Annex IV Technical Documentation for Medical AI
TL;DR
Annex IV is the EU AI Act's technical-documentation requirement (via Article 11). For medical AI, the key point is that you do not produce a standalone AI Act file:
- You extend your existing MDR/IVDR technical documentation to also cover the Annex IV elements.
- It is assessed inside your existing conformity assessment under Article 43(3), not as a separate submission.
- Much of Annex IV overlaps with your MDR/IVDR file (intended purpose, risk management, validation, cybersecurity, standards). The genuinely new parts are AI-specific: training-data provenance and governance, model architecture, performance-metric justification, and predetermined changes.
Map, do not rebuild. This guide lists the Annex IV elements and shows where each likely lives in your medical-device file.
Every legal claim below is cited. See Sources.
What Annex IV requires
Annex IV sets out the technical documentation for a high-risk AI system. In summary, it covers:
- A general description of the system: its intended purpose, the provider, the version, how it interacts with hardware and software, and the forms in which it is placed on the market.
- A detailed description of the system's elements and development: the methods and design choices, the system architecture, the computational resources, and the data (training methodologies, datasets, their provenance, and cleaning procedures).
- Human oversight measures and the technical measures that make the output interpretable (per Article 13).
- Predetermined changes to the system and its performance, and how continued compliance is ensured.
- Validation and testing procedures: test data, accuracy and performance metrics, and the metrics you chose and why.
- Cybersecurity measures.
- A description of performance: capabilities, limitations, expected accuracy, foreseeable risks, and human-oversight needs.
- The risk management system (per Article 9).
- Lifecycle changes made by the provider.
- The standards applied, or the technical solutions used to meet the requirements.
- A copy of the EU declaration of conformity (Article 47).
- The post-market monitoring plan (per Article 72).
For a general walk-through of these elements, see our AI Act technical documentation guide. This page is about the medical overlay.
Is your AI system high-risk?
Find out in 2 minutes, free, no signup required.
Take the free assessmentHow Annex IV maps to your MDR/IVDR file
If you already maintain MDR/IVDR technical documentation (Annex II and III of the MDR), a large share of Annex IV is a re-expression of what you have. The table shows the pattern:
The AI Act × MDR/IVDR crosswalk turns this into a printable, obligation-by-obligation checklist.
Integration: one file, not two (Article 43(3))
Because Article 43(3) folds the AI Act check into your MDR/IVDR conformity assessment, the sensible structure is a single technical documentation set that satisfies both regimes, with the AI-specific sections added where they belong. That is also what the Commission's MDCG 2025-6 guidance points to: integrate the AI-specific elements into your existing documentation and quality system rather than duplicating them.
Common mistakes
- Building a standalone AI Act dossier. Extend the MDR/IVDR file; a parallel document set is wasted effort and a maintenance liability.
- Treating training data as an afterthought. Data provenance, governance and cleaning are among the most-scrutinised and most-often-missing Annex IV elements for AI.
- Skipping the metric justification. Annex IV wants not just your accuracy numbers but why those metrics are the right ones for the intended purpose.
- Forgetting predetermined changes. If your model updates, document the planned changes and how conformity is maintained.
FAQ
Do I need a separate AI Act technical file for my medical device?
No. You extend your existing MDR/IVDR technical documentation to cover the Annex IV elements, and it is assessed inside your existing conformity assessment under Article 43(3). A standalone dossier is unnecessary duplication.
What is genuinely new in Annex IV compared with my MDR documentation?
Mostly the AI-specific parts: training, validation and test data provenance and governance, model architecture and development methods, the justification for your performance metrics, and predetermined changes to the model. Much of the rest re-expresses your existing design, risk, validation and cybersecurity documentation.
Where does the risk management description go?
Annex IV points to the risk management system under Article 9. For a medical device, that builds on your ISO 14971 file, extended to cover AI-specific risks such as data drift and foreseeable misuse of the model.
Does Annex IV include a post-market plan?
Yes. Annex IV requires the post-market monitoring plan under Article 72. For medical AI this sits alongside your MDR/IVDR post-market surveillance and adds AI-specific performance monitoring.
Sources (official)
- EU AI Act, Regulation (EU) 2024/1689: official text on EUR-Lex; per-article on the European Commission AI Act Service Desk. Cited: Article 11 and Annex IV (technical documentation), Article 9 (risk management), Article 13 (transparency and oversight interpretability), Article 43(3) (integrated conformity), Article 47 (declaration of conformity), Article 72 (post-market monitoring plan).
- MDR, Regulation (EU) 2017/745: official text on EUR-Lex. Cited: Annexes II and III (technical documentation).
- MDCG 2025-6, FAQ on the interplay between the MDR/IVDR and the AI Act (19 June 2025): Commission page.
Legalithm provides compliance information and tooling, not legal advice. Documentation requirements depend on your specific system; confirm with your notified body and qualified counsel. Article references are to Regulation (EU) 2024/1689 (the AI Act).



