EU AI Act Article 50 — 20 days to seal | Get passport
🐉

Technical Documentation

EU AI Act Annex IV · Master Documentation Index · 11 Required Sections · Evidence-Based Compliance · EAT Directive aligned

ANNEX IV 8/11 READY ACTIVE
11
Annex IV Items
8
Sections Ready
3
In Progress
73%
Doc Coverage
47
Linked Pages
236
Crosswalked Frameworks

What is Annex IV Technical Documentation?

Annex IV of the EU AI Act specifies the technical documentation that must be drawn up before a high-risk AI system is placed on the market or put into service. The documentation must demonstrate that the system complies with the requirements set out in Chapter III of the Act (Articles 8-17) and must be provided to national competent authorities upon request.

DEFONEOS maintains a living technical documentation set. Each of the 11 Annex IV items maps to specific pages, evidence files, system artifacts, and verification records. This page serves as the master index — the entry point for any regulator, notified body, or authorised representative seeking to assess DEFONEOS compliance.

Key principle: Technical documentation is not a static deliverable. It evolves with the system. Every deployment, model update, MCP addition, or configuration change triggers a documentation review. The documentation is version-controlled, Ed25519-signed, and timestamped on the SIGIL chain.

⚠️ Honesty Register

Documentation coverage percentages describe the architectural completeness of the documentation framework — not an assessment by a notified body. Items marked "ready" have their structural content defined, linked to evidence, and internally reviewed; they have not been externally audited. DEFONEOS provides the documentation infrastructure required for conformity assessment; the assessment itself must be performed by a notified body for high-risk systems. The "8/11 ready" figure means the documentation framework is structurally complete for those items — evidence quality varies by item and should be assessed item-by-item.

Annex IV — Item-by-Item Index

1
General Description of the AI System (Annex IV §1(a))

Status: READY Annex IV §1(a)

Intent: The intended purpose of the system, the name and contact details of the provider, and the name and contact details of the authorised representative (if applicable).

Evidence:

  • DEFONEOS main page — system overview, mission, architecture summary
  • AI System Card — Annex IV compliant system card with provider identity
  • DEFONEOS-999 compliance overview — 999-day plan
  • Provider: CSOAI Ltd (UK Company 16939677). Authorised representative: TBD (EU representative required for EU market placement).

Gap: EU authorised representative not yet designated. Required before EU market placement under Article 22.

2
System Architecture and Detailed Description (Annex IV §1(b))

Status: READY Annex IV §1(b)

Intent: Detailed description of system architecture, components, development process, how the components interact, and how the system achieves its intended purpose.

Evidence:

  • Architecture overview — 5-layer architecture (L0 Protocol / L1 Data / L2 MCP / L3 C2 / L4 Governance)
  • MCP federation — 30 MCP servers, categories, data flow
  • Sovereign substrate — SIGIL chain, Ed25519, Mamba-2 SSM, BFT council
  • Development process: Git-tracked, CI/CD pipeline, quality gates pre-commit/pre-merge/pre-deploy

Compliance: Article 9 RMS feeds architectural decisions. All component interactions are logged on the SIGIL chain.

3
Development Process — Design, Training, Evaluation (Annex IV §2(a-c))

Status: IN PROGRESS Annex IV §2

Intent: Description of how the system was developed including: (a) methodology and steps for design, training, and testing; (b) design specifications of the model; (c) description of the system's training, validation, and testing data.

Evidence:

  • Methodology: Sovereign substrate development — Mamba-2 SSM + MoE + BFT governance
  • Design specs: System Card Section 2 — architecture and model details
  • Training data: DEFONEOS uses open-source models (no training in the traditional sense). See Data Governance page
  • Testing: 280 automated checks per 5-min cycle — see CISO Self-Scan

Gap: Full development methodology documentation requires engineering narrative covering each MCP build cycle, model selection rationale, and evaluation criteria. Drafted but needs formalisation.

4
Risk Management System (Annex IV §3 → Article 9)

Status: READY Annex IV §3

Intent: Description of the risk management system as required by Article 9.

Evidence:

Compliance: Article 9 iterative RMS implemented as automated 5-min cycle. ISO 14971 structural alignment. Risk register maintained and Ed25519-signed.

5
Data and Data Governance (Annex IV §2(d) → Article 10)

Status: READY Annex IV §2(d)

Intent: Description of the data used for training, validation, and testing, including collection, preparation, and governance.

Evidence:

  • Data Governance — GDPR/DPA 2018 alignment, 7 principles, 6 data categories, 8 subject rights
  • Post-Market Monitoring — data-driven drift detection, 14 monitoring vectors
  • Sovereign storage: All data stored on UK sovereign infrastructure. Zero foreign transfers.
  • DPIA summary available in Data Governance page.

Compliance: Article 10 data governance requirements structurally met. No training data used (open-source models). Operational data governed by GDPR/DPA 2018.

6
Record-Keeping and Logging (Annex IV §2(f) → Article 12)

Status: READY Annex IV §2(f)

Intent: Description of the recording of relevant events (logging) as required by Article 12.

Evidence:

  • Record-Keeping and Logging — Art 12 deep dive (this section links to dedicated page)
  • SIGIL chain — Ed25519-signed, hash-chained event ledger
  • Automated logging: All MCP calls, governance decisions, BFT votes, and system events logged
  • Retention: 6 months automatic, 5 years for governance events. Immutable via hash chain.

Compliance: Article 12 logging implemented via SIGIL chain. Logging capacity meets Annex IV §2(f) requirements. Timestamps Ed25519-signed.

7
Human Oversight Measures (Annex IV §2(g) → Article 14)

Status: READY Annex IV §2(g)

Intent: Description of the human oversight measures as required by Article 14.

Evidence:

  • Human Oversight — 5-level oversight framework (HARD-STOP/BFT/HITL/TRANSPARENCY/MONITORING)
  • DEFONEOS-999 — governance overview, red lines, BFT council structure
  • Stop button: <2s response time. 3 override mechanisms. BFT quorum 23/33.

Compliance: Article 14(2) requirements met — effective oversight through 5-level framework. Automation bias mitigations implemented.

8
Accuracy, Robustness, and Cybersecurity (Annex IV §2(e) → Articles 15-16)

Status: READY Annex IV §2(e)

Intent: Description of how the accuracy, robustness, and cybersecurity requirements of Articles 15 and 16 are met.

Evidence:

Compliance: Articles 15-16 requirements structurally met. Accuracy metrics defined per MCP. Cybersecurity via sovereign infrastructure, PQC roadmap, Ed25519 signatures.

9
Quality Management System (Annex IV §3 → Article 17)

Status: READY Annex IV §3

Intent: Description of the quality management system as required by Article 17.

Evidence:

  • Quality Management System — 9 quality domains, 84 procedures, 23 CAPA closed, 10 KPIs GREEN
  • ISO 9001/13485/42001 structural alignment
  • CI/CD quality gates: pre-commit, pre-merge, pre-deploy, post-deploy
  • Documentation rate: 98.5%. Zero CAPA recurrence.

Compliance: Article 17 QMS implemented as automated CI/CD + documentation + CAPA system. Structurally aligned with ISO standards (not certified).

10
Technical Information for Conformity Assessment (Annex IV §4)

Status: IN PROGRESS Annex IV §4

Intent: A list of harmonised standards applied in full or in part, and description of the solutions adopted to meet the requirements where harmonised standards have not been applied.

Evidence:

  • OSCAL Catalog — 12 frameworks crosswalked (EU AI Act, GDPR, NIST AI RMF, ISO 42001, ISO 27001, etc.)
  • Conformity Assessment — Module A self-assessment readiness, 73% ready
  • Harmonised standards: None formally applied (DEFONEOS uses structural alignment, not certified standards)

Gap: Formal conformity assessment requires notified body engagement for high-risk systems. DEFONEOS is structurally ready but not assessed.

11
EU Declaration of Conformity and CE Marking (Annex IV §5 → Article 47-48)

Status: NOT STARTED Annex IV §5

Intent: Copy of the EU declaration of conformity as required by Article 47.

Evidence:

  • Template available at Conformity Assessment page
  • Cannot be signed until: (1) Conformity assessment completed, (2) Notified body engaged (if applicable), (3) Technical documentation fully assessed

Gap: EU Declaration of Conformity is a formal legal document that can only be signed after conformity assessment. DEFONEOS provides the template and infrastructure but has not completed the assessment.

Documentation Coverage Matrix

#Annex IV ItemArticleStatusEvidence PagesCompleteness
1General Description§1(a)✅ READY3 pages90%
2System Architecture§1(b)✅ READY3 pages85%
3Development Process§2(a-c)⚠️ IN PROGRESS2 pages + draft60%
4Risk Management§3 → Art 9✅ READY3 pages90%
5Data Governance§2(d) → Art 10✅ READY2 pages85%
6Record-Keeping§2(f) → Art 12✅ READY2 pages85%
7Human Oversight§2(g) → Art 14✅ READY2 pages85%
8Accuracy/Robustness/Cyber§2(e) → Art 15-16✅ READY4 pages80%
9Quality Management§3 → Art 17✅ READY1 page80%
10Conformity Standards§4⚠️ IN PROGRESS2 pages65%
11EU Declaration§5 → Art 47❌ NOT STARTEDTemplate only10%

Overall Coverage: 73% — 8/11 items structurally ready

Documentation Lifecycle

PhaseActionFrequencyAutomatedOutput
1. CreateDocumentation drafted when MCP/page/system builtOn buildSemiPage + evidence files
2. ReviewTechnical review for accuracy and completenessOn build + quarterlyManualReview record
3. SignEd25519 signature applied via SIGIL chainOn approvalYesSIGIL digest
4. PublishPage deployed to production (Vercel)On sign-offYesLive URL
5. MonitorPost-market monitoring flags doc gapsContinuousYesDrift alerts
6. UpdateDocumentation revised when system changesOn changeSemiUpdated page
7. ArchivePrevious versions retained for auditOn updateYesSIGIL history
8. AssessExternal conformity assessment (notified body)Pre-marketManualAssessment report

Cross-Framework Documentation Mapping

FrameworkDocumentation RequirementDEFONEOS Coverage
EU AI Act Annex IV11-item technical documentation8/11 ready, 73%
GDPR Art 30Records of processing activitiesSee Data Governance
GDPR Art 35DPIASummary available (full DPIA on request)
NIST AI RMFGovern/Map/Measure/Manage documentationStructural alignment, OSCAL catalog
ISO/IEC 42001AIMS documentationStructural alignment (not certified)
ISO/IEC 27001ISMS documentationStructural alignment (not certified)
JSP 936MOD AI assurance documentationDraft framework (not assessed)
UK AISISystem Card / model evaluationSystem Card drafted
OSCALMachine-readable compliance147 controls, 12 frameworks
STRIDEThreat model documentation6-vector STRIDE model in System Card
OWASP ASIAI security documentationDraft (not assessed)
CIS Controls v8Security baseline documentationStructural alignment via OSCAL

Regulator Access Protocol

How a Regulator Accesses DEFONEOS Documentation

StepActionMethodResponse Time
1Regulator submits documentation requestFormal written request to CSOAI Ltd
2CSOAI verifies requester identity and authorityIdentity verification, scope check24h
3Documentation package preparedThis index + linked pages + evidence files48h
4SIGIL verification of documentation integrityHash chain verification, Ed25519 signature check1h
5Documentation delivered via secure channelEncrypted transfer or secure portal72h total
6Regulator reviews and questionsQ&A process, clarification callsPer regulator

Note: The 72-hour total response time assumes the documentation request is within scope. For requests requiring system changes (e.g., new evidence generation), timelines are negotiated.

⚠️ Honesty Register — Documentation Limitations

What this documentation IS: A comprehensive, structured framework for Annex IV compliance that covers 8/11 items with linked evidence pages, automated verification, and version control. It demonstrates that DEFONEOS has the documentation infrastructure required for conformity assessment.

What this documentation IS NOT: It is not a conformity assessment. It has not been reviewed by a notified body. The "ready" status means the structural framework exists — evidence quality and completeness for each item would be assessed during formal conformity assessment. Items 3 (development process) and 10 (conformity standards) are still being drafted. Item 11 (EU Declaration) cannot be completed until conformity assessment is performed.

What's missing: (1) EU authorised representative designation, (2) Notified body engagement, (3) Full development methodology narrative, (4) Harmonised standards application documentation, (5) Formal conformity assessment report.

SIGIL Verification

All documentation pages are Ed25519-signed on the SIGIL chain. Any page can be verified by checking its SIGIL digest against the hash chain. Tampering is cryptographically detectable. Documentation integrity is maintained from creation through publication to archival.

SIGIL chain verification: $ python3 sigil_verify.py --page defoneos-technical-documentation.html → PASS: Hash chain intact. Ed25519 signature valid. Timestamp: 2026-07-05T23:00Z
🛡️ Ready to put DEFONEOS to work?

7 personas · 5 tiers · 30-second signup · free 30-day sandbox for regulators and end-users.

Sign up · Ed25519-signed receipt → For Defence Primes For Regulators (Free) Series A — £45-90M Round
ED25519 SIGIL receipts · UK-sovereign · AUKUS-compatible · T-27 days to EU AI Act