Data-Empowered Leadership

The Ultimate Guide to EU AI Act Data-Readiness

Written by Micah Horner, Product Marketing Manager, TimeXtender | June 18, 2026

Most organizations are racing to put AI into production. Few can prove the data behind it would survive a regulator's questions.

That gap is now a legal problem. The EU AI Act is the first comprehensive law for artificial intelligence anywhere in the world, and it does not treat all AI the same. It bans a narrow set of uses, leaves most low-risk applications alone, and concentrates its real demands on high-risk systems: the AI that decides who gets credit, who gets hired, who gets seen by a clinician first, etc.

Build or deploy one of those in the EU, and the Act sets the terms for how it has to be governed.

The timeline has shifted, but not in the way most hoped. The Digital Omnibus on AI, agreed in principle in May 2026, moves the high-risk obligations to December 2027 for use-based systems and August 2028 for AI built into regulated products.

The work lands where most teams are weakest: the data.

  • Datasets must be governed, relevant, representative, and checked for bias (Article 10).
  • Documentation must capture how data was sourced and prepared (Article 11).
  • Systems must log their behavior so it stays traceable over time (Article 12).
  • Deployers must be told, clearly and accurately, what the system was trained and run on (Article 13).

Every one of those is decided by the data feeding the model, long before the model itself comes into scope.

This is the part most organizations cannot answer for. They can describe their AI ambitions in detail, then go quiet when asked where the data came from, what was done to it, and who touched it along the way. A model can look convincing in a demo and still be impossible to put into production, because no one can show the inputs hold up.

That is not a modeling problem. It is a data foundation problem. The organizations that will be ready are the ones already treating their data as governed, documented, and controlled by design. The ones still moving data with hand-written scripts and reconciling definitions in spreadsheets are about to discover that the Act has turned a long-standing data problem into a regulatory one.

What the EU AI Act actually regulates

The Act is not a data privacy law, and it is not a voluntary code of conduct. It is a product-safety regime for artificial intelligence. It sorts AI systems by the risk they pose to people, then sets obligations that scale with that risk. The higher the stakes for the person on the other end of the system, the more the law asks of the organization running it.

There are four tiers.

  1. Unacceptable risk: A small set of uses is banned outright: social scoring, systems that manipulate people by exploiting their vulnerabilities, most real-time biometric identification in public spaces. These have been prohibited since February 2025.
  2. High risk: This is the regulated core, and where almost all of the compliance work lives. A system is high-risk if it is used in a sensitive domain the Act lists, such as hiring, credit, education, essential services, or law enforcement (Annex III), or if it is a safety component of a regulated product like a medical device or industrial machine (Annex I). High-risk systems carry the full weight of the Act: risk management, data governance, documentation, logging, transparency, human oversight, accuracy, and security.
  3. Limited risk: Some systems are not dangerous but are easy to mistake for something human. Chatbots, and AI that generates images, audio, or video, have to disclose what they are. The obligation is transparency, not redesign.
  4. Minimal risk: Everything else, which is most AI in use today, from spam filters to recommendation engines. The Act leaves it alone.

Who it binds, and where

The Act splits responsibility between providers, who build an AI system or place it on the market, and deployers, who put it to use under their own authority. Most organizations are deployers. Some are quietly providers without realizing it, the moment they build or substantially modify a system in-house.Geography does not exempt you. The Act reaches any system placed on the EU market or whose output is used in the EU, wherever the company sits.

How the timeline actually runs

The Act was adopted in 2024 and applies in stages, not all at once. Prohibited uses took effect in February 2025. Obligations for general-purpose AI models followed in August 2025. The high-risk obligations, the heaviest set, were due in August 2026, until the Digital Omnibus on AI moved them to December 2027 for use-based systems and August 2028 for AI built into regulated products. That agreement is provisional and still being finalized, so the dates are the planning baseline, not a reason to wait.

Why it is not "GDPR for AI"

The two are often spoken of in the same breath, and they are not the same thing. GDPR governs personal data: how it is collected, stored, and used, and what rights individuals have over it. The AI Act governs AI systems: how they are built, documented, and operated, sorted by risk. An organization can be fully GDPR-compliant and still face a long list of unmet AI Act obligations, because the Act asks questions GDPR never did, about training data, model documentation, logging, and human oversight. It does not replace GDPR, and it does not replace sector rules like DORA or NIS2. It sits alongside them.

Strip away the legal language and the high-risk obligations resolve into four questions about data: where it came from, what was done to it, whether it holds up, and who touched it. Those are not questions a model can answer. They are answered by the data foundation underneath it.

What this means for US companies

For US companies, the instinct is to read a European law as a European problem. GDPR taught a different lesson, and the AI Act is built on the same principle: it follows the system, not the company.

You are in scope if you place an AI system on the EU market, including through a reseller, distributor, or marketplace; if you put one into service inside the EU, including an internal tool used by EU-based staff; or if the output of your system is used in the EU, even when your servers and your headquarters never leave the United States.

A US company can be pulled in by a single European customer, often without knowing it. There is no requirement to keep an EU office, and no requirement to have set out to sell there.

The categories most exposed are the ones US mid-market companies live in. AI used in hiring, credit and lending, insurance pricing, clinical decision support, or education becomes high-risk the moment a European deployer relies on it. A US software provider whose product makes one of those decisions for an EU customer carries provider obligations, and that EU customer carries deployer obligations that depend on documentation only the provider can supply.

That turns readiness into a commercial issue, not only a legal one. If you cannot give an EU customer what they need to meet their own obligations, they will find a provider who can.

Some of what the Act requires is legal and procedural, and it is not a data platform's job. A non-EU provider of a high-risk system generally has to appoint an EU authorized representative, complete a conformity assessment, and maintain the technical file the Act specifies. That work belongs with qualified counsel and a compliance function, and no platform stands in for either. Be wary of anyone who tells you otherwise.

Strip the procedure away, though, and the substance is identical. The documentation, the lineage, the data quality, and the records the Act asks for are produced by the data foundation, not the legal team. A US company that gets that foundation right is not only ready for the EU. It is ready for what is coming at home.

There is no comprehensive federal AI law yet, but a patchwork is forming in states like Colorado, California, New York City, and more, and it leans on the same risk-based logic the EU set in motion.

Building to the EU standard is the most efficient way to be ready for all of it.

Why the EU AI Act is urgent, not just interesting

The cost of not being ready arrives on two fronts at once: the fine you might pay, and the AI you will never ship.

The fines are not symbolic

Article 99 sets three tiers, and each is calculated as the higher of a fixed amount or a percentage of worldwide annual turnover:

  • Prohibited practices: up to €35 million or 7% of global turnover.
  • High-risk and transparency breaches, including the core provider and deployer obligations: up to €15 million or 3%.
  • Supplying incorrect or misleading information to authorities: up to €7.5 million or 1%.

There is a carve-out for genuine SMEs and startups, who pay the lower of the two figures rather than the higher. For everyone else, the math is unkind to the comfortable assumption that this is an enterprise-only problem.

Three percent of €300 million in turnover is €9 million, which sits below the €15 million ceiling, so the ceiling is what applies.

A mid-market company does not get a mid-market discount, and enforcement is not theoretical: the Act is policed by national authorities and coordinated by the European AI Office, using criteria modeled closely on GDPR, which regulators have spent a decade learning to apply.

The larger cost is the AI that never reaches production

The fine is the visible risk. The quieter, bigger one is opportunity.Gartner expects organizations to abandon 60% of AI projects through 2026 for one reason above all others: the data underneath them is not ready.

The same research found that 63% of organizations either lack the data management practices AI needs or are not sure they have them.

Read those two numbers together with the Act and the picture sharpens. The thing that stalls AI projects, an ungoverned, undocumented, unreliable data layer, is now also the thing that will fail an audit.

What "not ready" actually looks like

For most organizations, unreadiness is not a decision anyone made. It accumulated. It shows up as a familiar set of symptoms:

  • A detailed AI roadmap, and no way to produce lineage for the data feeding it.
  • Documentation assembled by hand, from scratch, every time an auditor asks.
  • Business definitions living in spreadsheets that no one formally owns.
  • Sensitive data copied into outside tools to get the work done, so questions about residency and access have no clean answer.
  • Every new high-risk use case restarting the evidence work from zero.

Readiness is not a document you write the month before the deadline. It is a property of the data foundation: it’s either built in, or missing.

What EU AI Act data-readiness actually looks like

The Act never uses the phrase "AI-ready data," but Articles 10 through 13 describe it in detail. Gartner's working definition lands in the same place: data aligned to its use case, governed at the asset level, supported by automated quality, and kept continuously trustworthy.

Put plainly, AI-Act-ready data is data you can trace, govern, trust, and account for, on demand. Four principles separate a foundation that can carry a high-risk system from one that cannot. They answer the four questions every auditor, and every honest data leader, eventually asks: where did the data come from, what was done to it, does it hold up, and who can touch it:

1. Traceability by design

  • What it is: Every dataset carries its own history. You can follow any value from a model output or report back through each transformation to the source it came from, without reconstructing the path by hand.
  • Why it matters: Articles 10, 11, and 13 all assume you can show where data originated and what happened to it on the way. Lineage rebuilt after the fact, from memory and scattered scripts, is precisely what collapses under audit.
  • What maturity looks like: Lineage is generated automatically as data is built, not maintained as a separate document. Ask what feeds a given model and what changed last week, and the answer is a query, not a two-week investigation.

2. Governance enforced as policy, not effort

  • What it is: Access rules, data classification, and handling policies are defined once and applied consistently across every system, through configuration rather than individual discipline.
  • Why it matters: Article 10 expects training, validation, and test data to be governed appropriately, and the Act assumes those controls are consistent and provable. Policies that depend on people remembering to apply them are neither.
  • What maturity looks like: Sensitive data is classified, access is role-based and inherited, and a single policy change propagates everywhere it applies without anyone rewriting a pipeline. Governance is the resting state, not a quarterly cleanup.

3. Quality as a continuous signal

  • What it is: Validation, profiling, and monitoring run constantly against the data feeding AI, so issues surface before they reach a model or a decision, not after a stakeholder notices the numbers look wrong.
  • Why it matters: Article 10 calls for data that is relevant, representative, and examined for error and bias. None of that can be asserted once and filed away. A model in production needs quality measured in hours, not in quarterly reviews.
  • What maturity looks like: Quality rules live with the data, run automatically, and raise an alert the moment something drifts. Bias and coverage gaps are detectable because distribution is visible, not assumed. A missing-value spike in a clinical model's inputs is caught the day it appears, not the week a report comes out wrong.

4. Evidence that generates itself

  • What it is: Documentation and logs are a byproduct of how the data is built and run, produced automatically and kept current, rather than written from scratch for each review.
  • Why it matters: Articles 11 and 12 require technical documentation and event logs maintained over the life of the system. Hand-written documentation is out of date the day after it is finished, and it does not scale as the number of high-risk use cases grows.
  • What maturity looks like: Documentation reflects the live state of the data environment because it is generated from it. Change history, execution logs, and lineage are exportable on request, so an audit becomes a retrieval rather than a reconstruction.

These four are not separate projects. They are properties of one data foundation, and they hold or fail together. A foundation strong on lineage but weak on quality still fails the review. One that documents everything but cannot prove who had access still fails.

Where most organizations fall short

Almost no one fails the Act on purpose. They fail by inheriting habits that made sense when data fed dashboards, not regulated AI. Six patterns account for most of the exposure:

1. Treating it as a legal exercise, not a data one

  • The pitfall: The Act arrives as a regulation, so it goes to legal and compliance, who write policies. The data layer that has to produce the evidence those policies promise is never touched.
  • Why it happens: Regulations go to the people who read regulations. The translation from "policy" to "what the data environment must actually do" falls in the gap between legal and the data team.
  • Consequences: On paper, the organization is prepared. In practice, no one can produce the lineage, the logs, or the current documentation when an auditor asks. The policy describes controls the data foundation cannot demonstrate.

2. Answering fragmentation with more tools

  • The pitfall: Faced with the Act, teams buy a catalog here, a lineage tool there, a quality tool beside it, and wire them into an already crowded stack.
  • Why it happens: Vendors package point solutions as compliance, and a purchase order feels like progress. Each tool solves a slice.
  • Consequences: Every tool added is another handoff where lineage breaks and another integration to maintain. The fragmentation that created the gap gets wider, not narrower. Evidence now has to be assembled across more systems, not fewer.

3. Governance bolted on, enforced by people

  • The pitfall: Access and handling rules live in each tool's own settings and in the discipline of individual engineers, not in one place applied consistently.
  • Why it happens: Every system has its own controls. Consolidating them into a single policy layer is a project no one funds until they have to.
  • Consequences: Controls drift apart, "who can see this data" takes days to answer, and none of it is provable. The Act assumes consistent, demonstrable governance. Goodwill is neither.

4. Checking quality on a calendar, not as a signal

  • The pitfall: Data quality is validated at reporting milestones and the occasional cleanup, rather than continuously against the data feeding AI.
  • Why it happens: Traditional data management runs on reporting cadences, and continuous monitoring is tooling most lean teams never stood up.
  • Consequences: Errors, drift, and gaps reach models before anyone notices. Bias goes undetected because no one is watching distribution in real time. The Act's bar for relevant, representative data cannot be met by a check that ran last quarter.

5. Writing documentation for the audit instead of generating it

  • The pitfall: Documentation and logs are produced by hand, for each review, and then go stale.
  • Why it happens: Documentation has always been a deliverable you write, not a system that runs. Under delivery pressure, it is the first thing deferred.
  • Consequences: Records describe a data environment that has since changed. They cannot keep pace as high-risk use cases multiply, and each audit becomes a reconstruction from memory.

6. Sending data out to get the work done

  • The pitfall: To move quickly, sensitive data is copied into external and cloud tools for processing.
  • Why it happens: It is the fastest path to a result, and the data team is measured on delivery.
  • Consequences: Residency and access can no longer be answered cleanly. The same shortcut that speeds a project up widens exposure under both GDPR and the AI Act at once.

What these failures have in common

None of them is incompetence. Every one is a reasonable response to short-term pressure, and every one treats the data foundation as something to work around rather than build right from the beginning.

It also produces the checklist worth carrying into any solution conversation. A foundation that can carry high-risk AI is unified rather than stitched, governs by policy rather than effort, treats quality as a continuous signal, generates its own evidence, and keeps data inside the organization's own environment.

A maturity model for EU AI Act data-readiness

"Ready" and "not ready" are not the only two states. Readiness is a gradient, and knowing where you sit on it is the difference between a plan and a panic.

TimeXtender uses a structured diagnostic to locate that position: the AI-Readiness Architecture Review, or AR². It scores eight dimensions of the data foundation, from data landscape and active metadata through governance, data quality, and AI enablement, and rolls them into a single readiness score.

Every organization lands in one of four bands:

Foundational (0–34)

Data is scattered and moved by hand. Governance is informal. Lineage lives in people's heads.

  • Characteristics: Sources integrated through manual exports and spreadsheets. No working catalog. Access is broad and sensitive data is unclassified.
  • Key challenges: There is no way to show where data came from or who can see it. A high-risk system built on this foundation cannot be documented, let alone defended.
  • Next steps: Consolidate sources into one governed environment. Begin classifying sensitive data and capturing lineage as a byproduct of how data is built, not as a separate task.

Emerging (35–54)

Pipelines exist and the platform runs, but metadata, governance, and AI enablement lag behind. This is where most organizations actually sit.

  • Characteristics: Some automated pipelines, still a lot of point-to-point glue. A catalog exists but is incomplete or out of date. Controls are in place but enforced manually.
  • Key challenges: Evidence can be produced, but only by hand and only inconsistently. An audit would be a scramble across systems. Quality is checked occasionally, not continuously.
  • Next steps: Move governance into the metadata layer so it is enforced once and everywhere. Stand up continuous quality on the tables feeding priority use cases. Close the metadata and lineage gaps first; they unlock the rest.

Maturing (55–74)

A centralized foundation with lineage and quality for the assets that matter most. The gaps are now specific, not systemic.

  • Characteristics: Centralized warehouse or lakehouse with most sources connected. Catalog with lineage for critical assets. Policies and access controls for most sensitive data, quality rules on critical tables.
  • Key challenges: Coverage is good but not complete. Continuous quality and governed AI enablement are the remaining distance between "most of the evidence" and "evidence on demand."
  • Next steps: Extend lineage and quality to full coverage. Bring AI enablement under the same governance, so the data exposed to models carries the same controls as everything else.

AI-ready (75–100)

A unified, automated foundation where metadata drives policy, lineage, and quality, and governed AI runs in production.

  • Characteristics: Unified, automated, deployment-agnostic foundation. Active metadata drives policy enforcement and is fully auditable. Automated quality with alerts. Production AI with evaluation, guardrails, and audit.
  • Key challenges: The work shifts from building readiness to sustaining it as the data environment and the regulation evolve.
  • Next steps: Treat readiness as an operating standard, not a milestone. New use cases inherit the foundation instead of rebuilding it.

Where most organizations actually sit

Most organizations that run AR² land in Foundational or Emerging. The encouraging part is what that means: the gap is rarely the model. It is the data layer, and the data layer is fixable on a known timeline, roughly 90 days of focused work from Emerging to AI-ready, and around 120 from Foundational.

Set that against the Act's deferred deadlines and the message is plain. The extra time the Digital Omnibus bought is almost exactly the time the work takes. Spent now, it is enough. Spent later, it is not.

The fastest way to find your band is the AR² Quick Check: eight questions, a readiness score, and the three biggest gaps standing between you and production AI.

Our approach: change the model, not just the tools

Most organizations try to meet the Act the way they have met every data problem before it, by adding another tool to the stack. That instinct is exactly what produced the gaps in the first place. The answer is not a better lineage tool or a better catalog bolted onto the same fragile foundation. It is a different operating model for the data layer, one where governance, lineage, and documentation are not tasks you perform but properties the system already has.

TimeXtender is built on three principles that make that possible:

1. Metadata-Driven

  • What it is: Business logic is separated from storage and captured as metadata. The platform records the structure, transformations, lineage, dependencies, access rules, and definitions of every data asset, and uses that metadata to run the environment.
  • What it enables: Because everything is described in metadata, lineage and documentation are generated automatically, not manually written. A policy defined once is enforced everywhere it applies. And because logic is independent of any single storage technology, the same solution moves across Microsoft Azure, Microsoft Fabric, Microsoft SQL Server, Snowflake, and AWS with no rebuild and no lock-in.
  • Why it matters for the Act: This is most of Articles 10, 11, and 13 answered at the architectural level. Where data came from and what was done to it is a query, not a reconstruction. Technical documentation reflects the live state of the environment because it is produced from it. Governance is consistent and provable because it lives in one place.

2. Automation-First

  • What it is: The platform generates production-ready code from that metadata using deterministic, rule-based automation. The same inputs produce the same output, every time. This is not a large language model guessing at a pipeline.
  • What it enables: Builds are faster, roughly ten times faster, because logic captured as metadata is compiled rather than hand-written. More importantly for the Act, what the platform produces is explainable and repeatable. You can show how a pipeline was generated and reproduce it exactly.
  • Why it matters for the Act: Regulators reward traceability and reproducibility, and they are wary of systems no one can explain. Deterministic code generation means the data preparation feeding a high-risk model is itself documented and auditable, not an opaque step. It also removes the manual effort that turns documentation and quality into the work teams skip under pressure.

3. Zero-Retention

  • What it is: TimeXtender operates on metadata in the control layer. It never stores or holds your data. Processing happens inside your own environment, and your data stays in the source and target systems you control.
  • What it enables: Sensitive data never leaves your infrastructure to be governed. Residency, access, and confidentiality have clean answers, because there is no copy of your data sitting on a vendor's servers.
  • Why it matters for the Act: It removes an entire category of exposure. The shortcut that creates risk, copying data into outside tools, is designed out. Lineage, access, and execution stay fully traceable inside your environment, which is exactly what an auditor needs to see, and it keeps your AI Act work aligned with your GDPR obligations rather than in tension with them.

Why this approach works for AI-Act readiness

Put the three together and the difference is structural, not cosmetic. A stitched together stack of point solutions makes readiness a permanent effort: every audit a reconstruction, every policy a manual enforcement, every new use case a fresh start.

A metadata-driven, automation-first, zero-retention foundation makes readiness the default: lineage and documentation generated, governance enforced once, quality monitored continuously, data never leaving your control.

The first approach asks people to stay disciplined forever. The second builds the discipline into the system, automatically.

How the TimeXtender Data Platform supports the EU AI Act

Our approach is operationalized through the TimeXtender Data Platform (TDP), one unified platform that runs the full data lifecycle on the metadata foundation described above. Inside it sit four solutions: Data Integration, Data Enrichment, Data Quality, and Orchestration.

They can be adopted one at a time or together, and they share the same metadata, which is what lets governance, lineage, and quality hold across all of them instead of stopping at each tool's edge.

  • Data Integration: The core engine for building AI-ready data infrastructure. This module automates the Ingest, Prepare, and Deliver layers of your data foundation. It allows you to rapidly connect to any data source, transform raw data into a "Single Version of Truth," and create business-friendly Data Products without writing manual code.
  • Data Enrichment: The context engine for your business. This module allows you to manage critical "homeless data" (such as sales targets, regional hierarchies, or product categories) that doesn't exist in source systems. By replacing spreadsheets with governed “golden records”, it provides the essential business context AI needs to understand your data.
  • Data Quality: The trust layer for AI and analytics. This module runs automated profiling, rule-based validation, and continuous monitoring to prevent "AI Hallucinations" and reporting errors. It ensures that only clean, validated data feeds your AI and decision-making models.
  • Orchestration: The automation engine for your technology stack. This module coordinates workflows, dependencies, and execution order. It streamlines complex workflows to ensure timely delivery of insights, without manual intervention.

Mapped to the Act: Articles 10 to 13

The platform lines up with the data-related obligations for high-risk systems. It supports them. It does not, on its own, deliver whole-system compliance, and the honest scope matters.

  • Article 10, data governance and quality: Automated lineage makes datasets traceable and testable. Continuous quality controls cover relevance, error, and anomalies. Metadata-driven access control governs who can use what. Together these support the bias-analysis and data-governance work the article requires, by making provenance, coverage, and quality visible and reviewable.
  • Article 11, technical documentation: Documentation is generated from metadata, sources, transformations, dependencies, and configuration, kept current as the environment changes, and versioned so you can show what changed, when, and what it affected.
  • Article 12, record-keeping and logging: Orchestration and pipeline execution produce logs for runs, steps, and failures, with monitoring and alerts. This covers the data pipeline's traceability. It does not replace the logging the AI system itself must perform at the application level.
  • Article 13, transparency to deployers: Generated documentation and lineage explain what input data a system was trained and run on, and AI-ready naming reduces ambiguity in the handoff to downstream teams. It supports the data portion of transparency. It does not replace model documentation, human-oversight design, or system-level transparency.

Why it matters for the Act

The point is that the EU AI Act obligations cluster at the data layer, and a single platform that integrates, enriches, validates, and orchestrates on one metadata foundation produces the evidence for all four articles from the same place.

A stitched together stack of point solutions can reach the same outcomes, eventually, across four or five vendors and the gaps between them. One foundation reaches them by default.

What this looks like in practice

None of this is theoretical. Organizations in exactly the regulated, mid-market position the Act targets have already built the foundation it now asks for, usually because trustworthy data was good business long before it became law.

Baker Tilly: documented data, ready for analysis and AI

  • Industry: Financial and professional services
  • Challenge: A large number of disconnected data sources, with no consistent way to connect, catalog, and document them for analysis and, increasingly, for AI.
  • Solution: A governed data foundation on TimeXtender, where every source is connected, modeled, and documented as part of the build rather than afterward.
  • Outcome: Every data source connected, cataloged, modeled, transferred, and documented for analysis and AI. The documentation Articles 11 and 13 call for is produced as a property of the environment, not assembled for a review.
"It enables every data source to be connected, catalogued, modelled, transferred and documented for analysis and AI." — Manager, Baker Tilly

Vodafone Iceland: data quality that holds up

  • Industry: Telecommunications, finance and revenue assurance
  • Challenge: Billing-data errors and slow, manual end-of-month reconciliation eroded trust in financial reporting.
  • Solution: Standardized and automated data pipelines with TimeXtender, validating quality continuously rather than after the fact.
  • Outcome: A 74% reduction in billing-data errors within twelve months, and end-of-month accounting cut from four days to three hours, a 97% reduction. The relevant, accurate data Article 10 expects, produced as a standing capability. These results are Vodafone Iceland's own.

Municipality of Venray: a secure, audit-ready foundation

  • Industry: Public sector
  • Challenge: Manual, error-prone data processes and inconsistent access across departments, in an environment bound by GDPR and strict transparency rules.
  • Solution: Centralized data management on TimeXtender, with automated role-based access controls on a single governed foundation.
  • Outcome: A secure, automated data foundation that removed manual data entry, enforced consistent access control, and improved audit readiness. The governance and access discipline at the center of Article 10, running by default.
"We now have a well-configured, optimally secure and automated data foundation that eliminates countless hours of manual data entry and processing." — Maurice Staals, BI Specialist, Municipality of Venray

Marel: data quality at a regulated scale

  • Industry: Food and beverage manufacturing, food safety
  • Challenge: Maintaining reliable data quality at scale, in an industry where data accuracy carries a regulatory and safety bar.
  • Solution: TimeXtender Data Quality, automating validation and monitoring across critical data.
  • Outcome: More than 200 critical data quality checks stood up in a short timeframe, catching issues before they reach a decision. The continuous-quality standard Article 10 describes, in production.

Final thoughts

The deadlines moved. They did not disappear. The prohibitions and the general-purpose AI rules already apply, the high-risk obligations land in December 2027 and August 2028, and the part that takes the longest, the data foundation underneath it all, is the part most organizations have not started.

Here is the encouraging part: this is not a modeling problem or a legal-drafting problem. It is a data problem, and data problems are solvable on a known timeline. Most organizations sit in the Foundational or Emerging band today, and the distance to AI-ready is roughly 90 to 120 days of focused work.

Be clear about what readiness is and is not. No platform makes you compliant, and anyone who claims otherwise is selling. Compliance depends on the whole AI system: its design, its documentation, and the human controls around it.

But, the obligations that decide whether a high-risk system can ship at all cluster at the data layer, and that layer is buildable today, unified, governed, documented, and kept inside your own environment.

Get the foundation right and the evidence is there on the day someone asks for it.

Start by knowing where you stand

The first step is not a procurement decision. It is a diagnosis.

  • Find your readiness band. The AR² Quick Check takes eight questions and returns a readiness score, plus the three biggest gaps between you and production AI.
  • Go deeper on the obligations. How TimeXtender supports Articles 10 to 13 lays out the data obligations and where the platform fits, with the scope clearly drawn.
  • Start building. Book a demo to see it on your own data, or bring in a certified partner where you need domain or regional depth.
View full post