Article 18 of the EU AI Act requires providers to keep key compliance documents, including the technical documentation, quality management system documentation, notified body decisions and the EU declaration of conformity, at the disposal of national competent authorities for ten years after the high-risk AI system is placed on the market or put into service.
EU AI Act Article 18: The Ten-Year Documentation Keeping Obligation
What Article 18 Covers
Article 18 of Regulation (EU) 2024/1689 is the retention rule for the paper trail created by the rest of the high-risk regime. It requires the provider to keep a defined set of documents at the disposal of the national competent authorities for a period of ten years after the high-risk AI system has been placed on the market or put into service.
The logic is enforcement over time. AI systems often remain in service for years, and harms or disputes can surface long after launch. Market surveillance authorities investigating a system in year seven need to reconstruct what the provider knew, tested and decided at the time of placement, and Article 18 ensures that record survives.
The Five Categories of Documents
Article 18(1) lists what must be kept:
- The technical documentation referred to in Article 11, which is the Annex IV file demonstrating compliance with Articles 9 to 15.
- The documentation concerning the quality management system referred to in Article 17, meaning the policies, procedures and instructions of the QMS.
- The documentation concerning the changes approved by notified bodies, where applicable, which matters for systems that went through third-party conformity assessment under Annex VII.
- The decisions and other documents issued by the notified bodies, where applicable, including certificates and assessment reports.
- The EU declaration of conformity referred to in Article 47.
Note what this implies: the obligation is not satisfied by keeping the latest version only. Documents concerning changes and notified body decisions accumulate, and the retained set must allow an authority to follow the system's compliance history.
Continuity, Insolvency and Financial Institutions
Article 18(2) addresses business discontinuity. Each Member State shall determine the conditions under which the documentation remains at the disposal of the national competent authorities for the ten-year period in cases where a provider, or its authorised representative established in its territory, goes bankrupt or ceases activity before the end of that period. Providers should therefore expect national rules requiring arrangements for document survival beyond the life of the company, and should check the law of the relevant Member State.
Article 18(3) gives financial institutions a familiar route: providers that are financial institutions subject to requirements regarding internal governance, arrangements or processes under Union financial services law shall maintain the technical documentation as part of the documentation kept under the relevant financial services law. This parallels the QMS relief in Article 17(3).
Related Retention Duties Elsewhere in the Act
Article 18 sits within a family of retention rules that are easy to confuse:
- Article 19 requires providers to keep the logs automatically generated by their high-risk AI systems, to the extent the logs are under their control, for a period appropriate to the intended purpose and at least six months.
- Article 22(2) requires the authorised representative of a non-EU provider to keep the provider's contact details, a copy of the EU declaration of conformity, the technical documentation and, where applicable, certificates available for authorities for ten years.
- Article 23(5) requires importers to keep a copy of the certificate issued by the notified body, where applicable, of the instructions for use and of the EU declaration of conformity for ten years.
- Article 26(6) requires deployers to keep logs under their control for at least six months.
A provider designing its retention architecture should plan all of these together rather than treating Article 18 in isolation.
How to Implement Article 18 in Practice
- Create a retention register listing each high-risk AI system, its market placement date, the five Article 18 document categories and the computed retention end date.
- Define the trigger correctly. The clock runs from placing on the market or putting into service of the system; where versions constitute substantial modifications assessed anew, retain documentation for each assessed configuration.
- Store documents in durable, access-controlled, backed-up repositories with integrity protection, so that a file produced in year two is still readable and demonstrably unaltered in year nine.
- Version-control rather than overwrite. Keep the documentation history, including superseded technical documentation versions and all notified body correspondence.
- Prepare an authority-response procedure: who receives a request from a national competent authority, how documents are assembled, and in what timeframe, noting that Article 21 requires providers to supply information and documentation to demonstrate conformity on reasoned request.
- Plan for discontinuity in line with the Member State rules adopted under Article 18(2), for example through escrow-style arrangements or transfer commitments in acquisition scenarios.
A Concrete Example
A provider places a high-risk recruitment screening system on the market in September 2026 and retires the product in 2029. Article 18 still requires the technical documentation, QMS documentation and EU declaration of conformity to remain at the disposal of authorities until September 2036. If the provider is acquired in 2030, the retention obligation needs to be addressed in the transaction, and if the provider were instead wound up, the national rules adopted under Article 18(2) would govern how the documents remain available.
How Article 18 Connects to Other Provisions
Article 18 preserves the outputs of Articles 11, 17, 43, 44 and 47. It underpins market surveillance under Article 74 and following, because authorities exercise their documentation access rights against the retained set. Article 16(d) lists keeping this documentation among the core provider obligations, and failure is sanctionable under Article 99 as non-compliance with provider obligations, with fines up to 15 million euros or 3 percent of total worldwide annual turnover, whichever is higher. For non-EU providers, Article 22 effectively mirrors the retention duty inside the Union through the authorised representative.
Actions to Take Before August 2, 2026
Retention is cheap to set up and painful to repair. Before the high-risk obligations apply on August 2, 2026, providers should stand up the document repository, define the retention register, fold Article 19 log retention into the same design, and contractually allocate retention responsibilities with authorised representatives and, in acquisition or wind-down scenarios, with successors. This article provides general information about Regulation (EU) 2024/1689 and is not advice on any specific retention setup.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.