All articles
Annex IV Technical Documentation for Medical AI (EU AI Act)
AI Act

Annex IV Technical Documentation for Medical AI (EU AI Act)

You do not build a separate AI Act technical file. For medical AI, you extend your MDR/IVDR technical documentation to cover the Annex IV elements, assessed inside your existing conformity assessment under Article 43(3). Here is the Annex IV element list and how it maps to what you already hold. Cited.

Pedram Madani5 min read
Share

Annex IV Technical Documentation for Medical AI

TL;DR

Annex IV is the EU AI Act's technical-documentation requirement (via Article 11). For medical AI, the key point is that you do not produce a standalone AI Act file:

  • You extend your existing MDR/IVDR technical documentation to also cover the Annex IV elements.
  • It is assessed inside your existing conformity assessment under Article 43(3), not as a separate submission.
  • Much of Annex IV overlaps with your MDR/IVDR file (intended purpose, risk management, validation, cybersecurity, standards). The genuinely new parts are AI-specific: training-data provenance and governance, model architecture, performance-metric justification, and predetermined changes.

Map, do not rebuild. This guide lists the Annex IV elements and shows where each likely lives in your medical-device file.

Every legal claim below is cited. See Sources.

What Annex IV requires

Annex IV sets out the technical documentation for a high-risk AI system. In summary, it covers:

  • A general description of the system: its intended purpose, the provider, the version, how it interacts with hardware and software, and the forms in which it is placed on the market.
  • A detailed description of the system's elements and development: the methods and design choices, the system architecture, the computational resources, and the data (training methodologies, datasets, their provenance, and cleaning procedures).
  • Human oversight measures and the technical measures that make the output interpretable (per Article 13).
  • Predetermined changes to the system and its performance, and how continued compliance is ensured.
  • Validation and testing procedures: test data, accuracy and performance metrics, and the metrics you chose and why.
  • Cybersecurity measures.
  • A description of performance: capabilities, limitations, expected accuracy, foreseeable risks, and human-oversight needs.
  • The risk management system (per Article 9).
  • Lifecycle changes made by the provider.
  • The standards applied, or the technical solutions used to meet the requirements.
  • A copy of the EU declaration of conformity (Article 47).
  • The post-market monitoring plan (per Article 72).

For a general walk-through of these elements, see our AI Act technical documentation guide. This page is about the medical overlay.

Is your AI system high-risk?

Find out in 2 minutes, free, no signup required.

Take the free assessment

How Annex IV maps to your MDR/IVDR file

If you already maintain MDR/IVDR technical documentation (Annex II and III of the MDR), a large share of Annex IV is a re-expression of what you have. The table shows the pattern:

Annex IV elementLikely already in your MDR/IVDR fileAI-specific gap to close
General description, intended purposeIntended-purpose statement, device descriptionVersion and model interaction detail
Development, architecture, dataDesign documentationTraining-data provenance, governance, cleaning; model architecture
Human oversightUsability engineering (IEC 62366)Output interpretability measures (Art 13)
Validation and testingClinical/performance evaluation, verificationAccuracy metrics and why they were chosen
CybersecurityMDCG 2019-16 securityAI-specific robustness against manipulation
Risk managementISO 14971 fileAI-specific risks (drift, feedback, misuse)
Standards appliedEN/ISO/IEC standards listAI Act harmonised standards (still emerging)
Declaration of conformityEU DoCExtended to cover the AI Act
Post-market monitoring planMDR/IVDR PMS, PMCF/PMPFAI performance-monitoring plan (Art 72)

The AI Act × MDR/IVDR crosswalk turns this into a printable, obligation-by-obligation checklist.

Integration: one file, not two (Article 43(3))

Because Article 43(3) folds the AI Act check into your MDR/IVDR conformity assessment, the sensible structure is a single technical documentation set that satisfies both regimes, with the AI-specific sections added where they belong. That is also what the Commission's MDCG 2025-6 guidance points to: integrate the AI-specific elements into your existing documentation and quality system rather than duplicating them.

Common mistakes

  • Building a standalone AI Act dossier. Extend the MDR/IVDR file; a parallel document set is wasted effort and a maintenance liability.
  • Treating training data as an afterthought. Data provenance, governance and cleaning are among the most-scrutinised and most-often-missing Annex IV elements for AI.
  • Skipping the metric justification. Annex IV wants not just your accuracy numbers but why those metrics are the right ones for the intended purpose.
  • Forgetting predetermined changes. If your model updates, document the planned changes and how conformity is maintained.

FAQ

Do I need a separate AI Act technical file for my medical device?

No. You extend your existing MDR/IVDR technical documentation to cover the Annex IV elements, and it is assessed inside your existing conformity assessment under Article 43(3). A standalone dossier is unnecessary duplication.

What is genuinely new in Annex IV compared with my MDR documentation?

Mostly the AI-specific parts: training, validation and test data provenance and governance, model architecture and development methods, the justification for your performance metrics, and predetermined changes to the model. Much of the rest re-expresses your existing design, risk, validation and cybersecurity documentation.

Where does the risk management description go?

Annex IV points to the risk management system under Article 9. For a medical device, that builds on your ISO 14971 file, extended to cover AI-specific risks such as data drift and foreseeable misuse of the model.

Does Annex IV include a post-market plan?

Yes. Annex IV requires the post-market monitoring plan under Article 72. For medical AI this sits alongside your MDR/IVDR post-market surveillance and adds AI-specific performance monitoring.

Sources (official)

  • EU AI Act, Regulation (EU) 2024/1689: official text on EUR-Lex; per-article on the European Commission AI Act Service Desk. Cited: Article 11 and Annex IV (technical documentation), Article 9 (risk management), Article 13 (transparency and oversight interpretability), Article 43(3) (integrated conformity), Article 47 (declaration of conformity), Article 72 (post-market monitoring plan).
  • MDR, Regulation (EU) 2017/745: official text on EUR-Lex. Cited: Annexes II and III (technical documentation).
  • MDCG 2025-6, FAQ on the interplay between the MDR/IVDR and the AI Act (19 June 2025): Commission page.

Legalithm provides compliance information and tooling, not legal advice. Documentation requirements depend on your specific system; confirm with your notified body and qualified counsel. Article references are to Regulation (EU) 2024/1689 (the AI Act).

AI Act
Annex IV
Technical Documentation
MDR
Medical Devices
SaMD
Conformity