EU AI Act Annex IV Template: What Deployers Actually Need in 2026

By Marc Dubois · May 2026 · 8 min read

TL;DR: Enterprise customers are now inserting EU AI Act compliance checks into vendor assessments. As a deployer of AI systems, you need an Article 26 record — not the full Annex IV technical file (that's your provider's job). This article gives you the exact checklist, a downloadable template, and the fastest way to generate it.

Three months ago, a CTO of a Berlin-based legal AI startup told me he lost a €200K/year enterprise contract because the buyer's procurement team asked for "EU AI Act documentation" and he sent back a blank stare. The deal went to a competitor who had a two-page PDF ready.

That's the 2026 EU AI Act reality for B2B AI companies: compliance is no longer a legal checkbox. It's a sales filter.

Wait — is Annex IV your obligation?

Here's the confusion most CTOs have: Annex IV technical documentation is a provider obligation, not a deployer obligation.

Under the EU AI Act:

Role	Who you are	Your obligation
Provider	You built the AI model (OpenAI, Anthropic, your in-house team)	Full Annex IV technical file: architecture, training data, test results, risk management
Deployer	You use an AI model in your product or service	Article 26 compliance record: use cases, human oversight, logs, incident reporting

Most B2B AI startups are deployers — they build on top of Claude, GPT-4, or Mistral. That means the heavy Annex IV work is on Anthropic's or OpenAI's side. Your obligation is the Article 26 Deployer Record.

But here's the catch: your enterprise customers don't know the difference. When their procurement team says "we need EU AI Act documentation," they want to see that you have your house in order. That means producing a clean deployer record, even if it's technically not called an Annex IV.

Omnibus update (May 7, 2026): The EU AI Act Omnibus provisional agreement shifted Annex III high-risk standalone obligations to December 2, 2027 (Annex I embedded products: August 2028). However, enterprise procurement teams haven't updated their checklists — vendor assessments across Europe are still requesting deployer documentation today. The compliance gap between legal reality and procurement expectation is your immediate risk. Penalties when rules apply: up to €35M or 7% of global annual turnover.

Article 26 Deployer Obligations: The Full Checklist

Want the deep dive? Each of the eleven duties below is unpacked with worked SaaS examples, the Article 27 FRIA trigger, the provider/deployer split and a one-page-per-duty memo template procurement signs in the dedicated Article 26 deployer obligations guide. The checklist on this page is the summary view; that one is the working file.

Here is what Article 26 actually requires if you're deploying a high-risk AI system (defined by Annex III — this includes HR hiring tools, credit scoring, legal interpretation, and more):

Implement technical and organisational measures in line with the instructions for use provided by the AI provider
Assign human oversight to a natural person with competence, authority, and resources to fulfill that role
Ensure input data is relevant and sufficiently representative for the intended purpose
Monitor the AI system's operation during intended use and report incidents to the provider
Maintain logs automatically generated by the system for at least 6 months (or longer if sector-specific rules apply)
Inform affected natural persons that they are subject to AI decision-making (where applicable)
Document and retain records of any conformity assessment your provider has made available to you
Register in the EU database if operating a high-risk system in publicly accessible spaces
Report serious incidents to national market surveillance authorities

The Annex IV-Style Template for Deployers

Even though Annex IV is technically a provider document, I recommend preparing a deployer companion document structured like Annex IV — because enterprise procurement teams expect that format. Here's the template structure:

Section 1: System Description

Name and version of the AI system you deploy
Intended purpose and use context
Provider name (e.g., "Anthropic Claude claude-sonnet-4-6 via API")
EU AI Act risk classification (Minimal / Limited / High-Risk / Unacceptable)
Applicable Annex III categories (if high-risk)

Section 2: Human Oversight

Name/role of designated human oversight officer
Oversight procedures (how decisions are reviewed)
Override and escalation procedure
Training provided to oversight personnel

Section 3: Audit Trail

Log retention policy (minimum: 6 months)
What is logged per AI interaction (inputs, outputs, timestamps, model version)
Access controls on logs
Log integrity guarantees (tamper-evident storage)

Section 4: Risk Management

Risk classification rationale
Known limitations communicated by provider
Mitigation measures applied
Incident reporting procedure and escalation path

Section 5: Data Governance

Input data sources and validation
GDPR compliance overlap (if personal data processed)
Data retention and deletion policy

Section 6: Contact & Update Log

Responsible person within deployer organisation
Document version history
Last review date
Next scheduled review

The fastest way to generate this document

Filling this manually takes 3–5 hours if you're doing it for the first time. The bottleneck isn't the words — it's collecting the structured audit log data to back up Section 3.

That's exactly why I built auditai: a Python SDK that wraps your Claude or GPT calls, logs every interaction automatically, classifies your EU AI Act risk, and generates the Article 26 Deployer Report as a PDF. Two lines of code:

from auditai import wrap_client
import anthropic

client = wrap_client(anthropic.Anthropic(), project="my-app")
# Every call is now logged, risk-classified, and audit-ready

Then when you need the document:

auditai report --project my-app --company "Acme GmbH" --email "cto@acme.com"

It outputs a PDF structured exactly like the template above, with real log data from your system — not placeholder text.

Need this done in 48 hours?

If you've lost a deal or have a vendor assessment coming up, I'll do the full EU AI Act risk classification and Article 26 Deployer Report for your system — manually reviewed, PDF delivered, ready to send to your buyer's legal team.

Get the Managed Audit — €199

When are you actually "high-risk"?

Before you fill in any Annex IV template, you need to know whether you're actually high-risk in the first place. If you're not sure, work through the EU AI Act high-risk classification decision tree first — it walks through Article 6, the Annex III categories, the Article 6(3) carve-out, and the common false positives that trip up B2B SaaS teams. If your use case looks like Annex III on paper but a human still owns the substantive decision, the Article 6(3) exemption deep dive shows how the four sub-paragraphs typically take B2B AI products out of the high-risk regime — with a memo template procurement actually accepts.

Most B2B AI startups overestimate their compliance burden. The Annex III high-risk categories are specific:

Annex III Category	Typical B2B AI Use Cases
Employment, workers management	AI hiring tools, CV screening, performance review AI
Access to essential services	AI credit scoring, loan eligibility, insurance pricing
Administration of justice	Legal research AI used in court proceedings
Critical infrastructure	AI in energy grid management, water systems
Education and vocational training	AI assessment tools for student performance
Biometric identification	Real-time facial recognition in public spaces

If your AI product doesn't fall in these categories, you're likely limited or minimal risk — the Article 26 obligations still technically apply if you handle personal data, but the documentation is far lighter. The auditai classify wizard runs you through 9 questions and gives you the definitive answer.

What your enterprise customer actually wants to see

Based on deal room experience in 2026, enterprise procurement teams evaluating AI vendors want three things:

A one-page risk classification summary — "We are Minimal/Limited/High-Risk because..."
Evidence of audit logging — screenshots or a sample log showing inputs, outputs, timestamps
A named human oversight officer — even if it's the CTO. They want a person, not a process

The full 20-page Annex IV document is rarely asked for at the qualification stage. The one-pager and the logs get you through procurement. The full document closes legal review.

Frequently asked questions

Is the Annex IV template required only if I am a high-risk provider?

Yes. Annex IV is the technical documentation required of providers placing high-risk AI systems on the EU market. If your system is not high-risk under Article 6 and Annex III, you do not need to file Annex IV — but enterprise procurement may still request equivalent evidence such as audit logs, data governance summary, and human oversight. Always pair the document with a one-page classification memo.

How long should the Annex IV document be?

For a B2B SaaS using a third-party LLM, a well-structured Annex IV file is typically 15–25 pages. The bottleneck is not the prose but the structured audit log data backing the human oversight, risk management, and audit trail sections. Filling it manually takes 3–5 hours when the log data already exists.

Did the May 2026 Omnibus change Annex IV requirements?

The Omnibus delayed Annex III applicability from August 2026 to December 2027, and Annex I from August 2027 to August 2028 — see the deadlines timeline. The format and contents of Annex IV did not change. Enterprise procurement is asking for the document today regardless of the delay.

Can I use the same Annex IV file for multiple AI systems?

No. Annex IV is per high-risk system. If you operate multiple high-risk systems you need one file per system, each kept up to date. A change in intended purpose, training data, or model triggers a refresh under Article 3(23).

Do enterprise customers actually read the whole Annex IV file?

Rarely at qualification stage. Procurement teams typically want a one-page classification summary, sample audit log lines, and a named human oversight officer. The full Annex IV closes legal review later in the deal cycle. Have both ready.

Bottom line

If you're a B2B AI startup selling to European enterprises, the EU AI Act Omnibus (May 7, 2026) shifted most high-risk legal deadlines to late 2027 — but it didn't shift enterprise procurement checklists. Buyers are asking for compliance documentation right now. The companies that have a clean PDF ready are winning deals. The ones waiting for legal clarity are losing them.

The template above is a start. The auditai SDK automates the hard part. And if you need it done before your next deal closes, the managed audit delivers a buyer-ready PDF in 48 hours for €199.

Questions? Reply to marc@auditaisdk.com.

— Marc Dubois, auditaisdk.com