AI data documentation: Compliance with Article 10 of the EU AI Law
To ensure the safe development of AI systems, the European Union has introduced the EU AI Law, a comprehensive legal framework governing artificial intelligence. One of the requirements is Article 10, which sets out obligations regarding data and data management used for training, validating, and testing high-risk AI systems.
Organizations developing AI solutions that are subject to regulation must demonstrate that their datasets are relevant, representative, free of undue bias, and managed through data governance processes. Companies must maintain detailed technical documentation, prepare for a compliance assessment, and determine whether their application falls under Annex III, which defines many categories of high-risk AI systems.
This article explains the documentation requirements of Article 10, how they apply to AI development workflows, and what organizations should include in their compliance strategy.
Quick Take
- Article 10 sets out the requirements for data management in risky AI systems.
- Annex III identifies AI applications subject to regulatory obligations.
- Good technical documentation is essential for transparency, traceability, and compliance.
- Conformity assessment determines whether AI systems comply with the requirements of the EU Artificial Intelligence Law before deployment.
- Integrating documentation into the AI lifecycle simplifies compliance and strengthens long-term governance.

What is Article 10 of the EU AI Law?
Article 10 regulates the quality, governance, and management of datasets used to train, validate, and test high-risk AI systems. The aim is to ensure that AI models are developed using data that is relevant, complete, and free from errors or bias.
The EU AI Law requires organizations to document how datasets are created, maintained, and controlled throughout the development lifecycle.
Article 10 applies to the entire data pipeline, including:
- Data collection.
- Dataset preparation.
- Annotation.
- Verification.
- Testing.
- Data maintenance.
- Ongoing monitoring.
Organizations must demonstrate that these processes comply with documented procedures and appropriate management controls.
Which AI systems are covered by Annex III?
Not every application of AI is subject to the same regulatory requirements. Annex III of the EU AI Law defines the categories of AI systems that are considered risky due to their impact on security or fundamental rights.
Use of AI for:
- Critical infrastructure.
- Medical equipment.
- Employment and recruitment.
- Education.
- Law enforcement.
- Migration management.
- Credit assessment.
- Essential public services.
Many industrial applications of AI, such as autonomous driving, robotics, and advanced manufacturing, are also subject to high-risk obligations depending on their intended use.
Organizations developing solutions in Annex III categories must implement stricter documentation procedures and comply with requirements to a greater extent than providers of lower-risk AI systems.
Understanding data governance
One of the concepts introduced by Article 10 is data governance. The regulation requires organizations to establish structured processes that govern the collection, management, updating, validation, and monitoring of data throughout the AI lifecycle.
Data governance includes policies that define:
- Data sources.
- Collection procedures.
- Annotation guidelines.
- Quality assurance workflows.
- Version control.
- Access management.
- Data retention.
- Reducing bias.
- Risk management.
Governance practices help organizations maintain consistent dataset quality, transparency, and regulatory compliance.
Dataset quality requirements
Article 10 focuses on the quality of datasets. Training, validation, and testing data must be relevant to the intended application, representative of real-world conditions, complete, and accurate. Organizations should assess whether their datasets reflect the environment in which the AI system will operate, including geographical diversity, environmental conditions, user groups, and edge cases. The regulation also encourages developers to identify potential sources of bias and document the measures taken to mitigate their impact throughout the data lifecycle.
Documentation of data collection and annotation
Compliance with Article 10 includes documenting how data was acquired and processed. Organizations should maintain records describing data sources, collection methods, sensor configurations, collection environments, sampling strategies, and any privacy protections applied during acquisition. Annotation activities should be documented, including guidelines for labeling, quality assurance procedures, reviewer qualifications, validation methods, consensus processes, and bug-fixing workflows.
Maintaining comprehensive documentation improves dataset traceability and provides clear evidence that structured quality controls were applied during development.
Technical documentation for risky AI systems
Comprehensive technical documentation is a core requirement for risky AI systems. These documents describe how the AI system was developed, trained, validated, tested, and monitored throughout its lifecycle. The technical documentation produced includes a description of the system's intended purpose, dataset characteristics, risk assessments, validation procedures, performance evaluations, bias analysis, monitoring plans, and version history.
In addition to demonstrating compliance with regulatory requirements, technical documentation supports external audits, facilitates incident investigation, and simplifies future system maintenance as models continue to evolve.
Compliance assessment
Vendors must undergo an assessment of their compliance with the requirements of the EU AI Law. It assesses whether appropriate processes for data governance, risk management, documentation, human oversight, reliability, accuracy, cybersecurity, and post-market monitoring have been implemented. Depending on the type of AI system and the applicable compliance pathway, the assessment may be conducted internally or with the involvement of an independent notified body. Organizations that integrate compliance activities into their development workflows from the outset are better prepared for the assessment process and can reduce delays before deployment.
Managing bias and representativeness
Article 10 recognizes that it is rarely possible to eliminate bias from AI datasets. Instead, organizations are expected to identify potential sources of bias, assess their potential impact, document their findings, and implement reasonable mitigation strategies. This includes analyzing demographic and geographic representation, identifying missing scenarios, reviewing edge cases, and continuously improving dataset diversity. Proper documentation demonstrates a proactive approach to responsible AI development and supports regulatory transparency.
Traceability throughout the data lifecycle
Organizations should demonstrate where datasets come from, how they were annotated, what validation procedures were performed, and how datasets have changed over time. Maintaining version history, annotation records, quality metrics, audit logs, and modification history enables developers to reproduce training experiments, investigate performance issues, and support post-market monitoring. Traceability simplifies future updates as AI systems continue to evolve.
Human oversight in data management
While automation plays an increasingly important role in modern AI development, human expertise remains essential.
Reviewers oversee:
- Dataset validation.
- Annotation quality.
- Bias assessment.
- Error investigation.
- Documentation review.
Human oversight improves technical quality and regulatory certainty.
Practices for compliance with Article 10
- Establish sound data governance. Define standardized policies covering data collection, annotation, validation, storage, and maintenance.
- Maintain comprehensive technical documentation. Continuously create documentation throughout development rather than reconstructing records before audits.
- Prepare for compliance assessments early. Integrate compliance activities into development workflows to reduce delays before deployment.
- Continuously monitor datasets. Regular reviews of datasets help identify quality issues, bias, and changing operational requirements.
- Build traceability into every step. Maintain version control, audit trails, and complete documentation throughout the AI lifecycle.
FAQ
What is Article 10 of the EU AI Act?
Article 10 defines the data and data governance requirements for high-risk AI systems, covering dataset quality, documentation, validation, and traceability.
What is Annex III?
Annex III lists categories of AI systems considered high risk under the EU AI Act, such as healthcare, employment, education, and critical infrastructure.
What is data governance?
Data governance is the framework of policies and processes for managing data collection, annotation, quality, security, documentation, and lifecycle management.
What are technical docs?
Technical docs are records that describe how an AI system was designed, trained, validated, tested, and monitored to demonstrate regulatory compliance.
What is a conformity assessment?
A conformity assessment is the process of verifying that a high-risk AI system satisfies the EU AI Act's regulatory requirements before it is placed on the market.
