The AI Act's Hardest Requirement Is About Data, Not Algorithms
The EU Artificial Intelligence Act entered application for high-risk AI systems in August 2026. Most enterprise compliance teams are focused on the risk classification system, the conformity assessments, and the transparency obligations.
Fewer have grappled with what Article 10 actually requires.
Article 10 of the EU AI Act mandates that training, validation, and testing datasets for high-risk AI systems must be subject to 'appropriate data governance and management practices.' This includes relevance, representativeness, freedom from errors, and completeness - but the key requirement that most enterprises are underestimating is the obligation to have documented, auditable practices for data quality assurance.
In practice, this means being able to demonstrate - to a regulator - that your training data was accurate, unmodified, and appropriate at the time it was used. Not just at the time of a compliance audit. At the time the model was trained.
What 'High-Risk AI' Means for Your Data
The EU AI Act classifies AI systems as high-risk if they are used in sectors or applications listed in Annex III. These include:
- Critical infrastructure - energy, water, transport
- Education and vocational training - systems that determine access or outcomes
- Employment and HR - recruitment, performance evaluation, task allocation
- Essential private and public services - credit scoring, insurance risk assessment
- Law enforcement - risk assessment tools, evidence verification
- Migration and border control - risk assessment, document verification
- Administration of justice - legal research, case outcome prediction
- Healthcare - medical device software, clinical decision support
If your organization operates an AI system in any of these categories, Article 10's data governance requirements apply to you. And the documentation requirements are not theoretical - national market surveillance authorities will have the power to request audits.
The Documentation Gap Most Enterprises Will Fail On
The most common compliance failure enterprises will face under Article 10 is not a technical failure - it is a documentation failure.
Regulators will not ask 'is your model accurate?' They will ask 'can you prove that your training data was accurate and unmodified at the time you used it?' This requires:
- A timestamped record of every dataset used in training or fine-tuning
- Evidence that each dataset was verified for quality and completeness before use
- A tamper-evident audit trail showing that the datasets were not modified after that verification
- Documentation of any data transformations applied and when
This is not something that can be reconstructed retroactively. By the time a regulator asks the question, the training run is months or years in the past. Without cryptographic integrity verification applied at the time, there is no way to prove the data's state.
This is where ROOTKey's approach to facilitated compliance audits becomes directly applicable to AI governance: building the evidence while the process happens, not assembling it afterwards.
Building an Article 10 Compliant Data Pipeline
Meeting Article 10's requirements in practice means building data governance into the AI pipeline from the start, not adding it as a compliance layer at the end.
The key technical components:
Data anchoring at ingestion. Every dataset used in training must have a cryptographic fingerprint computed and anchored to an independent, time-stamped record before any training begins. This creates the baseline proof of what data was used.
Transformation logging. Any preprocessing, cleaning, or transformation of training data must be logged in a tamper-evident audit trail. Regulators need to understand what was done to the data, not just what the data was.
Continuous monitoring of live data sources. For AI systems that use continuously updated data (market feeds, medical records, sensor data), integrity verification must be ongoing - not a one-time check.
Provenance chain. The system must be able to trace any specific training example or retrieved document back to its original source, including when it was ingested and whether it has changed.
ROOTKey's enterprise hub provides the infrastructure for all of these requirements. Book a compliance review to assess your current AI data governance posture against Article 10.
- Map all AI systems in your organization against the EU AI Act's Annex III high-risk categories.
- For each high-risk system, audit your training and validation datasets - do you have a timestamped, verifiable record of their state at training time?
- Review your data transformation pipeline for completeness - is every preprocessing step logged in a tamper-evident way?
- For RAG and continuously updated systems, implement continuous data integrity monitoring, not just point-in-time checks.
- Align your AI data governance documentation with your existing NIS2 compliance evidence - there is significant overlap in the underlying requirements.
Recebe insights de ciber-resiliência no teu email
Orientação prática e pronta para auditoria sobre integridade de dados, conformidade e continuidade - à medida que publicamos.





