EU AI Act Art.18 Documentation Keeping: 10-Year Retention Architecture, Record Types, MSA Access Obligations, and Art.18 × Art.11 × Art.17 × Art.72 Integration (2026)
Article 18 of the EU AI Act establishes one of the most consequential and consistently underestimated compliance obligations for high-risk AI providers: a mandatory documentation retention regime that runs for ten years from the date the last unit of a high-risk AI system is placed on the market or put into service.
This is not a record-keeping recommendation. Art.18 is an enforceable legal obligation backed by the penalty regime in Art.99 — violations related to documentation availability to supervisory authorities can attract fines up to €15 million or 3% of global annual turnover. The documentation retention obligation is also structural: it interacts with Art.11 (technical documentation), Art.17 (QMS records), Art.47 (EU Declaration of Conformity), Art.72 (post-market monitoring), and Art.20 (corrective actions) to create a continuous, version-tracked compliance record that must survive the operational life of the AI system by a full decade.
Two implementation failures are common. The first is treating Art.18 as a storage problem — a question of where to put files — rather than as a lifecycle governance obligation that begins before the AI system exists and extends years after it is retired. The second is failing to recognise that the 10-year clock starts from the last placement on market, not the first: for providers who continuously update and re-release AI systems, the retention window extends accordingly.
The Legal Architecture of Art.18
Art.18(1) states that providers of high-risk AI systems shall keep the technical documentation referred to in Art.11 at the disposal of the relevant national competent authorities for a period of 10 years after the high-risk AI system has been placed on the market or put into service.
Three elements of Art.18(1) require precise reading.
"At the disposal of" means actively retrievable and producible on request — not archived in a format that requires reconstruction, not stored with a third party without a retrieval SLA, and not encrypted without key management procedures that survive staff turnover. The documentation must be producible within the response timeframe an MSA requests.
"National competent authorities" refers to the Market Surveillance Authorities (MSAs) designated under Art.70 and Art.74 in each EU Member State. Multiple MSAs may have jurisdiction over a single AI system — the authority in the Member State where the provider is established, the authority in the Member State where the AI system is deployed, and sectoral supervisory bodies for regulated domains (financial supervision, healthcare oversight).
"After the high-risk AI system has been placed on the market or put into service" triggers the question of what constitutes market placement. For AI systems that undergo substantial modifications (Art.3(23)), each substantially modified version that requires a new conformity assessment constitutes a new placement on the market — and resets or extends the retention clock for that version's documentation.
Art.18(2) addresses authorised representatives: where a provider is established outside the EU and has appointed an authorised representative under Art.22, the representative's mandate must include ensuring the technical documentation is available to national competent authorities for the Art.18(1) period.
The Four-Category Retention Schema
Art.18(1) refers specifically to the technical documentation under Art.11, but a complete Art.18 compliance programme requires retaining four categories of documentation — because MSAs have access rights under Art.74 to documentation beyond Art.11 technical documentation.
Category 1 — Technical Documentation (Art.11 + Annex IV)
The mandatory content of technical documentation is specified in Annex IV. Retention must cover:
- General description of the AI system and its intended purpose
- Description of the development process including training data governance records
- Detailed description of the system's elements, including design specifications and architecture
- Monitoring, functioning, and control provisions
- Risk management system documentation (Art.9)
- Changes made during the system's lifecycle and their assessment
- Standards applied and, where harmonised standards are not applied, the solutions adopted to meet the requirements
Critically, Annex IV documentation must be kept per version. If the AI system undergoes updates that do not reach the "substantial modification" threshold (Art.3(23)) but change the system's behaviour or performance, those changes must be recorded in the technical documentation and retained. This creates a documentation versioning obligation that runs throughout the operational life of the system.
Category 2 — Quality Management System Records (Art.17)
The QMS required under Art.17 generates ongoing records — design review decisions, test results, validation reports, risk management updates, post-market monitoring analysis. These QMS records are distinct from the static Annex IV technical documentation: they are operational artefacts that evidence the QMS was not merely established but actually run.
MSAs investigating conformity violations routinely request QMS records, not just the formal technical documentation. Under Art.74(3), MSAs have the right to access any documentation or records held by an operator, and QMS operational records fall within that right. Providers who maintain Art.11 documentation but cannot produce evidence of Art.17 QMS operation face significant investigation exposure.
Category 3 — EU Declaration of Conformity (Art.47)
The EU Declaration of Conformity (EU DoC) issued under Art.47 is the legal assertion by the provider that the high-risk AI system meets all applicable requirements. The EU DoC must be kept for the same 10-year period as technical documentation — it is the formal compliance statement that anchors the entire documentation package.
Art.47(3) requires the EU DoC to be translated into any EU official languages required by the Member State where the AI system is placed on the market. Retention obligations extend to all language versions.
Category 4 — Post-Market Monitoring and Incident Records (Art.72 + Art.20)
Art.72 requires providers to implement a post-market monitoring system that continuously collects and analyses data from deployed AI systems. The outputs of that system — performance data, incident reports, corrective action decisions — must be retained as part of the documentation available to MSAs.
Art.20 creates specific documentation obligations for corrective actions: when a provider determines their high-risk AI system presents a risk, they must document the investigation, the corrective measures taken, and the notification to market surveillance authorities and deployers. These corrective action records are critical MSA evidence and must survive for the full 10-year period.
The 10-Year Clock: Mechanics and Edge Cases
The 10-year retention period creates four operationally significant edge cases that compliance teams must resolve during documentation architecture design.
Edge Case 1 — Continuous Update Cycles
For AI systems that are continuously updated (via model fine-tuning, prompt engineering changes, or software updates), each update that constitutes a substantial modification resets the clock for that version. Providers must maintain parallel retention windows for each substantially modified version — and must not delete earlier-version documentation when a new version is released.
In practice, this means the effective retention period for an AI system in active development may extend well beyond 10 years from initial release, as each new substantial version starts a new 10-year window.
Edge Case 2 — Systems Withdrawn from Market
Art.18(1) starts the 10-year clock from the date the system was placed on the market — not from the date it was withdrawn. A high-risk AI system placed on the market in 2025 and withdrawn in 2027 still requires documentation retention until 2035. Providers who wind down AI products must maintain documentation retention programmes even after product discontinuation.
Edge Case 3 — Multi-Version Systems in Market Simultaneously
Where a provider maintains multiple versions of an AI system concurrently (e.g., version 2.x for regulated sectors, version 3.x for general use), each version's documentation must be retained independently. The 10-year window for each version runs from the last placement of that specific version.
Edge Case 4 — End of Company Operations
If a provider ceases operations during the 10-year retention period, the documentation obligation does not automatically expire. Business transfer documentation, asset sale agreements, and wind-down procedures must address how AI compliance documentation will be maintained or transferred to ensure continued MSA access.
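The clock mechanics in Edge Cases 1 to 3 can be computed directly from a placement history. The sketch below is an added example, not code from the original page; `VersionLedger`, its methods and the sample dates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


def add_years(d: date, years: int) -> date:
    """Calendar-accurate year arithmetic; 29 February rolls forward to 1 March."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass
class VersionLedger:
    """Placement history per separately assessed version (hypothetical helper)."""
    retention_years: int = 10
    placements: dict[str, list[date]] = field(default_factory=dict)
    withdrawals: dict[str, date] = field(default_factory=dict)

    def record_placement(self, version: str, placed_on: date) -> None:
        self.placements.setdefault(version, []).append(placed_on)

    def record_withdrawal(self, version: str, withdrawn_on: date) -> None:
        # Stored for the register only: withdrawal never shortens the window.
        self.withdrawals[version] = withdrawn_on

    def expiry(self, version: str) -> date:
        # Each version has its own window, counted from its LAST placement.
        return add_years(max(self.placements[version]), self.retention_years)

    def deletable(self, today: date) -> list[str]:
        """Versions whose documentation has passed its own retention window."""
        return sorted(v for v in self.placements if today > self.expiry(v))

    def report(self, today: date) -> list[dict]:
        rows = []
        for version in sorted(self.placements):
            expiry = self.expiry(version)
            withdrawn = self.withdrawals.get(version)
            rows.append({
                "version": version,
                "last_placement": max(self.placements[version]).isoformat(),
                "withdrawn": withdrawn.isoformat() if withdrawn else None,
                "retain_until": expiry.isoformat(),
                "status": "expired" if today > expiry else "retain",
            })
        return rows


def build_sample_ledger() -> VersionLedger:
    """Constructed sample history, not data from the page."""
    ledger = VersionLedger()
    ledger.record_placement("1.0", date(2025, 3, 1))
    ledger.record_withdrawal("1.0", date(2027, 6, 30))   # Edge Case 2
    ledger.record_placement("2.0", date(2025, 11, 10))
    ledger.record_placement("2.0", date(2026, 9, 15))    # last unit of 2.0
    ledger.record_placement("3.0", date(2028, 2, 29))    # concurrent version
    return ledger


if __name__ == "__main__":
    for row in build_sample_ledger().report(date(2036, 1, 1)):
        print(row)
```

Deleting by version rather than by system is what keeps earlier-version documentation alive while later versions are still inside their own windows.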
MSA Access Rights and Response Obligations
Art.74(3) grants MSAs the right to access any documentation or records held by providers, deployers, importers, distributors, and authorised representatives relating to high-risk AI systems. Art.18's 10-year retention obligation is the operational foundation for that access right.
MSA access requests may arise in three contexts:
Proactive Inspection: MSAs may conduct systematic market surveillance activities under Art.74(1), requesting documentation from providers as part of sector-wide or product-specific compliance audits. These requests are not triggered by a specific incident — they are part of the ongoing surveillance architecture.
Incident Investigation: When a serious incident is reported under Art.73, MSAs have the right to inspect the provider's documentation to determine whether the AI system was conformant at the time of deployment and whether the incident reflects a systematic failure. Documentation produced under Art.18 is the primary evidentiary basis for this investigation.
Enforcement Proceedings: Where an MSA determines that a high-risk AI system presents a risk, Art.79 empowers the MSA to require corrective measures, restrict market access, and impose administrative fines. The adequacy of the provider's documentation — its completeness, currency, and retrievability — directly affects enforcement outcomes.
Providers must establish response procedures for MSA access requests that specify:
- Who is authorised to respond to MSA requests (designated compliance officer)
- Maximum response timeframes (no specific time limit in Art.18, but practical expectation is 5-10 business days for standard requests, 24-48 hours for urgent safety investigations)
- Documentation package assembly procedures (which records are included, in what format, in which language)
- Legal review process for requests that may involve commercially sensitive information
Art.18 × Art.11 × Art.17 × Art.72 Integration Matrix
```
              Art.18 Documentation Keeping (10 Years)
                                 │
        ┌────────────────┬───────┴────────┬────────────────┐
        ▼                ▼                ▼                ▼
      Art.11           Art.17           Art.47           Art.72
    Technical           QMS             EU DoC        Post-Market
  Documentation       Records         Retention       Monitoring
   (Annex IV)      (Operational)   (All Versions)     (+ Art.20)
        │                │                │                │
        └────────────────┴───────┬────────┴────────────────┘
                                 │
                     Art.74 MSA Access Rights
               (Proactive + Incident + Enforcement)
```
The integration has four critical links:
Art.18 → Art.11: Art.11 defines what technical documentation must contain (Annex IV). Art.18 defines how long it must be kept. Art.11 compliance without Art.18 retention creates documentation that satisfies conformity assessment but may not be available for post-deployment enforcement. The 10-year retention obligation makes Art.11 a lifecycle management obligation, not just a pre-market requirement.
Art.18 → Art.17: Art.17 requires a QMS that generates ongoing operational records. Art.18's 10-year retention window means QMS operational records — test results, risk management updates, post-market analysis — must be preserved across the full retention period. This creates a QMS records management requirement that goes beyond the QMS design specification.
Art.18 → Art.47: The EU DoC issued under Art.47 is the formal compliance assertion. Art.18 retention ensures that the provenance of the conformity assessment can be reconstructed at any point during the 10-year window. Version-specific EU DoCs must be retained alongside the corresponding technical documentation.
Art.18 → Art.72: Post-market monitoring data collected under Art.72 and corrective action records under Art.20 must be retained for 10 years. This is often overlooked: Art.72 creates an ongoing documentation generation obligation; Art.18 creates the retention obligation for that output. Together, they require a continuous documentation pipeline that extends from before market placement to 10 years after market exit.
GDPR Art.5(1)(e) Conflict: The Storage Limitation Problem
The 10-year retention mandate in Art.18 creates a direct legal tension with GDPR Art.5(1)(e), the storage limitation principle, which requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
High-risk AI systems frequently process personal data — and the technical documentation, training data records, and operational logs required under Art.18 may contain personal data subject to GDPR.
The resolution mechanism is GDPR Art.6(1)(c): processing is lawful where it is necessary for compliance with a legal obligation. Art.18's documentation retention mandate constitutes such a legal obligation. However, the GDPR's data minimisation principle (Art.5(1)(c)) still applies: documentation retention must be limited to what is necessary for AI Act compliance, not used as a justification for retaining personal data beyond what the specific compliance obligation requires.
In practice, this requires:
- Pseudonymisation or anonymisation of training data records to the extent compatible with the technical documentation purpose
- Separation of personal data in operational logs from non-personal performance metrics where possible
- Clear data retention schedules that align AI Act retention periods with GDPR lawfulness bases
- Documentation of the legal basis for each category of retained data in the GDPR Records of Processing Activities (Art.30)
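The first two measures can be applied when operational logs are written into the retention store. The following is an added example, not code from the original page: it assumes a log schema with the field names shown, uses a keyed HMAC as the pseudonymisation function, and all sample records and the key are constructed.

```python
import hashlib
import hmac

# Assumed field names for a constructed operational log; adapt to the real schema.
METRIC_FIELDS = ("ts", "model_version", "latency_ms", "confidence", "outcome")
IDENTITY_FIELDS = ("user_id", "email")


def subject_ref(user_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable per subject, re-linkable only by the key holder."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:20]


def split_record(record: dict, key: bytes) -> tuple[dict, dict]:
    """Split one log record into (retained metrics row, identity link row).

    Fields on neither allow-list (free text, raw inputs) are dropped.
    """
    ref = subject_ref(record["user_id"], key)
    metrics = {k: record[k] for k in METRIC_FIELDS if k in record}
    metrics["subject_ref"] = ref
    link = {"subject_ref": ref}
    link.update({k: record[k] for k in IDENTITY_FIELDS if k in record})
    return metrics, link


def split_log(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Build the long-retention metrics store and the separate link table."""
    metrics_store, link_store = [], {}
    for rec in records:
        metrics, link = split_record(rec, key)
        metrics_store.append(metrics)
        link_store[link["subject_ref"]] = link
    return metrics_store, link_store


def leaked_values(metrics_store: list[dict], records: list[dict]) -> set:
    """Identity values from the raw log that still appear in retained rows."""
    secrets = {str(r[f]) for r in records for f in IDENTITY_FIELDS if f in r}
    found = set()
    for row in metrics_store:
        for value in row.values():
            found |= {s for s in secrets if s in str(value)}
    return found


# Constructed sample input. In practice the key is held apart from the archive.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_LOG = [
    {"ts": "2026-01-05T10:00:00Z", "model_version": "2.0", "latency_ms": 41,
     "confidence": 0.93, "outcome": "approve",
     "user_id": "u-1001", "email": "a.person@example.org"},
    {"ts": "2026-01-05T10:00:07Z", "model_version": "2.0", "latency_ms": 58,
     "confidence": 0.61, "outcome": "refer",
     "user_id": "u-2002", "email": "b.person@example.org",
     "notes": "caller b.person@example.org asked for manual review"},
    {"ts": "2026-01-06T08:30:00Z", "model_version": "2.0", "latency_ms": 39,
     "confidence": 0.97, "outcome": "approve",
     "user_id": "u-1001", "email": "a.person@example.org"},
]

if __name__ == "__main__":
    retained, links = split_log(SAMPLE_LOG, SAMPLE_KEY)
    print(retained, len(links), leaked_values(retained, SAMPLE_LOG))
```

Because the link table is a separate store, it can follow its own GDPR retention schedule while the metrics rows stay in the Art.18 archive; the output remains pseudonymised, not anonymised, for as long as the key or link table exists.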
Python DocumentRetentionManager Implementation
```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional
import hashlib


class DocumentCategory(Enum):
    TECHNICAL_DOCUMENTATION = "technical_documentation"  # Art.11 + Annex IV
    QMS_RECORDS = "qms_records"  # Art.17 operational
    EU_DOC = "eu_declaration_of_conformity"  # Art.47
    POST_MARKET_RECORDS = "post_market_records"  # Art.72 + Art.20


class AccessStatus(Enum):
    AVAILABLE = "available"
    ARCHIVED = "archived"
    PENDING_RETRIEVAL = "pending_retrieval"


@dataclass
class DocumentRecord:
    doc_id: str
    category: DocumentCategory
    system_id: str
    system_version: str
    placement_date: date
    doc_hash: str
    storage_location: str
    access_status: AccessStatus = AccessStatus.AVAILABLE
    language_versions: list[str] = field(default_factory=lambda: ["en"])
    personal_data: bool = False
    gdpr_basis: Optional[str] = None  # GDPR Art.6(1)(c) for AI Act compliance

    @property
    def retention_expiry(self) -> date:
        # Calendar-accurate 10 years. A fixed 365 * 10 days would end the
        # window early by the number of leap days it contains.
        target_year = self.placement_date.year + 10
        try:
            return self.placement_date.replace(year=target_year)
        except ValueError:
            # Placement on 29 February: roll forward to 1 March.
            return self.placement_date.replace(year=target_year, month=3, day=1)

    @property
    def days_remaining(self) -> int:
        return (self.retention_expiry - date.today()).days

    def is_within_retention_period(self) -> bool:
        return date.today() <= self.retention_expiry


class DocumentRetentionManager:
    def __init__(self, system_id: str):
        self.system_id = system_id
        self.records: dict[str, DocumentRecord] = {}
        self.msa_response_log: list[dict] = []

    def register_document(
        self,
        doc_id: str,
        category: DocumentCategory,
        system_version: str,
        placement_date: date,
        content_hash: str,
        storage_location: str,
        personal_data: bool = False,
    ) -> DocumentRecord:
        record = DocumentRecord(
            doc_id=doc_id,
            category=category,
            system_id=self.system_id,
            system_version=system_version,
            placement_date=placement_date,
            doc_hash=content_hash,
            storage_location=storage_location,
            personal_data=personal_data,
            gdpr_basis="GDPR Art.6(1)(c) - AI Act Art.18 legal obligation" if personal_data else None,
        )
        self.records[doc_id] = record
        return record

    def check_retention_compliance(self) -> dict:
        issues = []
        for doc_id, record in self.records.items():
            if not record.is_within_retention_period():
                issues.append({
                    "doc_id": doc_id,
                    "issue": "retention_period_expired",
                    "expired_on": record.retention_expiry.isoformat(),
                })
            elif record.days_remaining < 90:
                issues.append({
                    "doc_id": doc_id,
                    "issue": "approaching_expiry",
                    "days_remaining": record.days_remaining,
                    "action": "verify_latest_placement_date_or_extend",
                })
            # Availability is checked independently of the expiry state.
            if record.access_status != AccessStatus.AVAILABLE:
                issues.append({
                    "doc_id": doc_id,
                    "issue": "not_immediately_available",
                    "status": record.access_status.value,
                    "risk": "Art.18 requires documentation at disposal of MSA",
                })
        return {
            "system_id": self.system_id,
            "total_records": len(self.records),
            "compliant": len(issues) == 0,
            "issues": issues,
        }

    def handle_msa_request(
        self,
        requesting_authority: str,
        requested_categories: list[DocumentCategory],
        urgency: str = "standard",
    ) -> dict:
        # Only documents still inside their retention window are in scope.
        requested_docs = [
            r for r in self.records.values()
            if r.category in requested_categories and r.is_within_retention_period()
        ]
        unavailable = [
            r for r in requested_docs
            if r.access_status != AccessStatus.AVAILABLE
        ]
        response = {
            "request_id": hashlib.sha256(
                f"{requesting_authority}{date.today()}".encode()
            ).hexdigest()[:12],
            "requesting_authority": requesting_authority,
            "requested_categories": [c.value for c in requested_categories],
            "documents_available": len(requested_docs) - len(unavailable),
            "documents_unavailable": len(unavailable),
            "package": [
                {
                    "doc_id": r.doc_id,
                    "category": r.category.value,
                    "version": r.system_version,
                    "hash": r.doc_hash,
                    "location": r.storage_location,
                }
                for r in requested_docs
                if r.access_status == AccessStatus.AVAILABLE
            ],
            "escalation_required": len(unavailable) > 0 or urgency == "urgent",
        }
        # Keep an audit trail of every MSA request and what was returned.
        self.msa_response_log.append({
            "date": date.today().isoformat(),
            "authority": requesting_authority,
            "response": response,
        })
        return response

    def get_retention_summary(self) -> dict:
        by_category = {}
        for cat in DocumentCategory:
            cat_records = [r for r in self.records.values() if r.category == cat]
            by_category[cat.value] = {
                "count": len(cat_records),
                "available": sum(1 for r in cat_records if r.access_status == AccessStatus.AVAILABLE),
                "oldest_expiry": min((r.retention_expiry for r in cat_records), default=None),
                "with_personal_data": sum(1 for r in cat_records if r.personal_data),
            }
        return {
            "system_id": self.system_id,
            "total_documents": len(self.records),
            "by_category": by_category,
            "msa_requests_handled": len(self.msa_response_log),
        }
```
Cross-Regulation Retention Landscape
High-risk AI providers operating in regulated sectors face overlapping retention obligations from multiple legal regimes. The Art.18 10-year mandate must be mapped against sector-specific requirements:
| Regulation | Retention Period | Applicable Records | Conflict with Art.18 |
|---|---|---|---|
| GDPR Art.5(1)(e) | As long as necessary | Personal data in training/logs | Storage limitation vs 10-year mandate (resolved by Art.6(1)(c)) |
| DORA Art.25 | 5 years minimum | ICT incident records | Shorter than AI Act — AI Act prevails for high-risk AI incident records |
| NIS2 Art.21(2)(g) | Not specified | Incident reports | AI Act 10-year rule more specific — apply to AI systems |
| MDR (medical devices) | 10 years minimum | Technical documentation | Aligned — but document scope differs from Annex IV |
| IVDR (in vitro diagnostics) | 15 years minimum | Technical documentation | Longer than AI Act — IVDR prevails for IVD AI systems |
| Product Liability Directive | 10 years | Evidence of product safety | Aligned with AI Act |
| GDPR Art.30 | Duration of processing | Records of Processing Activities | Ongoing — not a fixed retention period |
The practical implication: AI providers operating in heavily regulated sectors (healthcare, finance) must apply the longest applicable retention period across all relevant regimes. For AI-enabled in vitro diagnostics, that means 15 years (IVDR), not 10.
The Art.18 Documentation Architecture
A compliant Art.18 documentation architecture has five structural components:
Component 1 — Document Register: A central register of all Art.18-covered documents, including document ID, category, AI system version, placement date, retention expiry, storage location, and access status. The register must be queryable by MSA request category and must flag approaching expiry dates.
Component 2 — Version Control: Technical documentation must be maintained per AI system version. Version control systems used for code development should be extended (or supplemented) to include compliance documentation artefacts — Annex IV documentation, EU DoCs, risk management updates.
Component 3 — Storage Architecture: Documentation must be stored in a format and location that supports rapid retrieval. Cloud storage with access logging is acceptable; cold archive storage that requires reconstruction is not. Encryption is acceptable if key management is documented and keys are recoverable.
Component 4 — MSA Response Procedures: Defined procedures specifying who responds to MSA requests, in what timeframe, in what format, and with what legal review process. The Art.18 obligation is passive (keep documentation available) but the Art.74(3) access right creates active response obligations.
Component 5 — Retention Lifecycle Management: Processes for managing the 10-year retention clock, including: recording placement-on-market dates for each version, tracking substantial modifications that reset the clock, managing retention windows for systems with multiple concurrent versions, and handling documentation obligations for discontinued products.
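Components 1 and 3 only hold if the register and the store agree, which can be tested with a periodic retrieval drill. This is an added example, not code from the original page: it assumes register entries carry the `doc_id`, `doc_hash` and `storage_location` fields used earlier, that `doc_hash` is a SHA-256 hex digest, and that locations are paths relative to a store root; the files and entries are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large documentation bundles do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def retrieval_drill(register: list[dict], store_root: Path) -> dict:
    """Return {doc_id: status} for every register entry.

    ok             file is retrievable and matches the registered hash
    hash_mismatch  file exists but was altered after registration
    missing        register points at a file that cannot be produced
    outside_store  location resolves outside the store root
    """
    root = store_root.resolve()
    findings = {}
    for entry in register:
        path = (root / entry["storage_location"]).resolve()
        if not path.is_relative_to(root):
            status = "outside_store"
        elif not path.is_file():
            status = "missing"
        elif sha256_file(path) != entry["doc_hash"]:
            status = "hash_mismatch"
        else:
            status = "ok"
        findings[entry["doc_id"]] = status
    return findings


def run_constructed_drill() -> dict:
    """Build a throwaway store with constructed files and run the drill."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "v2").mkdir()
        annex = root / "v2" / "annex_iv.txt"
        eu_doc = root / "v2" / "eu_doc_de.txt"
        annex.write_bytes(b"constructed Annex IV file")
        eu_doc.write_bytes(b"constructed EU DoC, German version")
        register = [
            {"doc_id": "TD-2.0", "doc_hash": sha256_file(annex),
             "storage_location": "v2/annex_iv.txt"},
            {"doc_id": "DOC-2.0-de", "doc_hash": sha256_file(eu_doc),
             "storage_location": "v2/eu_doc_de.txt"},
            {"doc_id": "QMS-2.0-17", "doc_hash": "0" * 64,
             "storage_location": "v2/qms_review.txt"},      # never written
            {"doc_id": "PMM-2.0-03", "doc_hash": "0" * 64,
             "storage_location": "../pmm_report.txt"},      # escapes the root
        ]
        eu_doc.write_bytes(b"edited after registration")    # silent change
        return retrieval_drill(register, root)


if __name__ == "__main__":
    for doc_id, status in run_constructed_drill().items():
        print(f"{doc_id}: {status}")
```

Any status other than `ok` means the register would misreport availability in response to an MSA request.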
Art.18 Implementation Checklist (20 Items)
Documentation Inventory
- Complete register of all Art.11 technical documentation with version history
- Complete register of all Art.17 QMS operational records generated
- All EU Declarations of Conformity (Art.47) registered with version linkage
- Post-market monitoring records (Art.72) in retention register
- Corrective action records (Art.20) in retention register
Retention Architecture
- Placement-on-market dates recorded for each AI system version
- 10-year retention expiry dates calculated and calendar-flagged
- Retention windows maintained per version for continuously updated systems
- Storage architecture supports immediate retrieval (not cold archive)
- Backup and redundancy to prevent documentation loss during retention period
Access and Response
- Designated compliance officer for MSA access request handling
- MSA response procedure documented with timeframe commitments
- Documentation package assembly procedures tested
- Language versions of EU DoC available for relevant Member States
- Authorised representative mandate includes Art.18 retention obligations (for non-EU providers)
Cross-Regulation Compliance
- GDPR Art.6(1)(c) basis documented for all retained personal data
- Sector-specific retention periods identified (IVDR 15yr, MDR 10yr, etc.)
- Longer-period obligations identified and applied where Art.18 is superseded
- GDPR data minimisation applied to documentation (pseudonymisation where possible)
- GDPR Art.30 Records of Processing updated to reflect AI Act documentation retention
Key Takeaways
Art.18 is the documentation obligation that makes all other EU AI Act compliance obligations durable. Art.11 creates the documentation; Art.17 generates ongoing records; Art.72 produces monitoring output; Art.20 creates corrective action evidence. Art.18 is the legal commitment that all of that material will remain available to supervisory authorities for the full post-market life of the system plus a decade.
The 10-year clock is the operationally critical element. It runs from the last market placement of each version, not the first. For providers who continuously update AI systems, the retention obligation is effectively perpetual for as long as updates constitute new market placements. Compliance architectures that treat documentation as a pre-deployment exercise will fail Art.18 at the first MSA access request.
The GDPR storage limitation tension is real but resolvable — Art.6(1)(c) provides the lawfulness basis, but data minimisation still constrains what personal data can be retained. Providers who conflate "Art.18 requires retention" with "Art.18 permits unlimited personal data retention" will face dual exposure under both the AI Act and GDPR.