The EU AI Act's high-risk AI obligations are coming. The fines are real: up to €35 million or 7% of global turnover. But the organisations most at risk are not the ones without AI policies. They are the ones that have AI in production and have not yet confronted Article 10.
Article 10 is not about the model. It is about the data underneath it.
Article 10 of the EU AI Act applies to high-risk AI systems, a category that includes credit scoring, fraud detection, HR screening, clinical decision support, and AI used in critical infrastructure, all explicitly listed in Annex III.
For every system in that category, Article 10 requires that training, validation, and testing datasets are subject to documented data governance practices. "Documented" is the operative word. "We reviewed the data" is not sufficient. You need an auditable trail: where the data came from, how it was prepared, what quality checks ran, what biases were examined, and what was done about them.
Most organisations have pipelines. Article 10 requires governance. Those are not the same thing.
The gap Article 10 exposes is not new. It already exists in most organisations' AI stacks, quietly undermining model reliability long before it becomes a regulatory problem:
If your metric definitions live in tribal knowledge, your AI outputs cannot be audited.
If your transformation logic is scattered across notebooks, BI tool filters, and ad-hoc SQL scripts, you cannot produce the lineage Article 10 requires.
If quality checks are one-time cleanups rather than continuous pipeline monitoring, you cannot prove the dataset was complete and free of errors at the time the model trained.
This is what we have called the context gap: the place where AI projects fail not because the model is wrong, but because the meaning of the data underneath it was never consistent or traceable. Article 10 turns an analytics problem into a legal one. The underlying issue is the same. The stakes are higher.
This is not a checklist to hand to a vendor. It is a standard to hold your own data infrastructure to. Five requirements separate a dataset that satisfies Article 10 from one that does not:
Financial services: Credit scoring and fraud detection AI systems are explicitly named in Annex III. If your organisation uses AI for credit decisions, anti-money laundering, or customer risk scoring, Article 10 applies to you. The data governance standard required is higher than most existing MLOps practices, and it needs to be auditable rather than operational.
Healthcare: AI systems used in clinical decision support, patient triage, or medical imaging fall within scope. The data governance requirements overlap with existing clinical data obligations, but being GDPR-compliant does not satisfy Article 10's documentation standard. They are parallel obligations, not interchangeable ones.
Manufacturing: AI used in safety-critical applications, including predictive maintenance on critical infrastructure and quality control systems that affect product safety, falls under Annex III. The supply chain and operational data these models train on needs to meet the same governance standard as any other high-risk AI dataset.
The high-risk deadline is not tomorrow, but the foundation it requires takes months to build, not days. Organisations that wait for a confirmed date risk building under pressure. Organisations that treat it as a data infrastructure project, which is what it is, can be ready on any timeline.
This post is for informational purposes and does not constitute legal advice. Organisations should seek qualified legal counsel for jurisdiction-specific compliance guidance.