Loading…
Loading…
If your AI system falls under Annex III (high-risk) of the EU AI Act (Regulation 2024/1689), you must produce a defined set of documentation before placing it on the EU market — the Article 11 / Annex IV technical file, a lifecycle risk-management record (Art. 9), data-governance records (Art. 10), and a conformity-assessment trail (Art. 43). These high-risk obligations were originally set for 2 August 2026, but the EU's 2026 Digital Omnibus has postponed them — the phased roll-out now extends toward 2 December 2027 for standalone Annex III systems (still being finalised, so verify the exact date for your system class). The documentation burden has not gone away: you still need the technical file, the risk-management system, and the conformity-assessment trace, and they take months to build — so start now.
This guide explains what is required, then shows how to generate the architecture and compliance documentation that supports your conformity assessment — drafted from your own system, not a blank template. It is not legal advice.
Free risk classifier · free first architecture audit · no signup
The EU AI Act applies to providers and deployers whose AI systems are placed on the market or used in the EU — including providers based outside the EU. The obligations scale with risk. A small number of practices are prohibited outright (Art. 5). Most of the documentation burden falls on high-risk systems listed in Annex III. Limited-risk systems carry transparency duties (Art. 50), and minimal-risk systems have no mandatory obligations.
The first thing to establish, therefore, is your risk tier — because it determines exactly which documents you owe. A five-minute self-assessment with the free EU AI Act risk classifier maps your system to a tier and the specific articles that apply.
If your AI operates in one of these areas and targets the EU market, it is most likely high-risk and carries the full documentation obligation.
AI used to screen CVs, rank candidates, allocate tasks, or evaluate performance and promotion. One of the most widely deployed high-risk categories.
AI that evaluates the credit score of natural persons or decides access to financial services (with narrow exceptions for fraud detection).
AI used in medical diagnosis, prognosis, triage, or clinical decision support — frequently also regulated as a medical device.
AI as a safety component in the management and operation of energy, water, gas, transport, and digital infrastructure.
AI that determines access to education, evaluates learning outcomes, or monitors and detects prohibited behaviour during exams.
AI used in policing, evidence assessment, border control, asylum processing, or to assist judicial authorities — subject to the strictest oversight.
These four obligations carry most of the documentation weight for an Annex III system. Each must exist — and be kept current — before the system reaches the EU market.
A technical file covering all eight Annex IV sections: a general description of the system, its design and development, the monitoring and control logic, the risk-management measures, the data and data-governance practices, the validation and testing performed, and the post-market plan. It must be drawn up before the system is placed on the market and kept up to date.
A continuous, documented process that identifies and analyses the foreseeable risks to health, safety, and fundamental rights, then specifies the mitigation measures. It runs across the entire lifecycle, not as a one-time sign-off, and the record is part of the evidence an assessor reviews.
Documentation of the training, validation, and testing data sets — their provenance, the data-governance practices, examination for bias, and the measures taken to address it. Gaps here are a common reason high-risk documentation is sent back.
Before market placement, a high-risk system goes through a conformity assessment — self-assessment for most Annex III systems, or a notified body where required — ending in an EU Declaration of Conformity and CE marking. Registration in the EU database (Art. 71) and a post-market monitoring plan (Art. 72) complete the picture.
Each has a place. Law firms advise on your obligations; templates hand you empty files; Archiet drafts the documentation from your system so you start from a populated first draft — then review it with your advisor.
Archiet generates the documentation that supports your conformity assessment. It is not legal advice and does not make your system compliant — you and a qualified advisor review and own the result.
What this is — and what it is not
This page and Archiet's tools provide structured information and generated documentation to support your EU AI Act work. They do not constitute legal advice and do not, on their own, make any system compliant. Regulation 2024/1689 contains nuanced provisions, recitals, and delegated acts that affect your obligations. Consult a qualified EU AI Act legal advisor before making any regulatory filing or compliance decision.
Classify your risk tier for free, then run a free instant architecture audit that maps your system to compliance concerns and returns a shareable, evidence-backed report. When you need the full document set — the risk-tier assessment, the Article 11 / Annex IV technical documentation, transparency obligations, the conformity-assessment checklist, and the post-market monitoring plan — the Architect plan pairs the generated artifacts with a dedicated solution architect.
Free risk classifier and first audit · the Architect plan delivers the full documentation set for compliance-heavy builds.
For a high-risk system under Annex III, Regulation 2024/1689 requires: technical documentation covering all eight sections of Annex IV (Article 11); a documented, lifecycle-long risk-management system (Article 9); data-governance records for the training, validation, and testing data (Article 10); evidence of accuracy, robustness, and cybersecurity (Article 15); a record of the conformity assessment (Article 43); an EU Declaration of Conformity (Article 47) and CE marking (Article 49); registration in the EU database (Article 71); and a post-market monitoring plan with serious-incident reporting (Articles 72–73). The technical documentation must exist before the system is placed on the EU market.
Annex III lists the high-risk use cases: employment, recruitment, and worker management; creditworthiness and credit scoring; medical and healthcare decision support; critical infrastructure (energy, water, transport, digital) where AI is a safety component; access to education and vocational training; law enforcement, border control and migration, and the administration of justice; and certain biometric identification and categorisation systems. If your AI operates in one of these areas and targets the EU market, it is most likely high-risk and carries the full documentation burden.
The Regulation entered into force on 1 August 2024 and applies in phases. Prohibited-practice bans applied from 2 February 2025, and general-purpose AI model obligations began on 2 August 2025. The high-risk Annex III obligations — the technical documentation, risk management, and conformity assessment — were originally set for 2 August 2026, but the EU has moved to postpone them: the Commission published the Digital Omnibus on AI on 19 November 2025, and the Council and Parliament reached a provisional political agreement in May 2026 to defer standalone Annex III high-risk obligations to 2 December 2027 (and AI embedded in regulated products under Annex I to 2 August 2028). Treat 2 December 2027 as the working target while the amending regulation is formally adopted, and verify the exact date for your specific system class — but do not wait: the documentation itself (the Article 11 / Annex IV technical file, the Article 9 risk-management system, the Article 43 conformity-assessment trace) takes months to build, so the extra runway is preparation time, not a reason to stop.
Start by classifying your system’s risk tier (prohibited, high-risk, GPAI, limited, or minimal). For a high-risk system, map each Annex IV section to evidence in your actual system — the architecture, the data pipeline, the human-oversight controls, the monitoring. Draft the technical file (Article 11), the risk-management record (Article 9), and the data-governance documentation (Article 10), then run the conformity assessment (Article 43). The fastest route to a first draft is to generate the architecture and compliance documentation from your system description, then have a qualified EU AI Act advisor review it before any regulatory filing.
No — and any tool that claims to make you compliant should be treated with caution. Compliance is a legal determination that depends on your specific system, deployment, and a conformity assessment. What Archiet does is generate the architecture and compliance documentation that supports your conformity assessment: a free instant architecture audit that maps your system to compliance concerns, a free EU AI Act risk classifier that identifies your tier and the articles that apply, and — on the Architect plan — the full set of documentation artifacts (risk-tier assessment, the Article 11 / Annex IV technical documentation, transparency obligations, the conformity-assessment checklist, and the post-market monitoring plan). You and a qualified legal advisor review and own the result; the documentation is not legal advice.
Yes. Two free, no-signup surfaces get you moving: the EU AI Act risk classifier (archiet.com/tools/eu-ai-act-risk-classifier) tells you which tier and which articles apply in about five minutes, and the instant architecture audit (archiet.com/audit-my-architecture) returns an evidence-backed traceability report mapping your architecture to compliance concerns in about fifteen seconds. Both produce a shareable result you can forward to your team or advisor.