EU AI Act · Article 10 · Data governance

The EU AI Act says your data must be examined for bias. Rosa is how you do it, and prove it.

For high-risk AI systems, Article 10 of the European Union Artificial Intelligence Act requires training, validation, and testing datasets to be examined for possible biases, with appropriate measures to detect, prevent, and mitigate them. Rosa diagnoses dataset bias, removes it at source, and emits the immutable evidence an auditor or regulator can verify.

DEADLINE · 2 AUGUST 2026

What Article 10 actually requires

Article 10 is the Act's data and data-governance article. It requires high-risk AI systems to be developed on training, validation, and testing datasets that meet quality criteria and are subject to documented governance practices. Two points carry the bias obligation directly:

  • Article 10(2)(f): datasets must undergo "examination in view of possible biases that are likely to affect the health and safety of persons, have a negative impact on fundamental rights or lead to discrimination prohibited under Union law".
  • Article 10(2)(g): providers must take "appropriate measures to detect, prevent and mitigate possible biases" identified under point (f).

In plain English: you must look for bias in the data behind a high-risk system, and you must do something about what you find, with records to show for it. "High-risk" is defined by the Act and includes systems used for recruitment, credit scoring, access to essential public and private services, and law enforcement, among others.

Rosa is a data-governance instrument, not legal advice or certification. It produces evidence that supports your Article 10 obligations; whether your system is high-risk, and whether your overall compliance position holds, is a judgement for you and your advisers.

The penalty reality

EUR 35M / 7% of total worldwide annual turnover, whichever is higher: the maximum fine for breaching the Act's prohibited-practice rules (Article 5). Source: EU AI Act, Article 99(3).
EUR 15M / 3%, whichever is higher: the maximum fine for non-compliance with most other obligations, including the provider obligations that carry Article 10's data-governance requirements. Source: EU AI Act, Article 99(4).

One line of context: these are maximums, scaled in practice to the gravity of the breach, and the Act provides lower caps for small and medium-sized enterprises. The exposure is real either way; the cost of examining and debiasing a dataset is a job run.

How Rosa maps to Article 10

Article 10 requirement | Rosa output
Examine datasets for possible biases | Diagnose: a measured bias score plus per-feature association and debiasing-adjustment scores, delivered as a PDF Dataset Intake Report
Detect bias affecting health, safety, or fundamental rights | Diagnose identifies bias encoded on the protected attribute, directly or through proxy features
Take measures to prevent and mitigate bias | Remove: a Fair Adversarial Network (FAN) transformation that strips recoverable bias while preserving every column's statistics
Maintain data governance and documentation | The immutable Run Manifest: input hash, config hash, container digest, timestamps, and per-run evidence, written once per job
Demonstrate compliance to auditors and authorities | Verifiable artefacts: anyone holding the original file can recompute the SHA-256 input hash and confirm exactly what was processed

The evidence artefact

Evidence generated by doing the work.

Every Rosa run emits a Run Manifest: an immutable, hash-verifiable record of exactly what Rosa did to your data. It is written once, retained indefinitely, and emitted for every job, including failures. The input hash is the SHA-256 of your original file's bytes, so an auditor can independently confirm what was processed without trusting anyone's word, including ours.

This is the artefact governance platforms gesture at and cannot show: audit evidence as a byproduct of the remediation itself.

Run Manifest (verified)

  job_id: 550e8400-e29b-41d4-a716-446655440000
  mode: remove_bias_training
  job_status: complete
  timestamp_submitted: 2026-06-10T09:14:02Z
  timestamp_completed: 2026-06-10T09:31:47Z
  row_count: 2,000
  bias_columns: ["race"]
  input_hash: sha256:9f1c…e7a2
  schema_hash: sha256:4b08…21cd
  config_hash: sha256:d3aa…90f4
  container_digest: sha256:71be…0c55
  bias (pre): 0.21
  residual_bias: 0.001
  artifacts: remove_bias_report.pdf, compas_preconditioned_fair.csv

Immutable. Written once per job, kept indefinitely. Illustrative values; field set mirrors the live manifest schema.
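
An auditor-side check of the input hash described above, as an added example (not Rosa's own code). It assumes the manifest has been loaded into a dict keyed by the field names shown above; the page does not state the manifest's file format, and the function names, sample CSV and sample manifest are constructed for illustration.

```python
import hashlib
import hmac
import io
import re

# Assumed encoding: "sha256:" followed by the full 64-character lowercase hex digest.
DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large CSV never sits fully in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_input_hash(manifest, stream):
    """Compare the manifest's input_hash with the bytes in stream; return (ok, reason)."""
    match = DIGEST_RE.match(manifest.get("input_hash", ""))
    if not match:
        # A shortened display value such as "sha256:9f1c…e7a2" cannot be verified.
        return False, "input_hash is not a full sha256 digest"
    actual = sha256_stream(stream)
    if not hmac.compare_digest(actual, match.group(1)):
        return False, "mismatch: file hashes to sha256:" + actual
    return True, "file bytes match input_hash"


# Constructed sample data, not real Rosa output.
SAMPLE_CSV = b"id,race,score\n1,a,0.4\n2,b,0.7\n"
SAMPLE_MANIFEST = {
    "job_id": "00000000-0000-0000-0000-000000000000",  # placeholder
    "mode": "remove_bias_training",
    "input_hash": "sha256:" + hashlib.sha256(SAMPLE_CSV).hexdigest(),
}

if __name__ == "__main__":
    # The exact original bytes verify.
    print(verify_input_hash(SAMPLE_MANIFEST, io.BytesIO(SAMPLE_CSV)))
    # The same rows re-saved with CRLF line endings do not: the hash covers
    # bytes, not table contents, so the auditor needs the untouched original file.
    resaved = SAMPLE_CSV.replace(b"\n", b"\r\n")
    print(verify_input_hash(SAMPLE_MANIFEST, io.BytesIO(resaved)))
```

A match shows only that the file in hand is the one the manifest names; trusting the manifest itself is a separate question that this check does not answer.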

Why Rosa, specifically, for the Act

  • Removes the bias, not just flags it. Article 10 asks for mitigation, not a dashboard. Rosa's output is the mitigated dataset itself.
  • A clear data-residency story. Trial data is processed in the UK under the EU-UK adequacy decision; a dedicated instance runs in your own region.
  • No model rewrite. Rosa outputs a clean CSV that drops into any model or stack.
  • No fairness/accuracy trade-off. Your high-risk system still has to perform; Rosa's validation shows it can stay that way.
  • The people who assess you can use it too. Diagnose is free for regulators on the shared trial instance, with no end date, and auditors use the same artefacts.

Questions buyers actually ask

Is Rosa a compliance certification?

No. Rosa is an evidence-producing data-governance instrument. It examines your datasets for bias, removes what it can statistically detect, and emits an immutable record of every run. That evidence supports your Article 10 obligations; it does not discharge them, and nothing on this site is legal advice.

Where does my data go?

The shared free trial is processed in the UK (AWS eu-west-2, London), covered by the EU-UK adequacy decision. For production data, a dedicated Rosa instance runs in your own region, so your data never crosses a boundary you have not chosen.

Does Article 10 apply to me?

Article 10 applies to providers of high-risk AI systems as classified by the Act. High-risk uses include recruitment and worker management, credit scoring, access to essential services, law enforcement, and several others listed in Annex III. If you operate in one of those areas, the data-governance requirements almost certainly concern you. Check the Act's classification rules or take advice; Rosa's Diagnose run is a fast, low-cost way to see your data's bias position either way.

When is the deadline, and is it phased?

The Act entered into force on 1 August 2024 and applies in phases: prohibitions from 2 February 2025, general-purpose AI obligations from 2 August 2025, and the bulk of the high-risk obligations, including Article 10, from 2 August 2026. High-risk systems that are components of certain regulated products have until 2 August 2027. For most organisations with high-risk systems, 2 August 2026 is the date that matters.

What if my system is not high-risk?

The obligations do not bind you, but the problem does not go away: biased data produces biased decisions whether or not a regulator is watching. Running Rosa is good practice that reduces discrimination risk, and the evidence trail is useful under GDPR and sector rules even outside the Act's high-risk scope.

Article 10 is months away. Start with the data.

Start free, or talk to us about an audit-ready diagnosis. Processed in the UK; dedicated instances in your own region.