Skip to main content
HashnodeComplizo

Command Palette

Search for a command to run...

Your Customer's Compliance Team Just Asked for Your "Annex IV Technical Documentation" — Here's Exactly What Goes In It

Published
7 min read
A
Ari Volcoff

The questionnaire arrived on Tuesday. Section 3, Question 11:

"Please attach your full Annex IV technical documentation for your AI system, as required under Article 11 of Regulation (EU) 2024/1689."

The CTO of a 30-person SaaS company stared at the cell. They had a system architecture diagram, a Notion page about the model, and a one-pager their head of AI had once written for an investor. Was that "Annex IV technical documentation"? Probably not.

They had four working days to respond. The deal was worth €180,000 in ARR.

This question — "send us your Annex IV technical documentation" — is now appearing on European procurement questionnaires every week. Buyers learned the term from their own legal counsel. They expect a real answer. Here is exactly what Annex IV asks for, what to write in each section, and what to do if you do not yet have it.

Why Annex IV Exists (And Why It Is Not Optional)

Article 11 of the EU AI Act requires every provider of a high-risk AI system to draw up technical documentation before the system is placed on the market, and to keep that documentation up to date. Annex IV of the Act lists the minimum content of that documentation.

Two things to understand up front.

First, Annex IV is not a marketing document. It is the file a regulator (or a customer's auditor) opens when something goes wrong. The level of specificity is closer to a certification report than a product brochure.

Second, Annex IV is mandatory if your AI system is classified as high-risk under Annex III. If you are a B2B SaaS company in HR tech, fintech credit scoring, education, healthcare, or any other Annex III category, this is not optional. Article 11(1) is explicit: providers "shall draw up the technical documentation."

If you are not high-risk, you are not legally required to produce Annex IV. But your customer may still ask. Many enterprise buyers now request Annex IV-style documentation as a procurement default, regardless of your classification, because their compliance team finds it the fastest way to assess vendor AI risk.

The 9 Sections of Annex IV — and What Each One Means

Annex IV is structured as nine numbered sections. The Act uses formal language; here is what each section actually requires.

Section 1 — General description of the AI system

What it asks: a clear description of the AI system's intended purpose, the people who developed it, the date and version, the form in which it is placed on the market (SaaS, on-prem, embedded), and how it interacts with hardware or other software.

What to write: 1–2 paragraphs covering the system name, version, who built it, what it does, and where it runs.

Section 2 — Detailed description of the elements of the AI system and its development process

What it asks: the methods used to develop the system, the design specifications, the system architecture, the data requirements, the human oversight measures, and any pre-determined changes to the system.

What to write: a system architecture diagram, a description of the model type (transformer, gradient-boosted trees, neural net, etc.), the input data schema, the output schema, and a list of components (frontend, backend, model, vector store, retrieval layer).

Section 3 — Detailed information about the monitoring, functioning, and control of the AI system

What it asks: capabilities and limitations in performance, expected accuracy levels, foreseeable unintended outcomes, sources of risks to health, safety, and fundamental rights, and the human oversight measures in place.

What to write: a list of known failure modes (hallucinations, drift, miscalibration on specific subgroups), the accuracy metric you measured at training time, the threshold below which the system should not be used, and the human-in-the-loop checkpoints in your product flow.

Section 4 — Description of the appropriateness of the performance metrics

What it asks: why the metrics you chose are appropriate for the system's intended purpose.

What to write: if your AI ranks job candidates, you need a metric beyond accuracy — usually a fairness metric across protected groups. Justify why you picked it.

Section 5 — Detailed description of the risk management system

What it asks: a description of the risk management system required by Article 9.

What to write: how you identify, evaluate, and mitigate risks across the AI lifecycle. This is a process description, not a list of risks.

Section 6 — Description of relevant changes made by the provider through the lifecycle

What it asks: a log of material changes to the system since launch.

What to write: a versioned changelog with the date, what changed (model, training data, threshold, UI), and the impact assessed.

Section 7 — List of harmonised standards applied

What it asks: which European harmonised standards (when published) you applied, in full or in part.

What to write: today most of these standards are still being drafted by CEN-CENELEC. If you applied none, write "no harmonised standards applied at the time of publication." Do not invent compliance with standards you did not apply.

Section 8 — Copy of the EU declaration of conformity

What it asks: the formal declaration referred to in Article 47.

What to write: the declaration is a one-page document signed by your company stating that the AI system conforms to the requirements of the Act. A template is provided in Annex V.

Section 9 — Detailed description of the post-market monitoring plan

What it asks: the post-market monitoring plan required by Article 72 — what you measure, how often, and what triggers a review.

What to write: the metric you track in production, the cadence (weekly, monthly), the threshold that triggers review, and how customers are notified if a material issue is found.

What Annex IV Is Not

Annex IV is not a SOC 2 report. It is not your privacy policy. It is not your security whitepaper. It is not a screenshot of your admin panel.

Buyers' compliance teams send vendors all four of those documents back marked "non-responsive" and ask again, more sharply, for actual Annex IV. If you have ever received a follow-up email saying "this is not what we asked for," that is why.

What to Do If You Do Not Yet Have It

Here is a sequence that works for a 10–50 person SaaS company.

  1. Decide whether your system is high-risk. Look at Annex III categories. If yes, Annex IV is mandatory. If unclear, document your reasoning and assume yes.
  2. Inventory every AI feature in your product. Each AI feature is a candidate AI system. Some can be grouped, some cannot.
  3. For each AI feature, write a short Section 1 (general description). This alone unlocks 80 percent of customer questionnaire answers.
  4. Draft Sections 2 and 3 next. These are the sections customers actually read closely.
  5. Sections 4–9 can be drafted iteratively over the next quarter. Send what you have so far when asked, and tell the buyer when the rest will be ready.

Most B2B SaaS companies under 100 employees can produce a usable Annex IV in 5–7 working days if a product owner, a head of engineering, and a writer block the time.

What to Send the Buyer Today

If a customer asks for Annex IV technical documentation tomorrow and you do not have it yet, this is a defensible response:

"We are completing our Annex IV technical documentation in line with Article 11 of the EU AI Act. We can share Sections 1, 2, and 3 today (general description, system architecture and development process, and capabilities and limitations including known failure modes and human oversight measures). The remaining sections (risk management description per Article 9, changelog, harmonised standards, EU declaration of conformity per Article 47, and post-market monitoring plan per Article 72) are scheduled to be complete by [date] and we will share them as they are finalised. Please find Sections 1–3 attached."

This works because it is specific, it cites the right Articles, and it gives the buyer's compliance team something to put in their file today.

A vague answer ("yes, we are working on it") almost always loses the deal. A specific, partial answer almost always keeps it open.

The Question Behind the Question

When a buyer asks for Annex IV, they are not really asking for a 50-page document. They are asking three things:

  1. Have you actually thought about the risks of your AI system?
  2. Can you describe your system precisely enough that we trust you understand what you ship?
  3. Will you be able to answer when our regulator audits us through you?

A founder-led, specific, accurate Annex IV answers all three. A boilerplate one answers none.

The August 2 2026 deadline for high-risk AI obligations is not abstract anymore. It is the date your enterprise customer's compliance team has circled. If you can hand over a real Annex IV before they ask twice, you win the deal. If you cannot, the next vendor in their pipeline will.

Try Complizo free at complizo.com — paste your first questionnaire and get answers traceable back to the AI features you actually ship.

#b2b#compliance#eu-ai-act#saas

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

Complizo

87 posts