Timeline update (May 2026) On May 7, 2026, the Council and the European Parliament reached a political agreement on the Digital Omnibus, delaying the application of Annex III high-risk obligations from August 2, 2026 to December 2, 2027, and those for high-risk systems embedded in regulated products (Annex I) to August 2, 2028. The agreement still needs formal adoption, but it's the planning baseline used by the AI Office and the major law firms tracking the process. The substance of Article 10 — what it requires about data quality — hasn't changed; what moved is the enforcement timeline.

What Article 10 regulates

Article 10 of the AI Act, titled "Data and data governance," requires providers of high-risk AI systems to apply governance and quality management practices to their training, validation and test datasets. This isn't a best-practice recommendation — it's a legal obligation with documentary evidence required during conformity assessment.

The four quality criteria it requires

Article 10 requires that datasets be, to the extent the system's purpose allows, relevant, sufficiently representative, free of errors to the best extent possible, and complete. These four criteria connect directly to the data quality dimensions you should already be measuring in any data quality management program — except here they stop being an internal best practice and become an auditable requirement.

AI Act criterionWhat it requires in practice
RelevanceThe data used must correspond to the system's actual purpose, not to whatever was easiest to obtain
RepresentativenessThe dataset must reflect the real geographic, behavioral and functional context of deployment, not a sample skewed toward one segment
Free of errorsMeasurable accuracy thresholds, not a generic claim that "the data is clean"
CompletenessSufficient coverage of the cases and variables needed for the system to work as declared

An important nuance built into Article 10 itself: these criteria are defined in relation to the system's intended purpose and the generally acknowledged state of the art. There's no single standard for "representativeness" — what's sufficient for one system changes depending on its context of use. A credit-scoring model trained mostly on non-EU data, for example, can fail precisely at representing the socioeconomic patterns of the European market where it's deployed.

Governance of the data preparation process

Beyond the characteristics of the final dataset, Article 10 requires documenting the preparation process itself: relevant design choices, data collection processes and origin, processing operations such as annotation, labeling, cleaning, updating, enrichment and aggregation, and the assumptions made along the way. In other words, it's not enough to deliver a dataset that meets the four criteria — you need to be able to reconstruct the path that led to it.

What auditors actually want isn't the final dataset — it's the trail: where each source came from, what changed during preparation, how bias was checked, what was fixed, what was accepted uncorrected, and why. "We reviewed the data" isn't sufficient evidence without that traceability.

Bias detection and mitigation

Article 10 requires examining data for possible biases that could affect people's health or safety, negatively impact fundamental rights, or lead to discrimination — especially when a system's outputs feed into future inputs. Where strictly necessary, and with appropriate safeguards, the regulation allows processing special categories of personal data for the sole purpose of detecting and correcting those biases.

This is exactly where the Digital Omnibus introduces a substantive change: the proposal broadens this legal basis, replacing the current Article 10(5), to also let providers and deployers of non-high-risk systems use special categories of data to detect and correct bias, and it softens the "strictly necessary" threshold to simply "necessary." If your organization has been blocked from fairness testing by restrictions on sensitive data, this is the legal path opening up — it's worth building the governed, minimized testing pipeline now rather than waiting for formal adoption.

What companies need to document

  • Dataset inventory and provenance: source of each dataset, capture date, owner, and legal basis when personal data is involved.
  • Preparation record: which transformations, cleaning and enrichment steps were applied, and who approved them.
  • Representativeness evidence: concrete metrics, not claims, about coverage of segments relevant to the system's purpose.
  • Bias analysis: methodology used to detect bias, results, and mitigation measures applied.
  • Quality thresholds and their justification: why those thresholds are appropriate for the system's purpose and context, not just that they exist.

How this connects to your data quality management program

If you already have a data quality management framework running, with profiling, defined rules and monitored KPIs, most of the Article 10 compliance work is already done. What's usually missing is the traceability layer specific to high-risk systems: linking each training dataset to its bias analysis, its representativeness justification, and its lineage documentation, so an auditor can follow the full thread without depending on someone remembering it.

SGMV Guide — Data Governance from Scratch A Minimum Viable Governance System in 5 steps, with a 25-item audit checklist and direct references to Art. 10. Ideal if you don't have anything structured yet. €69 VAT incl.
Buy →
AI Act Checklist — What Your Company Needs 32 controls across 4 blocks, including the Art. 10 data quality controls, so you know exactly what to have ready. €19 VAT incl.
Buy →

Common mistakes when justifying it

  • Claiming representativeness without metrics to back it up: a statement of intent doesn't survive an audit in 2026.
  • Treating bias analysis as a one-off exercise instead of a repeatable process every time the dataset changes.
  • Assuming the timeline moving to December 2027 means there's no rush: system classification, inventory and provenance documentation don't depend on technical standards being finalized, and starting early avoids rushed work in the final quarter.

The timeline moved, but the substance of Article 10 didn't: training data quality stopped being a purely technical matter and became a legal requirement with evidence you can be asked to produce. The sooner you connect your data quality work to that documentation layer, the less last-minute work you'll have as the final deadline approaches.