Annex IV of the EU AI Act specifies the technical documentation that must be drawn up before a high-risk AI system is placed on the market or put into service. The documentation must demonstrate that the system complies with the requirements set out in Chapter III of the Act (Articles 8-17) and must be provided to national competent authorities upon request.
DEFONEOS maintains a living technical documentation set. Each of the 11 Annex IV items maps to specific pages, evidence files, system artifacts, and verification records. This page serves as the master index — the entry point for any regulator, notified body, or authorised representative seeking to assess DEFONEOS compliance.
Key principle: Technical documentation is not a static deliverable. It evolves with the system. Every deployment, model update, MCP addition, or configuration change triggers a documentation review. The documentation is version-controlled, Ed25519-signed, and timestamped on the SIGIL chain.
Documentation coverage percentages describe the architectural completeness of the documentation framework — not an assessment by a notified body. Items marked "ready" have their structural content defined, linked to evidence, and internally reviewed; they have not been externally audited. DEFONEOS provides the documentation infrastructure required for conformity assessment; the assessment itself must be performed by a notified body for high-risk systems. The "8/11 ready" figure means the documentation framework is structurally complete for those items — evidence quality varies by item and should be assessed item-by-item.
Status: READY Annex IV §1(a)
Intent: The intended purpose of the system, the name and contact details of the provider, and the name and contact details of the authorised representative (if applicable).
Evidence:
Gap: EU authorised representative not yet designated. Required before EU market placement under Article 22.
Status: READY Annex IV §1(b)
Intent: Detailed description of system architecture, components, development process, how the components interact, and how the system achieves its intended purpose.
Evidence:
Compliance: Article 9 RMS feeds architectural decisions. All component interactions are logged on the SIGIL chain.
Status: IN PROGRESS Annex IV §2
Intent: Description of how the system was developed including: (a) methodology and steps for design, training, and testing; (b) design specifications of the model; (c) description of the system's training, validation, and testing data.
Evidence:
Gap: Full development methodology documentation requires engineering narrative covering each MCP build cycle, model selection rationale, and evaluation criteria. Drafted but needs formalisation.
Status: READY Annex IV §3
Intent: Description of the risk management system as required by Article 9.
Evidence:
Compliance: Article 9 iterative RMS implemented as automated 5-min cycle. ISO 14971 structural alignment. Risk register maintained and Ed25519-signed.
Status: READY Annex IV §2(d)
Intent: Description of the data used for training, validation, and testing, including collection, preparation, and governance.
Evidence:
Compliance: Article 10 data governance requirements structurally met. No training data used (open-source models). Operational data governed by GDPR/DPA 2018.
Status: READY Annex IV §2(f)
Intent: Description of the recording of relevant events (logging) as required by Article 12.
Evidence:
Compliance: Article 12 logging implemented via SIGIL chain. Logging capacity meets Annex IV §2(f) requirements. Timestamps Ed25519-signed.
Status: READY Annex IV §2(g)
Intent: Description of the human oversight measures as required by Article 14.
Evidence:
Compliance: Article 14(2) requirements met — effective oversight through 5-level framework. Automation bias mitigations implemented.
Status: READY Annex IV §2(e)
Intent: Description of how the accuracy, robustness, and cybersecurity requirements of Articles 15 and 16 are met.
Evidence:
Compliance: Articles 15-16 requirements structurally met. Accuracy metrics defined per MCP. Cybersecurity via sovereign infrastructure, PQC roadmap, Ed25519 signatures.
Status: READY Annex IV §3
Intent: Description of the quality management system as required by Article 17.
Evidence:
Compliance: Article 17 QMS implemented as automated CI/CD + documentation + CAPA system. Structurally aligned with ISO standards (not certified).
Status: IN PROGRESS Annex IV §4
Intent: A list of harmonised standards applied in full or in part, and description of the solutions adopted to meet the requirements where harmonised standards have not been applied.
Evidence:
Gap: Formal conformity assessment requires notified body engagement for high-risk systems. DEFONEOS is structurally ready but not assessed.
Status: NOT STARTED Annex IV §5
Intent: Copy of the EU declaration of conformity as required by Article 47.
Evidence:
Gap: EU Declaration of Conformity is a formal legal document that can only be signed after conformity assessment. DEFONEOS provides the template and infrastructure but has not completed the assessment.
| # | Annex IV Item | Article | Status | Evidence Pages | Completeness |
|---|---|---|---|---|---|
| 1 | General Description | §1(a) | ✅ READY | 3 pages | 90% |
| 2 | System Architecture | §1(b) | ✅ READY | 3 pages | 85% |
| 3 | Development Process | §2(a-c) | ⚠️ IN PROGRESS | 2 pages + draft | 60% |
| 4 | Risk Management | §3 → Art 9 | ✅ READY | 3 pages | 90% |
| 5 | Data Governance | §2(d) → Art 10 | ✅ READY | 2 pages | 85% |
| 6 | Record-Keeping | §2(f) → Art 12 | ✅ READY | 2 pages | 85% |
| 7 | Human Oversight | §2(g) → Art 14 | ✅ READY | 2 pages | 85% |
| 8 | Accuracy/Robustness/Cyber | §2(e) → Art 15-16 | ✅ READY | 4 pages | 80% |
| 9 | Quality Management | §3 → Art 17 | ✅ READY | 1 page | 80% |
| 10 | Conformity Standards | §4 | ⚠️ IN PROGRESS | 2 pages | 65% |
| 11 | EU Declaration | §5 → Art 47 | ❌ NOT STARTED | Template only | 10% |
Overall Coverage: 73% — 8/11 items structurally ready
| Phase | Action | Frequency | Automated | Output |
|---|---|---|---|---|
| 1. Create | Documentation drafted when MCP/page/system built | On build | Semi | Page + evidence files |
| 2. Review | Technical review for accuracy and completeness | On build + quarterly | Manual | Review record |
| 3. Sign | Ed25519 signature applied via SIGIL chain | On approval | Yes | SIGIL digest |
| 4. Publish | Page deployed to production (Vercel) | On sign-off | Yes | Live URL |
| 5. Monitor | Post-market monitoring flags doc gaps | Continuous | Yes | Drift alerts |
| 6. Update | Documentation revised when system changes | On change | Semi | Updated page |
| 7. Archive | Previous versions retained for audit | On update | Yes | SIGIL history |
| 8. Assess | External conformity assessment (notified body) | Pre-market | Manual | Assessment report |
| Framework | Documentation Requirement | DEFONEOS Coverage |
|---|---|---|
| EU AI Act Annex IV | 11-item technical documentation | 8/11 ready, 73% |
| GDPR Art 30 | Records of processing activities | See Data Governance |
| GDPR Art 35 | DPIA | Summary available (full DPIA on request) |
| NIST AI RMF | Govern/Map/Measure/Manage documentation | Structural alignment, OSCAL catalog |
| ISO/IEC 42001 | AIMS documentation | Structural alignment (not certified) |
| ISO/IEC 27001 | ISMS documentation | Structural alignment (not certified) |
| JSP 936 | MOD AI assurance documentation | Draft framework (not assessed) |
| UK AISI | System Card / model evaluation | System Card drafted |
| OSCAL | Machine-readable compliance | 147 controls, 12 frameworks |
| STRIDE | Threat model documentation | 6-vector STRIDE model in System Card |
| OWASP ASI | AI security documentation | Draft (not assessed) |
| CIS Controls v8 | Security baseline documentation | Structural alignment via OSCAL |
| Step | Action | Method | Response Time |
|---|---|---|---|
| 1 | Regulator submits documentation request | Formal written request to CSOAI Ltd | — |
| 2 | CSOAI verifies requester identity and authority | Identity verification, scope check | 24h |
| 3 | Documentation package prepared | This index + linked pages + evidence files | 48h |
| 4 | SIGIL verification of documentation integrity | Hash chain verification, Ed25519 signature check | 1h |
| 5 | Documentation delivered via secure channel | Encrypted transfer or secure portal | 72h total |
| 6 | Regulator reviews and questions | Q&A process, clarification calls | Per regulator |
Note: The 72-hour total response time assumes the documentation request is within scope. For requests requiring system changes (e.g., new evidence generation), timelines are negotiated.
What this documentation IS: A comprehensive, structured framework for Annex IV compliance that covers 8/11 items with linked evidence pages, automated verification, and version control. It demonstrates that DEFONEOS has the documentation infrastructure required for conformity assessment.
What this documentation IS NOT: It is not a conformity assessment. It has not been reviewed by a notified body. The "ready" status means the structural framework exists — evidence quality and completeness for each item would be assessed during formal conformity assessment. Items 3 (development process) and 10 (conformity standards) are still being drafted. Item 11 (EU Declaration) cannot be completed until conformity assessment is performed.
What's missing: (1) EU authorised representative designation, (2) Notified body engagement, (3) Full development methodology narrative, (4) Harmonised standards application documentation, (5) Formal conformity assessment report.
All documentation pages are Ed25519-signed on the SIGIL chain. Any page can be verified by checking its SIGIL digest against the hash chain. Tampering is cryptographically detectable. Documentation integrity is maintained from creation through publication to archival.
7 personas · 5 tiers · 30-second signup · free 30-day sandbox for regulators and end-users.
Sign up · Ed25519-signed receipt → For Defence Primes For Regulators (Free) Series A — £45-90M Round