Source: OJ L, 2024/1689, 12.7.2024

Current language: EN

Article 18 Documentation keeping


Summary What does Article 18 of the AI act regulation say?

This article sets out the record-keeping obligations for providers of high-risk AI systems, requiring them to retain a defined set of compliance documentation and make it available to national competent authorities for a period of 10 years following the system being placed on the market or put into service.

It connects directly to several other articles in the regulation, as the documents to be retained are those produced under the technical documentation, quality management system, and EU declaration of conformity requirements established elsewhere.

The article also addresses two specific edge cases: what happens to documentation availability if a provider ceases to exist before the retention period ends, and how financial institutions that are providers can integrate their record-keeping obligations into existing requirements under Union financial services law.

Important points:

  • Retain all key compliance documentation, including technical documentation, quality management system records, notified body decisions, and the EU declaration of conformity, for 10 years after the high-risk AI system is placed on the market or put into service.
  • Member States are required to determine the conditions under which documentation remains accessible to national competent authorities if a provider or its authorised representative goes bankrupt or ceases activity before the 10-year period ends.
  • Providers that are financial institutions subject to Union financial services law may maintain the required technical documentation as part of their existing record-keeping obligations under that law.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The provider shall, for a period ending 10 years after the high-risk AI system has been placed on the market or put into service, keep at the disposal of the national competent authorities:

      1. the technical documentation referred to in Article 11;

      2. the documentation concerning the quality management system referred to in Article 17;

      3. the documentation concerning the changes approved by notified bodies, where applicable;

      4. the decisions and other documents issued by the notified bodies, where applicable;

      5. the EU declaration of conformity referred to in Article 47.

    1. Each Member State shall determine conditions under which the documentation referred to in paragraph 1 remains at the disposal of the national competent authorities for the period indicated in that paragraph for the cases when a provider or its authorised representative established on its territory goes bankrupt or ceases its activity prior to the end of that period.

    1. Providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law shall maintain the technical documentation as part of the documentation kept under the relevant Union financial services law.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod