Article 18 of Regulation (EU) 2024/1689 — Documentation keeping. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 18 of Regulation (EU) 2024/1689 establishes mandatory documentation retention obligations for providers of high-risk AI systems classified under Annex III or developed under the provisions of Title III, Chapter 2. The article requires providers to keep, for a period of ten years following the date on which the high-risk AI system is placed on the market or put into service, a specific set of documents and records that substantiate compliance with the Regulation.
The documentation that must be retained includes: the technical documentation prepared pursuant to Article 11 and Annex IV; the quality management system documentation required by Article 17; the EU declaration of conformity issued under Article 47; where applicable, the documentation and certificates issued by notified bodies following conformity assessments under Article 43; and post-market monitoring plans and resulting data collected under Article 72.
Where a provider is established outside the European Union, the obligation to maintain accessible documentation falls jointly on the provider and on the EU-based authorised representative designated under Article 22. The article further clarifies that where sector-specific Union law — such as the Medical Device Regulation (EU) 2017/745 or the Machinery Regulation (EU) 2023/1230 — prescribes a longer retention period for equivalent technical records, the more stringent sectoral requirement applies, ensuring coherence across regulatory frameworks.
What This Means in Practice
For compliance teams and product owners, Article 18 translates into a concrete records management programme that must be designed before a high-risk AI system reaches the market, not retrofitted afterwards.
Who is affected. Any legal entity that qualifies as a "provider" under Article 3(3) — typically the organisation that develops or has a high-risk AI system developed and places it on the market under its own name or trademark — carries the primary obligation. Third-party distributors and importers are not directly subject to Article 18 but may trigger equivalent obligations if they substantially modify a system under Article 25.
What to retain. The obligation covers the full documentary lifecycle: design-phase technical documentation (architecture, training datasets, risk assessment), the quality management system records including internal audit trails, the signed declaration of conformity, any notified body certificates, and the evolving post-market monitoring record. Version control is implicitly required because updates that constitute a substantial modification reset conformity obligations and therefore the documentation cycle.
Practical examples. A fintech company deploying a credit-scoring model classified as high-risk must archive the model card, bias testing reports, conformity declaration, and all post-deployment incident logs for ten years. A medical device manufacturer integrating an AI-powered diagnostic tool that already falls under MDR must check whether MDR's 15-year retention rule applies, in which case that longer period governs.
Operational recommendation. Providers should implement a document management system (DMS) with role-based access, automated retention schedules tied to market-placement dates, and an audit trail of who accessed or modified records — all of which also support readiness for market surveillance inspections under Article 74.
Key Obligations
- Retain the technical documentation compiled under Article 11 and Annex IV for a minimum of 10 years from the date of market placement or entry into service of the high-risk AI system.
- Keep the quality management system documentation required by Article 17, including records of internal controls, testing outcomes, and corrective actions, for the same 10-year period.
- Preserve the EU declaration of conformity issued under Article 47 and, where a conformity assessment was conducted by a notified body under Article 43, all certificates and related correspondence issued by that body.
- Maintain post-market monitoring records collected pursuant to the plan required by Article 72, including incident reports and any serious incident notifications submitted under Article 73.
- Ensure documentation is stored in a manner that allows prompt production to national market surveillance authorities upon request throughout the entire retention period.
- Where an authorised representative is designated under Article 22, that representative must hold a copy of the documentation and be empowered to provide it to competent authorities on the provider's behalf.
Relationship to Other Articles
Article 18 functions as the archival backbone of the high-risk AI compliance framework and cannot be understood in isolation.
It is downstream of Article 11 (technical documentation) and Annex IV, which define what must be created; Article 18 then governs how long it must be kept. It depends on Article 17 (quality management system) because the QMS records it mandates must be preserved. It references Article 47 (EU declaration of conformity) and Article 43 (conformity assessment), whose outputs form part of the retained file.
Post-market obligations under Article 72 (post-market monitoring plan) and Article 73 (serious incident reporting) feed continuously into the document archive throughout the system's operational life. Article 74 (market surveillance) and Article 75 (access to data and documentation) are the enforcement counterparts: inspectors exercising powers under those articles will require access to precisely the records that Article 18 mandates be kept.
For providers outside the EU, Article 22 on authorised representatives must be read alongside Article 18 to determine which entity holds the physical or electronic records within the Union.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, beginning the phased application schedule.
Article 18 falls within Title III, Chapter 3, which governs obligations for providers and deployers of high-risk AI systems listed in Annex III. These provisions apply from 2 August 2026 — the general high-risk AI application date, 24 months after entry into force.
For high-risk AI systems covered by the sectoral legislation listed in Annex I (e.g., machinery, medical devices, civil aviation), the deadline is extended to 2 August 2027, 36 months after entry into force, in recognition of the need to align with existing sectoral conformity frameworks.
Providers should note that the 10-year retention clock starts running from the moment a system is placed on the market or put into service — which may occur on or shortly after the applicable application date. Documentation obligations therefore effectively begin on the same date that the high-risk obligations as a whole become enforceable. Organisations that anticipate placing systems on the market at or near the August 2026 date should have their records management infrastructure operational well in advance, as technical documentation under Article 11 must exist before the conformity assessment is completed.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Providers must retain the technical documentation drawn up under Article 11, the EU declaration of conformity, the quality management system documentation required by Article 17, any decisions and documents issued by notified bodies, and post-market monitoring reports. These records must be kept for a period of 10 years after the high-risk AI system has been placed on the market or put into service.
Article 18 places documentation keeping obligations primarily on providers. However, deployers have separate obligations under Article 26, including retaining logs automatically generated by high-risk AI systems to the extent such logs are under their control. The two obligations are complementary and should be read together.
The general retention period is 10 years from the date the high-risk AI system is placed on the market or put into service. Where sector-specific Union law imposes a longer retention period, the stricter sectoral requirement prevails.
Documentation must be kept so that it can be made available to national competent authorities upon request throughout the retention period. There is no explicit requirement that records be held in a specific country, but providers must be able to produce them promptly to the market surveillance authority of any Member State where the system is deployed.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.