Annex IV
Annex IV Technical File
The full technical dossier: system description, data provenance, training process, accuracy evidence, and the human-oversight measures actually in place.
Autonomous compliance for AI builders
Your technical file, generated from the code itself.
Normis AI drafts your Article 11 documentation from your repository, your model registry, and the AI tools your employees actually use — then runs agents against the code to prove every paragraph still holds.
- EU AI Act
- GDPR
- DSA
- ISO 42001
- IEC 62304
- SOC 2
Why now
The preparation window is already open.
Conformity assessments take six to twelve months to produce. The calendar does not move.
- August 2, 2026
Obligations for high-risk AI systems under Article 6 and Annex III begin to apply across the Union.
- December 2, 2027
Backstop date for standalone high-risk systems already placed on the market before the primary deadline.
Source: Regulation (EU) 2024/1689, Articles 6, 111, and 113.
What you get
Four artefacts, produced end-to-end.
Art. 72
Post-Market Monitoring
A live monitoring plan with incident logging, root-cause tracking, and the corrective-action workflow the regulation mandates.
Art. 10
Data Governance Records
Training, validation, and test-set governance — provenance, representativeness, and bias examination captured as evidence rather than attestation.
Art. 13
Deployer Instructions
Instructions for use covering intended purpose, known limitations, accuracy bounds, and the human oversight each deployer is expected to maintain.
How we prove it
Documentation is only worth the code behind it.
Normis AI rejects self-attestation. Every paragraph in your technical file is anchored to the article it answers and the evidence in your repository that proves it.
Regulation
Documentation claim
Technical documentation · Art. 11
1.2 Technical documentation maintenance.
Annex IV technical documentation is regenerated from the repository on every release. System description, architecture, training-data provenance, and deployment topology are sourced directly from the codebase and the model registry, so the dossier reflects the production system rather than a snapshot taken at submission.
The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up to date.
Code evidence
docs/annex_iv_render.pylines 12–24
from documentation import AnnexFour, ANNEX_IV_SECTIONS
from registry import current_release, release_hook
@release_hook
def regenerate(release_id: str) -> None:
# Art. 11 — technical documentation kept up to date
snapshot = current_release(release_id)
AnnexFour.from_snapshot(snapshot).render(
sections=ANNEX_IV_SECTIONS,
evidence_sources=("repo", "model_registry", "ci_logs"),
).publish(release_id)
VerifiedRegenerated 9m ago
Who this is for
Built for the companies with real exposure on enforcement day.
For you if
- You run an AI system that falls under Annex III — recruitment, credit scoring, education, critical infrastructure, law enforcement, or medical devices.
- You are layering AI Act duties on top of an existing regime — IEC 62304, MDR, MiFID, or a sector equivalent.
- You have fifty to five hundred employees and cannot justify staffing a compliance team large enough to draft the dossier by hand.
Not for you if
- You already retain an external firm to run the engagement and are satisfied with the output.
- Your AI is experimental, internal-only, and clearly outside the scope of Annex III.
- You want a wall of dashboards rather than an artefact a regulator can read.
Who we are
Two people — one built the playbook, one built the auditor.
Lenka Molins
Co-founder, CEO
Designed Deloitte's audit and assurance framework for the Digital Services Act, now running against Very Large Online Platforms across Europe. Advises the continent's largest platforms on the AI Act, NYC Local Law 144, and Colorado SB 21-169. Chairs the NYC Bar Association's Subcommittee on International Regulation of AI. Seat on the C2PA Government Affairs Board. Qualified New York attorney. MSc, Oxford Internet Institute.
Kyle Bossonney
Co-founder, CTO
Ships an autonomous agentic system at Google that tracks cryptographic key propagation across an 86-terabyte monolithic codebase. Published at ACM SIGMOD/PODS on regex engine internals. First place in Programmable Cryptography at ETHOxford 2025. MSc, Advanced Computer Science, University of Oxford.
What it costs
Benchmarked against the alternative you're already pricing.
Governance dashboards give you a to-do list. Consultants give you a report. We give you a codebase that runs compliance automatically.
Common questions
What teams ask before signing.
Are you a notified body or an auditor?
Neither. Normis AI is the infrastructure that prepares the technical file your notified body or internal control procedure ultimately relies on. Where Annex III requires third-party assessment, we hand off a dossier your chosen notified body can review.
How does this sit alongside our DPO, General Counsel, or compliance team?
Normis AI produces the working draft and the live evidence base. Your team reviews, signs off, and remains the regulatory counterparty. Nothing ships without human approval.
Can one source of truth cover AI Act and GDPR together?
Yes. The DPIA, Records of Processing Activities, and AI Act risk-management records are generated from one dataset and cross-reference each other, so nothing drifts out of sync.
Does any of this work outside the EU?
The EU AI Act is the anchor. The platform already produces artefacts for NYC Local Law 144, Colorado SB 21-169, the UK's principles-based framework, and ISO 42001. Additional regimes are added as they come into force.
Do you copy our source code into your own systems?
No. Our auditing agents run against your repository inside your environment. Only the extracted citations and evidence references leave the perimeter.
Book a walkthrough.
Share a few details about the system you're preparing and the deadline you're working against. We reply within one business day.