publishes the form, SMEs and start-ups who chose the simplified route must use that specific form.
Notified bodies must accept it — any notified body conducting a conformity assessment is required to accept the simplified form. It cannot be rejected on the grounds that it differs from the full Annex IV format.
Full Annex IV documentation remains available to SMEs if they prefer it. The simplified form is a permitted alternative, not a downgraded standard. The underlying requirements — demonstrating compliance with Chapter III Section 2 — remain the same.
Under current Article 11(1), the simplified form is available to SMEs and start-ups only. If COM(2025) 836 is enacted:
The change to Article 17(2) in the same 836 proposal also extends proportionality provisions for quality management systems to SMCs — so the theme is consistent: SMC relief across the board.
Regumatrix tells you which Articles 9–21 obligations apply to your specific system, with article citations, so you can structure your documentation against the exact obligations that fire — rather than preparing a generic file that may miss what regulators will look for.
Get my obligations list — 3 free analysesBefore the system is placed on the market or put into service — not after. Article 11(1) is explicit on this. You cannot prepare it retrospectively once a regulator asks. The documentation must also be kept up-to-date throughout the system's lifecycle.
For 10 years after the high-risk AI system was placed on the market or put into service, under Article 18(1). The documentation must remain available to national competent authorities for the entire period. If your company ceases operation before those 10 years are up, Member States determine the conditions under which availability is maintained.
Yes. Article 11(1) provides that SMEs, including start-ups, may provide the Annex IV elements in a simplified manner using a form the Commission will establish. If your company qualifies as an SME or start-up, you must use that form — you cannot provide a different simplified version of your own design. Notified bodies are required to accept the form for conformity assessment purposes.
No. Under Article 11(2), where a high-risk AI system is part of a product covered by Union harmonisation legislation (such as medical devices or machinery), a single set of technical documentation is drawn up. It must contain all the Article 11 information plus everything required under the applicable product safety legislation. This avoids duplication.
Keeping technical documentation is one of the Article 16 provider obligations. Failure to comply with Article 16 is an infringement under Article 99(4), carrying fines up to €15 million or 3% of global annual turnover — whichever is lower for SMEs. Providing incorrect or misleading information to national competent authorities about documentation also triggers the Article 99(5) tier (€7.5 million / 1%).
COM(2025) 837 proposes no changes relevant to Article 11 technical documentation requirements.
Regumatrix analyses your AI system against all high-risk requirements — including Articles 9–21 — and returns the specific obligations that apply, with article citations, Annex references, and fine exposure under Article 99. Use the output to structure your Annex IV documentation against what regulators will actually check. ~30 seconds, no credit card required.
Start free — 3 analyses included