EU AI Act Technical Documentation Template
Last reviewed: 2026-06-23
Who Should Use This Template
- Teams building or operating AI features for customers.
- Teams using AI in sensitive workflows.
- Teams preparing for legal, compliance, customer, or investor review.
Technical Documentation Structure
| Section | What to include | Evidence examples |
|---|---|---|
| System overview | Name, owner, version, purpose, users, deployment status. | Product spec, architecture note, owner list. |
| Intended purpose | What the system is designed to do and not do. | User story, approved use policy. |
| Role analysis | Provider, deployer, or other role questions. | Role checklist, vendor contract, branding notes. |
| Risk screening | Prohibited, high-risk, transparency, or lower-risk signals. | Risk questionnaire, use-case map. |
| Data inputs | Prompts, files, logs, training or fine-tuning data if any. | Data inventory, retention policy, DPIA notes. |
| Vendor details | Model, vendor, API, version, vendor evidence. | DPA, model card, security docs. |
| Human oversight | Review, override, escalation, approval process. | SOP, audit log, training docs. |
| Transparency | AI disclosure or synthetic-content label. | UI copy, privacy notice, consent text. |
Minimum Evidence Packet
- AI system inventory.
- Intended purpose statement.
- Role checklist.
- Risk screening questionnaire.
- Data inventory.
- Vendor documentation folder.
- Human oversight description.
- User-facing AI disclosure.
- Privacy and retention notes.
- Issue escalation owner.
Example Intended Purpose Statement
The system drafts suggested support replies for customer support agents. It uses the current ticket text, prior help center content, and configured brand rules. The output is a draft only. A human support agent must review and send the final response. The system is not intended to make eligibility, employment, credit, legal, medical, or public-service decisions.
Common Documentation Gaps
| Gap | Why it matters |
|---|---|
| "We use AI" but no named system | You cannot assess a category without a system boundary. |
| No owner | Evidence collection stalls. |
| No version history | Changes cannot be reviewed. |
| No data inventory | Privacy and model-risk questions remain open. |
| No human oversight policy | Review claims are hard to prove. |
| No UI disclosure | Transparency obligations may be missed. |
| No vendor folder | Third-party evidence is scattered. |
FAQ
Is this template only for high-risk AI systems?
No. It is a readiness evidence structure that can help many AI teams organize system facts before review.
Can we use this for a third-party AI tool?
Yes. Include vendor documentation, DPA or terms, model details, data flow, and how your team uses outputs.
Should engineering or legal own this?
Product and engineering usually own system facts; legal, privacy, security, or compliance can review the evidence and open questions.
Use the existing ActCheck assessment flow from the homepage.
Related Pages
- EU AI Act checklist hub
- EU AI Act self-assessment
- Provider vs deployer checklist
- Risk classification checklist
- GDPR chatbot checklist