MortarIQStart for free

Compliance · June 12, 2026

EU AI Act Article 10: the data governance deadline is August 2, 2026.

By the MortarIQ Founder · 7 minute read · Not legal advice

There are about seven weeks left. On August 2, 2026, the bulk of the EU AI Act's obligations for high-risk AI systems become enforceable, and one of them is aimed squarely at your data team, not your legal team. Article 10, titled “Data and data governance,” requires that the data used to train, validate, and test a high-risk AI system be governed, examined, and documented. Not vaguely. Specifically.

Most compliance conversations I hear treat the AI Act as a paperwork exercise that lawyers will handle in a sprint at the end. Article 10 breaks that plan, because you cannot document data practices that do not exist, and you cannot retrofit provenance, labelling discipline, or bias examination onto a dataset the week before an audit. The evidence has to come from the data estate itself.

EU AI Act timeline: entered into force August 2024, prohibited practices banned February 2025, general-purpose AI obligations August 2025, high-risk obligations including Article 10 data governance apply August 2, 2026

What Article 10 actually requires

Stripped of the legal scaffolding, Article 10 says three things about the data behind a high-risk AI system:

1. The data practices must be documented. Design choices, where the data came from and how it was collected, how it was prepared (labelling, cleaning, enrichment), and whether it is available, sufficient, and suitable for the purpose. If personal data is involved, the original collection purpose matters too.

2. The data must be examined.Specifically for possible biases that could affect health, safety, or fundamental rights, and for gaps or shortcomings, with measures taken to address what you find. “We never looked” is precisely the answer the regulation exists to eliminate.

3. The data must be fit for purpose. Relevant, sufficiently representative, to the best extent possible free of errors, and complete in view of the intended purpose, including, where relevant, for the specific geographic, behavioural, or functional setting the system will be used in.

Who does this apply to? High-risk systems under Annex III: AI used in employment and worker management, credit scoring and essential services, education, critical infrastructure, law enforcement, migration, and justice, among others. The penalties for non-compliance with high-risk obligations reach 15 million euros or 3 percent of worldwide annual turnover, whichever is higher. And the Act reaches beyond Europe: if your system's output is used in the EU, where your company sits does not shield you.

Even if none of your AI lands in Annex III, Article 10 is becoming the de facto bar for “we take AI data governance seriously” in enterprise procurement. The questionnaire your next big customer sends will look a lot like it.

Why this is a data problem, not a paperwork problem

Here is the uncomfortable part. The obligations above sound like documents, but every one of them resolves to a property of your actual data estate. You cannot claim documented data-management practices when 80 percent of your columns have no description. You cannot claim examination for biases and gaps when nobody knows which tables contain personal data, or whether it is masked. You cannot claim the data is complete and current when half the training tables have not been updated in a year and nobody noticed.

When we scan real estates, the same Article 10 fault lines show up over and over: unmasked PII sitting in tables that feed pipelines (in one demo estate, five of six PII columns including emails, names, and IP addresses), documentation coverage below 20 percent, no declared relationships, no classification tags anywhere. Each of those is a finding a regulator or an enterprise buyer can ask about, and each is measurable today.

Mapping EU AI Act Article 10 obligations to measurable evidence: documented data practices map to documentation coverage, bias examination maps to classification and PII inventory, fit-for-purpose data maps to freshness, typing, identifiers, and lineage

What to do in the next seven weeks

Week one: find out where you stand. Inventory which AI systems touch which schemas, then measure those schemas. A readiness scan takes about a minute per schema with read-only credentials and scores the things Article 10 cares about: documentation coverage, classification, PII masking, freshness, identifiers. You will know your worst gaps by Friday.

Weeks two to six: close the gaps that matter.Mask the PII. Document the columns that feed models, starting with the tables your AI actually reads. Add classification tags. Assign owners and track the work, because “we fixed it once in July” is not a governance practice; a running program is.

Ongoing: keep the evidence current. Data drifts. New columns appear, masking policies get dropped in migrations, documentation rots. Re-scan on a schedule and watch the deltas, so the evidence you show in August is still true in November.

And to be precise about the boundary, because precision is the whole point here: a scan produces readiness to produce evidence, never a certification. Parts of Article 10 are about process and judgment, and some properties of data cannot be measured from metadata at all. A tool that claims to make you “EU AI Act compliant” in one click is describing a tool that should worry you. What a scan does is turn the data-shaped parts of the obligation into numbers you can act on and show.

Seven weeks is enough, if you start with the facts.

Score your estate against the EU AI Act Article 10 lens in about a minute.

Get your readiness score

Frequently asked questions

When does the EU AI Act apply to high-risk AI systems?

The EU AI Act entered into force on August 1, 2024 and applies in phases. Prohibited practices were banned from February 2, 2025, general-purpose AI obligations applied from August 2, 2025, and the bulk of the obligations for high-risk AI systems, including the Article 10 data governance requirements, apply from August 2, 2026. High-risk AI embedded in regulated products under Annex I has until August 2, 2027.

What does Article 10 of the EU AI Act require?

Article 10 requires that training, validation, and testing data for high-risk AI systems be subject to documented data governance practices: design choices, data origin and collection, preparation operations like labelling and cleaning, an assessment of availability and suitability, and examination for possible biases and data gaps. The data must be relevant, sufficiently representative, as error-free as possible, and complete in view of the intended purpose.

Does the EU AI Act apply to companies outside the EU?

Yes, it has extraterritorial reach. It applies to providers placing AI systems on the EU market or putting them into service in the EU regardless of where the provider is established, and to providers and deployers outside the EU when the system's output is used in the EU.

What are the penalties for breaching the EU AI Act's high-risk obligations?

Non-compliance with most obligations, including the high-risk requirements such as Article 10, carries administrative fines of up to 15 million euros or 3 percent of worldwide annual turnover, whichever is higher. Prohibited practices carry up to 35 million euros or 7 percent.

This article is general information about Regulation (EU) 2024/1689, not legal advice. Whether a specific system is high-risk, and what compliance requires for it, is a question for qualified counsel.

© MortarIQ
AboutBlogDocsFAQSecurityPrivacyTermsDPA

All product names, logos, and brands are property of their respective owners and are used for identification purposes only.