The EU AI Act (Regulation (EU) 2024/1689) requires every provider of a high-risk AI system to produce, maintain, and defend a comprehensive technical documentation package before the system may be placed on the EU market. This guide translates every material requirement into concrete engineering practices, governance processes, and organisational structures.
The Practitioners Implementation Guide is the technical reference for meeting the EU AI Act's documentation obligations for high-risk AI systems. It covers eighteen interconnected domains across twenty-one sections, addressing the complete lifecycle from risk classification through conformity assessment to post-market monitoring and decommissioning. Each domain follows a three-layer structure: regulatory requirement, engineering approach, and compensating controls. The guide is anchored on the AI System Documentation Package (AISDP), the central artefact that national competent authorities will scrutinise. First-year compliance costs range from EUR 350,000 to EUR 2.9 million depending on organisational size and system count. The preparation timeline for a medium-complexity system spans twenty to twenty-eight weeks. Two complete worked examples, TalentLens Pro and MediAssist AI, demonstrate the full AISDP preparation cycle.
The EU AI Act (Regulation (EU) 2024/1689) requires every provider of a high-risk AI system to produce, maintain, and defend a comprehensive technical documentation package before the system may be placed on the EU market. The full high-risk framework becomes enforceable on 2 August 2026. The penalties for non-compliance reach EUR 15 million or 3 per cent of global annual turnover.
This guide is the technical reference for meeting that obligation. It translates every material requirement of the Act into concrete engineering practices, governance processes, and organisational structures, anchored on a single central artefact: the AI System Documentation Package (AISDP).
Eighteen interconnected domains across twenty-one sections address the complete lifecycle of a high-risk AI system. The guide covers risk assessment and the Fundamental Rights Impact Assessment; including the GPAI provider boundary; and GDPR alignment; ; across six artefact types; with governance gates; with cross-regulatory mapping to NIS2, the Cyber Resilience Act, and DORA; under Annex VI; and the legal consequences of signing the Declaration of Conformity; and EU database registration; through to system end-of-life and decommissioning; with a six-level pyramid; ; and five advanced compliance domains covering , , , , and .
Each domain section follows a three-layer structure: the regulatory requirement sets out what the Act mandates, the recommended engineering approach provides the technical implementation, and compensating controls offer procedural alternatives for organisations at different maturity levels. Readers should treat the engineering approach as the target state and the compensating controls as interim measures for organisations building capability.
Compliance investment ranges from hundreds of thousands to low single-digit millions of euros depending on organisational size and system count. First-year costs span approximately EUR 350,000 for a small organisation with a single high-risk system to EUR 2,900,000 for a large organisation with twenty-five systems. Annual ongoing costs range from EUR 155,000 to EUR 1,800,000. These figures are a fraction of the enforcement exposure they are designed to avoid: a single Article 99(3) fine at 3 per cent of turnover for a mid-sized organisation would exceed a decade of compliance programme costs.
Organisations that begin systematic AISDP preparation now, using the seven-phase delivery process as a starting framework, will reach the August 2026 deadline with a compliance posture that can withstand regulatory scrutiny. The preparation timeline for a medium-complexity system spans approximately twenty to twenty-eight weeks. Organisations that delay will find this timeline leaves insufficient margin for the remediation cycles that first-time assessments invariably require.
Each domain section covers the regulatory requirement (what the Act mandates), the engineering approach (recommended technical implementation), and compensating controls (procedural alternatives for organisations at different maturity levels).
TalentLens Pro (a classical ML recruitment screening system) and MediAssist AI (an LLM-based RAG clinical decision support system) trace the full AISDP preparation cycle from classification through conformity assessment.
A single Article 99(3) fine at 3% of turnover for a mid-sized organisation would exceed a decade of compliance programme costs. Maximum fines reach EUR 15 million or 3% of global annual turnover.
Providers must produce, maintain, and defend a comprehensive technical documentation package (AISDP) before placing the system on the EU market, with the full framework enforceable from August 2026.
Eighteen domains across twenty-one sections covering risk assessment, model selection, data governance, architecture, version control, CI/CD, cybersecurity, conformity assessment, certification, regulator interaction, post-market monitoring, oversight, delivery, and five advanced compliance areas.
First-year costs range from EUR 350,000 for a single high-risk system to EUR 2.9 million for twenty-five systems, with annual ongoing costs of EUR 155,000 to EUR 1.8 million.
Approximately twenty to twenty-eight weeks for a medium-complexity system using the seven-phase delivery process.
Two complete worked examples trace the full AISDP preparation cycle from classification through conformity assessment: TalentLens Pro, a classical ML recruitment screening system, and MediAssist AI, an LLM-based RAG clinical decision support system. The worked examples apply every domain in the guide to a realistic system, demonstrating how abstract guidance translates into concrete documentation decisions. The Deployer and Operator Handbook provides a standalone reference for organisations that use, rather than build, high-risk AI systems.
CTO of Standard Intelligence. Leads platform engineering and contributes to the PIG series technical content.