Documentation | 7 min read | 15 May 2026

Does My AI System Need an Annex IV Technical File? A Complete Guide

What is an Annex IV technical file?

Annex IV of Regulation (EU) 2024/1689 specifies the technical documentation that providers of high-risk AI systems must prepare before placing their system on the market.

It is the formal record that proves your AI system meets EU AI Act requirements. Regulators can request it at any time.

Who needs an Annex IV technical file?

You need an Annex IV technical file if:

  1. You are a provider (you built the AI)
  2. Your system qualifies as high-risk under Annex III

Annex III high-risk categories:

  • Biometric identification systems
  • AI in critical infrastructure
  • Educational or vocational training AI
  • Employment and workforce management AI
  • Access to essential private and public services (including credit scoring)
  • Law enforcement AI
  • Migration and border control AI
  • Administration of justice AI

If you are a deployer using OpenAI or Anthropic APIs to build a general-purpose application, you likely do not need a full Annex IV file — but you do have Article 26 deployer obligations.

The 8 sections of Annex IV

Section 1: General description

What it requires:

  • Intended purpose of the AI system
  • Version information
  • Hardware and software requirements
  • Which Annex III category applies

What it looks like in practice:

"System Name: [Name]. Provider: [Company]. Version: 1.2.3. Intended purpose: automated resume screening for employment decisions. Annex III: Section 4(a) — AI used in employment."

Section 2: Development process

What it requires:

  • Methods and steps used to develop the system
  • Design choices and their justification
  • System architecture description

Section 3: Monitoring and control

What it requires:

  • Capabilities and limitations
  • Foreseeable risks and unintended outputs
  • Human oversight mechanisms
  • Input data specifications

Section 4: Performance metrics

What it requires:

  • Metrics used to evaluate the system
  • Why these metrics are appropriate

Section 5: Risk management system

What it requires:

  • Documentation of the risk management process per Article 9
  • Risk register with identified risks, mitigations, and residual risks

Section 6: Lifecycle changes

What it requires:

  • Description of changes made across the system's lifetime
  • Change log or release history

Section 7: Standards applied

What it requires:

  • List of harmonized standards used
  • Any other technical specifications

Common standards to list:

  • ISO/IEC 42001:2023 (AI management systems)
  • ISO/IEC 23894:2023 (AI risk management)
  • prEN 18286 (QMS for AI)

Section 8: EU Declaration of Conformity

What it requires:

  • Signed declaration that the system meets Annex IV requirements
  • Must reference the technical file

How complete does it need to be?

For the August 2026 enforcement deadline, the documentation must be complete enough to demonstrate compliance to a market surveillance authority.

In practice: Sections 1, 2, 3, and 5 are the most critical. An incomplete Section 4 or 6 is less likely to trigger enforcement than a missing risk management system.

How EU ACT Guard helps with Annex IV

When you run a scan on EU ACT Guard, we automatically generate a draft Annex IV technical file based on:

  • What we find in your code (libraries, architecture, oversight mechanisms)
  • Your questionnaire answers (purpose, risk category, data practices)
  • Your privacy policy (legal basis, data subjects)

The draft covers all 8 sections with your actual system details pre-filled. It is a starting point for your legal team, not a final document.
