Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NL·EN
Guide

The AI Act for developers: provider duties and documentation

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

If you build or fine-tune AI, you are often a provider under the AI Act — the role with the heaviest obligations. This guide translates the legal text into what a developer and product team must concretely arrange: technical documentation, data quality, logging and human oversight by design.

Short answer: If you build, train or fine-tune an AI system, you are probably a provider under the AI Act — the role with the most obligations. For high-risk AI this means risk management, data quality, technical documentation, logging, transparency and human oversight. The good news: nearly all of it is engineering you build in early in the design rather than bolt on afterwards.

When are you a provider?

You are a provider if you develop an AI system and place it on the market under your own name or brand. Note: a substantial modification or fine-tuning of an existing model can also make you a provider. That role determines which obligations rest on you — see also the AI Act for procurement for the difference with the deployer.

The core obligations for high-risk AI

  • Risk management system. A continuous process that identifies, evaluates and mitigates risks across the entire lifecycle.
  • Data and data governance. Training, validation and test data must be relevant, representative and as error-free as possible, with attention to bias.
  • Technical documentation. Record how the system was designed, trained and tested — enough for supervisors to assess conformity.
  • Logging. Automatic recording of events during operation, for traceability.
  • Transparency. Instructions for use that enable the deployer to operate the system correctly.
  • Human oversight and robustness. Designed in, not added later — for robustness and security, work with the CISO.

The full picture is in the high-risk obligations overview.

Documentation is not a side issue

Many teams underestimate the technical documentation. Under the AI Act it is the evidence: without watertight documentation you cannot demonstrate conformity, and a system cannot lawfully reach the market. Treat documentation as part of the definition of done, not as an afterthought.

Build compliance into your process

Weave AI Act requirements into your development process: a risk check in the design phase, data quality controls in the pipeline, logging as a standard component and documentation that grows with the code. Anchor this in the broader governance framework and coordinate with the DPO wherever personal data is involved.

What to do

  • Determine your role (provider or not) early in the project.
  • Set up a risk management process that covers the whole lifecycle.
  • Ensure data governance: provenance, representativeness and bias control.
  • Make technical documentation part of the definition of done.
  • Build logging and human oversight by design.
  • Invest in AI literacy within the team.

For the developer the AI Act is mainly a quality framework. The systems that meet it are also the systems you can later trust, explain and maintain.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): provider obligations, technical documentation, logging and risk management for high-risk AI.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): requirements for lawful processing of personal data during training and deployment.

Share on LinkedIn

Read next

W

Preparing for an AI supervisory audit: which documentation to have ready

In an audit a supervisor first requests your documentation. Those with technical documentation, risk management, logging, a declaration of conformity and governance in order pass the test. This guide summarises what to have ready.

W

The EU declaration of conformity under the AI Act (Article 47)

The EU declaration of conformity is the written statement by which the provider itself confirms that a high-risk AI system meets the AI Act. Article 47 sets out its content, language and retention; the provider bears full responsibility for it.

W

Technical documentation (Annex IV): what high-risk systems must include

Providers of high-risk AI must draw up technical documentation following Annex IV of the AI Act. This file describes the system, design, data, performance and risk management, and forms the basis for conformity assessment. It must stay current throughout the system's lifetime.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method →

A project or programme? Work with YRproject →

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.