← All EU AI Act guides

Data and Data Governance Duties For High-Risk AI

Data and data governance duties for high-risk AI

EU AI Act

TL;DR — EU AI Act data governance requirements is governed by the EU AI Act (Regulation (EU) 2024/1689). This guide explains what the obligation is, who it applies to, and the practical steps to comply, with citations to the primary text.

What the EU AI Act requires

The EU AI Act sets tiered obligations by risk level. Identify where your system sits, then map the duties that attach to your role (provider, deployer, importer, or distributor) under the Regulation.

Who this applies to

Obligations differ by actor. Providers carry the heaviest documentation and conformity duties; deployers carry use-time transparency and oversight duties. Confirm your role before acting.

Practical steps

  1. Classify the system's risk tier against Annexes I–III.
  2. Map the obligations for your actor role.
  3. Document evidence (technical documentation, risk management, human oversight).
  4. Keep records current as the system or its use changes.

Frequently asked questions

Does this apply to my organisation?

If you place an AI system on the EU market or put it into service in the EU — or your output is used in the EU — the Regulation can apply regardless of where you are established.

When do the obligations take effect?

The Regulation phases in through 2026–2027; high-risk obligations and most provider duties apply from 2 August 2026.

Sources

This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.