
Annex IV Technical Documentation

Detailed Annex IV documentation template aligned with Art. 11 and related EU AI Act obligations.

Category: High-Risk Documentation • Risk level: High

Annex IV Technical Documentation Template (EU AI Act)

Legal basis: Annex IV + Art. 11 and related obligations (EU AI Act 2024/1689)
Use case: High-risk AI systems requiring structured technical documentation
Document owner: [Name / Role]
Document version: [vX.Y]
Last updated: [YYYY-MM-DD]


0) Document Governance

  • System name: [System]
  • Unique system identifier: [ID]
  • Provider legal entity: [Entity]
  • Documentation owner: [Name]
  • Review cycle: [Monthly/Quarterly]
  • Approval authority: [Role]
  • Linked files repository: [URL/path]

Guidance: Annex IV documentation must be controlled, versioned, and auditable.


1) General Description of the AI System

1.1 Intended purpose: [Describe core purpose]
1.2 Scope of use: [In-scope/out-of-scope]
1.3 Target users/operators: [Who uses it]
1.4 Affected persons/groups: [Who is impacted]
1.5 Deployment context: [Sector/region/process]
1.6 Lifecycle stage: [Development/pilot/production]
1.7 Functional boundaries: [What it does not do]
1.8 Foreseeable misuse summary: [Known misuse scenarios]

Common mistake: vague purpose statements that cannot be audited.


2) Design Specifications and Architecture

2.1 System architecture overview (diagram reference): [Ref]
2.2 Core components/modules: [List]
2.3 Model type(s): [Classifier/LLM/ranker/etc.]
2.4 Input channels and interfaces: [APIs/UI/streams]
2.5 Output formats and confidence signals: [Format]
2.6 Decision logic and thresholds: [Rules]
2.7 External dependencies/vendors: [List]
2.8 Infrastructure environment: [Cloud/on-prem]

Guidance: include enough detail for technical and regulatory review.


3) Development Process and Validation

3.1 Development methodology: [SDLC/MLOps approach]
3.2 Data split strategy: [Train/validation/test]
3.3 Performance metrics used: [Precision/recall/etc.]
3.4 Acceptance thresholds: [Threshold table]
3.5 Robustness/stress testing summary: [Results]
3.6 Adversarial or misuse testing summary: [Results]
3.7 Human evaluation steps: [Who/when]
3.8 Known limitations and failure modes: [List]

Related article: Art. 15 (accuracy, robustness and cybersecurity).
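Sections 3.3 and 3.4 ask for metrics and an acceptance threshold table, and check 10 asks that technical claims be evidenced by test artifacts. The following is an added example (not part of the template, and not any provider's code) of turning a threshold table into a machine-checkable acceptance gate: precision and recall are computed from a constructed labelled evaluation set, overall and per subgroup, and compared against floors. The threshold values, subgroup names and evaluation records are assumptions made for illustration. Note the edge case: a subgroup with no positives yields an undefined metric, which the gate reports as insufficient data and treats as a failure rather than silently passing.

```python
from collections import defaultdict

# Acceptance thresholds (assumed values for illustration; the real table is
# whatever section 3.4 of the provider's documentation states).
OVERALL_THRESHOLDS = {"precision": 0.80, "recall": 0.75}
SUBGROUP_THRESHOLDS = {"precision": 0.70, "recall": 0.70}

# Constructed evaluation records: (true_label, predicted_label, subgroup).
# Subgroup "C" deliberately contains no positive cases.
EVAL_SET = [
    (1, 1, "A"), (1, 1, "A"), (0, 0, "A"), (0, 1, "A"), (1, 0, "A"),
    (1, 1, "B"), (0, 0, "B"), (0, 0, "B"), (1, 1, "B"), (0, 0, "B"),
    (1, 1, "B"), (1, 1, "B"),
    (0, 0, "C"), (0, 0, "C"),
]


def confusion_counts(records):
    """Return (tp, fp, fn) for binary labels."""
    tp = fp = fn = 0
    for y, y_hat, _group in records:
        if y_hat == 1 and y == 1:
            tp += 1
        elif y_hat == 1 and y == 0:
            fp += 1
        elif y_hat == 0 and y == 1:
            fn += 1
    return tp, fp, fn


def metrics(records):
    """Precision/recall, or None where the denominator is zero (undefined)."""
    tp, fp, fn = confusion_counts(records)
    precision = tp / (tp + fp) if (tp + fp) else None  # no positive predictions
    recall = tp / (tp + fn) if (tp + fn) else None     # no actual positives
    return {"precision": precision, "recall": recall, "n": len(records)}


def check(values, thresholds):
    """Compare each metric with its floor. An undefined metric is reported as
    'insufficient_data' and counts as a failure (conservative default)."""
    result = {}
    for name, floor in thresholds.items():
        v = values[name]
        if v is None:
            result[name] = "insufficient_data"
        else:
            result[name] = "pass" if v >= floor else "fail"
    return result


def acceptance_gate(records, overall=OVERALL_THRESHOLDS,
                    per_group=SUBGROUP_THRESHOLDS):
    """Evaluate overall and per-subgroup thresholds; 'accepted' is True only
    if every check passes. The returned dict is the test artifact to file."""
    overall_metrics = metrics(records)
    report = {
        "overall": {"metrics": overall_metrics,
                    "checks": check(overall_metrics, overall)},
        "groups": {},
    }
    by_group = defaultdict(list)
    for rec in records:
        by_group[rec[2]].append(rec)
    for group, recs in sorted(by_group.items()):
        m = metrics(recs)
        report["groups"][group] = {"metrics": m, "checks": check(m, per_group)}
    all_checks = [report["overall"]["checks"]]
    all_checks += [g["checks"] for g in report["groups"].values()]
    report["accepted"] = all(status == "pass"
                             for c in all_checks for status in c.values())
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(acceptance_gate(EVAL_SET), indent=2))
```

With the constructed data the overall metrics clear their floors, but subgroup A misses the per-group floor and subgroup C cannot be evaluated, so the gate rejects the release; that per-group breakdown is exactly what an auditor reading 3.4 against 4.6 will ask for.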


4) Data Requirements and Governance

4.1 Data sources and provenance: [Source list]
4.2 Data collection method: [Method]
4.3 Data relevance/representativeness checks: [Method]
4.4 Data quality metrics: [Completeness, consistency]
4.5 Labeling and annotation controls: [Process]
4.6 Bias detection/testing approach: [Method]
4.7 Data cleaning and preprocessing pipeline: [Summary]
4.8 Data retention/deletion policy: [Policy]
4.9 Personal data handling and GDPR interfaces: [Summary]

Related article: Art. 10 (data and data governance).


5) Risk Management and Control Measures

5.1 Risk management framework reference: [Doc]
5.2 Identified harms and risk scenarios: [Table]
5.3 Risk scoring methodology: [Likelihood x severity]
5.4 Mitigation controls per risk: [Control list]
5.5 Residual risk acceptance process: [Process]
5.6 Escalation and incident triggers: [Thresholds]
5.7 Reassessment cadence: [Frequency]

Related article: Art. 9 (risk management system).


6) Human Oversight Measures

6.1 Oversight roles and responsibilities: [Roles]
6.2 Human intervention points: [Workflow steps]
6.3 Override/stop mechanisms: [Controls]
6.4 User instruction/training plan: [Program]
6.5 Escalation authority map: [Who can decide]
6.6 Safeguards against automation bias: [Measures]

Related article: Art. 14 (human oversight).


7) Logging, Monitoring, and Post-Market Activities

7.1 Logging scope/events captured: [Events]
7.2 Log retention and integrity controls: [Policy; Art. 19 requires providers to keep automatically generated logs under their control for at least six months]
7.3 Monitoring KPIs and thresholds: [KPI table]
7.4 Drift/performance degradation checks: [Method]
7.5 Incident handling workflow: [Process]
7.6 Corrective action workflow: [Process]
7.7 Post-market review cadence: [Schedule]

Related articles: Art. 12 (record-keeping), Art. 19 (log retention), Art. 72 (post-market monitoring), Art. 73 (reporting of serious incidents).
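Item 7.2 asks for log integrity controls, and Art. 12 record-keeping only has value if the records cannot be altered after the fact. As an added illustration (example code, not part of the template and not any provider's system), the following Python builds a tamper-evident, hash-chained, append-only event log: each record carries the SHA-256 of its predecessor, so editing, deleting or reordering a record breaks verification at that point. It also shows the retention caveat that trips people up: dropping old records from a hash chain breaks verification unless the hash of the last dropped record is kept as a checkpoint anchor. The record layout, the `GENESIS` constant and the sample events are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # predecessor hash assumed for the very first record


def _canonical(obj) -> bytes:
    # Stable serialisation (sorted keys, fixed separators) so the same record
    # always hashes to the same digest regardless of insertion order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _digest(body: dict) -> str:
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append `event` as a chained record and return the stored record."""
    if log:
        prev_hash, seq = log[-1]["hash"], log[-1]["seq"] + 1
    else:
        prev_hash, seq = GENESIS, 0
    body = {"seq": seq, "prev_hash": prev_hash, "event": event}
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record


def verify_chain(log: list, anchor: str = GENESIS) -> tuple:
    """Check every record against its predecessor, starting from `anchor`
    (GENESIS for a full log, or the checkpoint left by apply_retention).
    Returns (True, -1) if intact, else (False, seq of the first bad record)."""
    prev_hash = anchor
    expected_seq = log[0]["seq"] if log else 0
    for record in log:
        body = {k: v for k, v in record.items() if k != "hash"}
        if (record["seq"] != expected_seq
                or record["prev_hash"] != prev_hash
                or _digest(body) != record["hash"]):
            return False, record["seq"]
        prev_hash, expected_seq = record["hash"], expected_seq + 1
    return True, -1


def apply_retention(log: list, cutoff_ts: str) -> tuple:
    """Drop the leading records whose event timestamp is before `cutoff_ts`
    (ISO 8601 strings, so lexical comparison is chronological). Returns the
    kept records and the hash of the last dropped record as the new anchor,
    which must be stored alongside the log for later verification."""
    anchor, kept = GENESIS, []
    for record in log:
        if not kept and record["event"]["ts"] < cutoff_ts:
            anchor = record["hash"]
        else:
            kept.append(record)
    return kept, anchor


# Constructed sample events (not real system output); field names assumed.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00Z", "type": "inference", "input_ref": "req-001",
     "output": "reject", "score": 0.91},
    {"ts": "2025-01-10T09:05:00Z", "type": "human_override", "input_ref": "req-001",
     "operator": "op-17", "output": "accept"},
    {"ts": "2025-02-01T12:00:00Z", "type": "inference", "input_ref": "req-002",
     "output": "accept", "score": 0.42},
    {"ts": "2025-02-01T12:01:00Z", "type": "model_update", "version": "1.3.0"},
]


def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_event(log, event)
    return log


def demo() -> dict:
    """Exercise the three cases a reviewer cares about: intact, edited, deleted,
    plus retention applied with a checkpoint anchor."""
    log = build_sample_log()
    tampered = copy.deepcopy(log)
    tampered[1]["event"]["output"] = "reject"   # quietly change an override outcome
    deleted = copy.deepcopy(log)
    del deleted[2]                                # remove a record from the middle
    kept, anchor = apply_retention(log, "2025-02-01T00:00:00Z")
    return {
        "intact": verify_chain(log),
        "after_edit": verify_chain(tampered),
        "after_delete": verify_chain(deleted),
        "retained": verify_chain(kept, anchor),
        "kept_count": len(kept),
    }


if __name__ == "__main__":
    print(demo())
```

A hash chain detects tampering by anyone who does not also control the log store; it does not by itself prevent an administrator from rewriting the whole chain from a chosen point. For that, periodically export the head hash to a location the logging system cannot write (a signed timestamp, a WORM bucket, or a separate audit service) and record that export as the anchor in 7.2.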


8) Conformity and Regulatory Information

8.1 Conformity assessment route: [Internal / notified body]
8.2 Harmonised standards used: [Standards list]
8.3 Common specifications used: [If any]
8.4 CE marking status: [Status]
8.5 EU declaration of conformity reference: [Doc]
8.6 EU database registration status/ID: [Status/ID]
8.7 Notified body details (if applicable): [Entity]

Related articles: Art. 43 (conformity assessment), Art. 47 (EU declaration of conformity), Art. 48 (CE marking), Art. 49 (registration).


9) Cybersecurity and Resilience

9.1 Threat model summary: [Model; cover the AI-specific attacks Art. 15(5) names: data poisoning, model poisoning, adversarial examples/model evasion, and confidentiality attacks, alongside conventional infrastructure threats]
9.2 Access control model: [IAM/segmentation]
9.3 Secure update process: [Procedure]
9.4 Vulnerability management process: [Procedure]
9.5 Backup/recovery strategy: [Plan]
9.6 Business continuity assumptions: [Assumptions]

Related article: Art. 15 (accuracy, robustness and cybersecurity).


10) Documentation Quality Checks

  • [ ] All sections complete and current
  • [ ] Technical claims evidenced by test artifacts
  • [ ] Legal references reviewed with compliance owner
  • [ ] Version control and approvals recorded
  • [ ] External dependencies and third-party assumptions documented

11) Annexes

  • Annex A: Architecture diagrams
  • Annex B: Data dictionaries
  • Annex C: Validation test reports
  • Annex D: Risk register extracts
  • Annex E: User instructions and oversight SOPs
  • Annex F: Conformity evidence bundle

Fillable Sign-Off

  • Prepared by: [Name / Date]
  • Reviewed by (Technical): [Name / Date]
  • Reviewed by (Compliance): [Name / Date]
  • Approved by: [Name / Date]