Chapter III, Section 3 — Obligations of providers and deployers of high-risk AI systems and other partiesArticle 18

Article 18: Documentation Keeping

Applies from 2 Aug 20264 min readEUR-Lex verified Apr 2026

Article 18 requires providers of high-risk AI systems to keep specified documentation available for market surveillance authorities for a period of 10 years after the system has been placed on the market or put into service. The documentation includes: (a) the technical documentation (Annex IV); (b) the documentation on the quality management system; (c) any changes approved by notified bodies (where applicable); (d) the decisions and documents issued by notified bodies; (e) the EU declaration of conformity. Providers must also keep automatically generated logs within their control, to the extent such logs are generated by the system under Article 12.

Start free assessment All articles

Who does this apply to?

-Providers of high-risk AI systems who must retain documentation for 10 years
-Authorised representatives keeping documentation on behalf of third-country providers
-Market surveillance authorities requesting documentation during inspections
-Compliance teams managing document retention and archival policies

Scenarios

A provider places a high-risk employment screening AI on the market in January 2027. In 2033, a market surveillance authority requests the full technical documentation.

The provider must produce Annex IV documentation, QMS records, the EU declaration of conformity, and any notified body certificates — all within the 10-year retention window.

Ref. Art. 18

A provider stores system-generated logs in a cloud environment but loses access after switching vendors.

Non-compliant — Article 18 requires logs within the provider's control to be kept. Migration plans must preserve log continuity.

Ref. Art. 18 + Art. 12

What must be kept (plain terms)

Providers must keep at the disposal of national competent authorities for 10 years after market placement or putting into service:

1. Technical documentation drawn up under Article 11 (content per Annex IV) 2. QMS documentation under Article 17 3. Changes approved by notified bodies (where Annex VII assessment was used) 4. Decisions and other documents issued by notified bodies 5. EU declaration of conformity under Article 47

Additionally, providers must keep automatically generated logs (to the extent within their control) as generated under Article 12.

How Article 18 connects to the rest of the Act

Article 11 + Annex IV — What the technical documentation must contain.
Article 12 — Logging capabilities whose output Article 18 requires to be retained.
Article 16(d) — Documentation keeping is a lettered provider obligation.
Article 17 — QMS documentation to be retained.
Article 47 — EU declaration of conformity to be kept.
Article 22 — Authorised representative may hold documentation on behalf of non-EU providers.
Article 23 + Article 24 — Importers and distributors must be able to present certain documentation on request.

Compliance checklist

Establish a 10-year document retention policy for all Article 18 categories.
Ensure technical documentation, QMS records, and EU declarations are version-controlled and timestamped.
Implement secure, tamper-evident storage for automatically generated logs.
Plan for vendor migrations that preserve log and documentation access.
For authorised representatives: contractually secure documentation custody and transfer rights.
Test retrieval: can you produce full documentation within a reasonable timeframe upon authority request?

Read the official text on EUR-Lex

Set up your documentation retention plan—free assessment.

Start Free Assessment

Article 11: Technical Documentation

Article 12: Record-keeping

Article 16: Obligations of Providers of High-Risk AI Systems

Article 17: Quality Management System for High-Risk AI

Article 22: Authorised Representatives of Providers of High-Risk AI Systems

Article 23: Obligations of Importers

Article 24: Obligations of Distributors

Article 47: EU Declaration of Conformity

Article 99: Penalties for AI Act Infringements

Article 113: Entry into Force and Application Dates

Annex IV: Technical Documentation for High-Risk AI Systems

Related annexes

Annex IV — Technical documentation content

Frequently asked questions

Does the 10-year clock start from market placement or first deployment?

It starts from when the system is placed on the market or put into service — whichever comes first. Verify the exact trigger on EUR-Lex.

Must documents be in a specific format?

Article 18 does not prescribe format, but they must be readily available for authorities. Digital, searchable formats are best practice.

What about logs — does the provider keep all inference logs?

Article 18 requires keeping automatically generated logs 'to the extent' they are within the provider's control. Deployer-side logs are the deployer's responsibility under Article 26.

On this page

Key terms

Documentation keeping: The obligation to retain and make available specified compliance documentation for 10 years after market placement, enabling authority inspection at any time.
Technical documentation retention: The obligation to keep Annex IV technical documentation available for market surveillance authorities for at least 10 years after the system is placed on the market.
EU declaration of conformity: The provider's formal statement that their high-risk AI system complies with the requirements of the AI Act, following the template in Annex V.

At a glance

Article: 18
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now