EU AI Act Requirements: Technical Documentation and Conformity Assessments
Why This Topic Is Important
The EU AI Act is the world's first comprehensive legal framework specifically designed to regulate artificial intelligence. Within this framework, technical documentation and conformity assessments are two of the most critical compliance mechanisms for organizations developing or deploying AI systems, particularly those classified as high-risk. Understanding these requirements is essential for AI governance professionals because they represent the practical, enforceable obligations that organizations must meet to legally place AI systems on the EU market. For anyone preparing for the AIGP (Artificial Intelligence Governance Professional) certification, this topic sits at the intersection of legal compliance, risk management, and operational governance — making it a frequently tested area.
What Are Technical Documentation and Conformity Assessments?
Technical Documentation
Technical documentation under the EU AI Act refers to a comprehensive set of records that providers of high-risk AI systems must create and maintain before placing the system on the market or putting it into service. The documentation must demonstrate that the AI system complies with the requirements set out in the Act. It serves as the evidentiary backbone of compliance.
According to the EU AI Act (particularly Annex IV), technical documentation must include:
• General description of the AI system: Its intended purpose, the name and version of the system, how it interacts with hardware or software, and the forms in which it is placed on the market.
• Detailed description of the elements of the AI system and its development process: Including methods and steps taken for development, design specifications, system architecture, data requirements, and computational resources used.
• Information about training, validation, and testing data: Data governance measures, data preparation approaches (labeling, cleaning), data provenance, the characteristics of datasets, known limitations, and how data was obtained.
• Information about the system's performance: Metrics used, known foreseeable risks to health, safety, and fundamental rights, and risk mitigation measures applied.
• Detailed description of the risk management system: How risks were identified, analyzed, estimated, and evaluated throughout the AI system's lifecycle.
• Description of the monitoring, functioning, and control mechanisms: Including human oversight measures built into the system.
• Description of the quality management system: The procedures, policies, and frameworks the provider has in place to ensure ongoing compliance.
• A description of changes made throughout the lifecycle: Version control and change management documentation.
• Relevant harmonised standards or other technical specifications applied.
• EU declaration of conformity.
• Post-market monitoring plan.
Technical documentation must be kept up to date and available for inspection by national competent authorities for a period of 10 years after the AI system has been placed on the market or put into service.
Conformity Assessments
A conformity assessment is the process by which a provider of a high-risk AI system demonstrates — before placing the system on the market — that the system meets all the requirements of the EU AI Act. It is a formal, structured evaluation that may be conducted internally or by an independent third party (a notified body), depending on the type of AI system and the sector in which it operates.
There are two main types of conformity assessment procedures under the EU AI Act:
1. Internal conformity assessment (self-assessment): The provider conducts its own assessment of the AI system's compliance with the Act's requirements. This is the default path for most high-risk AI systems listed under Annex III of the Act (e.g., AI used in employment, education, law enforcement, migration management, essential services).
2. Third-party conformity assessment: This involves an independent notified body evaluating the AI system. This path is required for certain high-risk AI systems that are safety components of products already covered by existing EU harmonisation legislation (listed under Annex I), where third-party assessment is already mandated under that legislation (e.g., medical devices, machinery, aviation). It is also required for remote biometric identification systems used in publicly accessible spaces by law enforcement (an Annex III system where third-party assessment is explicitly required).
How Conformity Assessments Work in Practice
The conformity assessment process generally follows these steps:
1. Classification: Determine whether the AI system is high-risk (based on Annex I or Annex III).
2. Compliance with requirements: Ensure the system meets all Chapter 2 requirements of the Act, including risk management, data governance, transparency, human oversight, accuracy, robustness, and cybersecurity.
3. Prepare technical documentation: Compile all required documentation as specified in Annex IV.
4. Establish a quality management system: Implement policies and procedures as required by the Act.
5. Conduct the assessment: Either internally or via a notified body, verify that all requirements are met.
6. Draw up the EU Declaration of Conformity: A formal declaration stating that the AI system complies with the requirements of the Act.
7. Affix the CE marking: Indicates conformity with EU legislation, making the system eligible for placement on the EU market.
8. Register in the EU database: High-risk AI systems must be registered in the EU-wide public database before being placed on the market.
Key Relationships and Concepts
• Provider obligations: The provider (the entity that develops or has an AI system developed and places it on the market) bears the primary responsibility for conformity assessments and technical documentation.
• Deployer obligations: Deployers (users of high-risk AI systems) must use systems in accordance with instructions and monitor performance, but they do not conduct the conformity assessment themselves.
• Notified bodies: Independent organizations designated by EU Member States to carry out third-party conformity assessments. They must meet strict independence and competence criteria.
• Post-market monitoring: Conformity is not a one-time event. Providers must establish post-market monitoring systems and update documentation and assessments when substantial modifications are made to the AI system.
• Substantial modification: A change to the AI system after placing it on the market that affects its compliance with the Act's requirements or modifies its intended purpose. Substantial modifications trigger a new conformity assessment.
• CE marking: The visible indicator that the AI system has undergone the required conformity assessment and meets EU requirements.
• EU Declaration of Conformity: Must contain information identifying the provider, the AI system, a statement of conformity, references to relevant harmonised standards, and must be kept for 10 years.
How This Differs from Other Frameworks
Unlike frameworks such as the NIST AI RMF (which is voluntary and risk-based) or the OECD AI Principles (which are aspirational), the EU AI Act's technical documentation and conformity assessment requirements are legally binding. Non-compliance can result in fines of up to €35 million or 7% of global annual turnover, whichever is higher, depending on the violation. This makes it the most consequential AI governance framework from an enforcement perspective.
Exam Tips: Answering Questions on EU AI Act Technical Documentation and Conformity Assessments
1. Know the distinction between Annex I and Annex III systems: Annex I systems are high-risk because they are safety components of products governed by existing EU harmonisation legislation. Annex III systems are stand-alone high-risk AI systems in sensitive domains (employment, education, law enforcement, etc.). The conformity assessment pathway differs between them.
2. Remember the default is self-assessment: For most Annex III high-risk AI systems, the provider conducts an internal conformity assessment. Third-party assessment via a notified body is the exception, not the rule — it applies primarily to Annex I systems where existing sectoral legislation requires it, and to remote biometric identification systems.
3. Memorize the key contents of Annex IV: Questions may ask what must be included in technical documentation. Focus on: system description, development process, data governance, performance metrics, risk management, human oversight measures, and the quality management system.
4. Understand the 10-year retention requirement: Both the technical documentation and the EU Declaration of Conformity must be kept for 10 years after the system is placed on the market.
5. Substantial modifications trigger re-assessment: If a question presents a scenario where an AI system has been significantly changed (e.g., retrained on new data that changes its performance characteristics or its intended purpose has changed), recognize that a new conformity assessment is required.
6. Link technical documentation to other obligations: Technical documentation is not an isolated requirement — it supports transparency obligations, enables effective oversight by authorities, feeds into the risk management system, and is reviewed during conformity assessments. Questions may test your understanding of how these pieces fit together.
7. Distinguish provider vs. deployer responsibilities: The provider is responsible for creating technical documentation and conducting the conformity assessment. The deployer is responsible for using the system as intended, conducting fundamental rights impact assessments (where applicable), and cooperating with authorities. Do not confuse these roles in exam questions.
8. Watch for trick answers regarding voluntary vs. mandatory: Unlike many AI governance frameworks, the EU AI Act requirements are mandatory. If an answer choice suggests that technical documentation or conformity assessments are optional or best-practice recommendations, it is incorrect.
9. Know the enforcement penalties: Questions may reference the penalty structure. The highest fines (€35 million / 7% turnover) apply to violations involving prohibited AI practices. Requirements related to high-risk AI systems (including documentation and conformity assessments) can attract fines of up to €15 million or 3% of global annual turnover.
10. Understand the role of harmonised standards: The EU AI Act allows the use of harmonised standards to demonstrate compliance. If a provider follows relevant harmonised standards, there is a presumption of conformity with the requirements covered by those standards. This is a common exam topic.
11. Practice scenario-based reasoning: The AIGP exam often presents practical scenarios. When you encounter a question about a company developing an AI-powered medical device for the EU market, for example, you should identify it as a high-risk system (likely under Annex I, as medical devices are covered by existing EU legislation), recognize that third-party conformity assessment may be required, and know that comprehensive technical documentation per Annex IV is mandatory.
12. Remember the CE marking: After successful conformity assessment, the CE marking must be affixed to the AI system (or its packaging/accompanying documentation). This is the final step before market placement and signals compliance to regulators and users alike.
By mastering these concepts and their interconnections, you will be well-prepared to handle any question on EU AI Act technical documentation and conformity assessments in the AIGP examination.
