EU AI Act Article 10: data governance for high-risk AI

EU AI Act Article 10: data governance for high-risk AI

For AI startups building high-risk systems under the EU AI Act, Article 10 goes directly to the heart of the development process: your training data. It does not merely require that data is legal to use; it requires that you can demonstrate your data governance practices are rigorous, documented, and fit for the task. For a CTO overseeing model development, this article has direct implications for how your data pipelines, labelling workflows, and dataset curation processes are designed and recorded from the outset.

What the EU AI Act requires

Article 10(2) requires that training, validation, and testing datasets for high-risk AI systems are subject to data governance and management practices covering the design choices behind data collection, data preparation operations (annotation, labelling, cleaning, enrichment, and aggregation), and the formulation of relevant assumptions. Article 10(3) requires that datasets be relevant, sufficiently representative, and free of errors and complete to the extent possible for the intended purpose. Article 10(5) explicitly permits the processing of special categories of personal data, such as health data or data revealing racial or ethnic origin, for the purpose of detecting and correcting biases, subject to appropriate safeguards. Article 10(6) allows Member States to designate specific national frameworks for processing sensitive data in the bias correction context. The overall obligation is to ensure that bias-related risks identified under Article 9 are actually addressed at the data level.

What this means for your business

If you are training a model on historical recruitment data, you need to document the demographic composition of that dataset and show you have assessed and mitigated representational biases. If you are building a medical AI system, your training data curation process needs to be documented in sufficient detail that a notified body reviewing your technical documentation under Article 11 can follow the logic from raw data to deployed model. Data quality is no longer an internal engineering concern; it is a compliance artefact. For startups using third-party datasets or foundation models fine-tuned on licensed data, you also need to document the provenance of that data and confirm it meets the Article 10 relevance and representativeness standards for your specific use case.

Steps to get compliant

1. Inventory every dataset used in training, validation, and testing for each high-risk AI system, documenting source, collection method, and any preprocessing steps applied.
2. Assess each dataset against the Article 10(3) criteria of relevance, representativeness, and freedom from errors, and document the findings and any remediation actions taken.
3. If your system operates in a domain where protected characteristics are relevant to bias assessment (employment, credit, healthcare), design a bias detection protocol and document the process and outcomes.
4. Integrate dataset documentation into your Article 11 technical documentation package so that data governance records are maintained alongside model cards, architecture descriptions, and test results.

Free EU AI Act risk assessment

Not sure where your AI system stands? The free ActComply risk screener classifies your system in under 5 minutes. No sign-up required.

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener