EU AI Act · Article 10 · Data governance
The EU AI Act says your data must be examined for bias. Rosa is how you do it, and prove it.
For high-risk AI systems, Article 10 of the European Union Artificial Intelligence Act requires training, validation, and testing datasets to be examined for possible biases, with appropriate measures to detect, prevent, and mitigate them. Rosa diagnoses dataset bias, removes it at source, and emits the immutable evidence an auditor or regulator can verify.
What Article 10 actually requires
Article 10 is the Act's data and data-governance article. It requires high-risk AI systems to be developed on training, validation, and testing datasets that meet quality criteria and are subject to documented governance practices. Two points carry the bias obligation directly:
- Article 10(2)(f): datasets must undergo "examination in view of possible biases that are likely to affect the health and safety of persons, have a negative impact on fundamental rights or lead to discrimination prohibited under Union law".
- Article 10(2)(g): providers must take "appropriate measures to detect, prevent and mitigate possible biases" identified under point (f).
In plain English: you must look for bias in the data behind a high-risk system, and you must do something about what you find, with records to show for it. "High-risk" is defined by the Act and includes systems used for recruitment, credit scoring, access to essential public and private services, and law enforcement, among others.
The penalty reality
One line of context: these are maximums, scaled in practice to the gravity of the breach, and the Act provides lower caps for small and medium-sized enterprises. The exposure is real either way; the cost of examining and debiasing a dataset is a job run.
How Rosa maps to Article 10
| Article 10 requirement | Rosa output |
|---|---|
| Examine datasets for possible biases | Diagnose: a measured bias score plus per-feature association and debiasing-adjustment scores, delivered as a PDF Dataset Intake Report |
| Detect bias affecting health, safety, or fundamental rights | Diagnose identifies bias encoded on the protected attribute, directly or through proxy features |
| Take measures to prevent and mitigate bias | Remove: a Fair Adversarial Network (FAN) transformation that strips recoverable bias while preserving every column's statistics |
| Maintain data governance and documentation | The immutable Run Manifest: input hash, config hash, container digest, timestamps, and per-run evidence, written once per job |
| Demonstrate compliance to auditors and authorities | Verifiable artefacts: anyone holding the original file can recompute the SHA-256 input hash and confirm exactly what was processed |
The evidence artefact
Evidence generated by doing the work.
Every Rosa run emits a Run Manifest: an immutable, hash-verifiable record of exactly what Rosa did to your data. It is written once, retained indefinitely, and emitted for every job, including failures. The input hash is the SHA-256 of your original file's bytes, so an auditor can independently confirm what was processed without trusting anyone's word, including ours.
This is the artefact governance platforms gesture at and cannot show: audit evidence as a byproduct of the remediation itself.
| Field | Value |
|---|---|
| job_id | 550e8400-e29b-41d4-a716-446655440000 |
| mode | remove_bias_training |
| job_status | complete |
| timestamp_submitted | 2026-06-10T09:14:02Z |
| timestamp_completed | 2026-06-10T09:31:47Z |
| row_count | 2,000 |
| bias_columns | ["race"] |
| input_hash | sha256:9f1c…e7a2 |
| schema_hash | sha256:4b08…21cd |
| config_hash | sha256:d3aa…90f4 |
| container_digest | sha256:71be…0c55 |
| bias (pre) | 0.21 |
| residual_bias | 0.001 |
| artifacts | remove_bias_report.pdf, compas_preconditioned_fair.csv |
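The independent check described above, as an added example (not Rosa's own code): an auditor recomputes the SHA-256 of the file's bytes and compares it with the manifest's input_hash. It assumes the manifest stores the value as `sha256:` followed by the full 64-hex-digit digest; the function names and the sample CSV are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed manifest encoding: "sha256:" followed by the full 64-hex-digit digest.
_DIGEST_RE = re.compile(r"^sha256:([0-9a-f]{64})$")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large datasets are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_input_hash(manifest_value, path):
    """Return True only if the file's bytes match the manifest's input_hash.

    Truncated or malformed digests raise ValueError rather than being
    prefix-matched, since a short prefix would accept many different files.
    """
    m = _DIGEST_RE.match(manifest_value.strip().lower())
    if m is None:
        raise ValueError("input_hash must be 'sha256:' plus 64 hex digits")
    return hmac.compare_digest(m.group(1), sha256_of_file(path))


def demo():
    """Constructed data: a tiny CSV and a manifest value derived from it."""
    original = b"id,race,score\n1,a,0.4\n2,b,0.7\n"
    resaved = original.replace(b"\n", b"\r\n")  # same rows, CRLF line endings
    with tempfile.TemporaryDirectory() as d:
        p_orig, p_crlf = Path(d, "orig.csv"), Path(d, "resaved.csv")
        p_orig.write_bytes(original)
        p_crlf.write_bytes(resaved)
        recorded = "sha256:" + hashlib.sha256(original).hexdigest()
        # Expect a match for the original bytes and a mismatch for the re-saved copy.
        return verify_input_hash(recorded, p_orig), verify_input_hash(recorded, p_crlf)


if __name__ == "__main__":
    print(demo())
```

Because the hash covers bytes rather than rows, a copy re-exported with different line endings or encoding fails verification, so the exact submitted file has to be retained alongside the manifest.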
Why Rosa, specifically, for the Act
- Removes the bias, not just flags it. Article 10 asks for mitigation, not a dashboard. Rosa's output is the mitigated dataset itself.
- A clear data-residency story. Trial data is processed in the UK under the EU-UK adequacy decision; a dedicated instance runs in your own region.
- No model rewrite. Rosa outputs a clean CSV that drops into any model or stack.
- No fairness/accuracy trade-off. Your high-risk system still has to perform; Rosa's validation shows it can stay that way.
- The people who assess you can use it too. Diagnose is free for regulators on the shared trial instance, with no end date, and auditors use the same artefacts.
Where do you sit?
I supervise firms
Run a free, independent, reproducible diagnosis on the data of the firms you supervise.
Regulator access
Auditors
I audit firms
Generate standard, defensible Article 10 bias-audit evidence from the data, in one run.
Audit channel
Enterprises
I must comply
Remove dataset bias before the deadline, keep your model's performance, keep the evidence.
Comply with proof
Questions buyers actually ask
Is Rosa a compliance certification?
No. Rosa is an evidence-producing data-governance instrument. It examines your datasets for bias, removes what it can statistically detect, and emits an immutable record of every run. That evidence supports your Article 10 obligations; it does not discharge them, and nothing on this site is legal advice.
Where does my data go?
The shared free trial is processed in the UK (AWS eu-west-2, London), covered by the EU-UK adequacy decision. For production data, a dedicated Rosa instance runs in your own region, so your data never crosses a boundary you have not chosen.
Does Article 10 apply to me?
Article 10 applies to providers of high-risk AI systems as classified by the Act. High-risk uses include recruitment and worker management, credit scoring, access to essential services, law enforcement, and several others listed in Annex III. If you operate in one of those areas, the data-governance requirements almost certainly concern you. Check the Act's classification rules or take advice; Rosa's Diagnose run is a fast, low-cost way to see your data's bias position either way.
When is the deadline, and is it phased?
The Act entered into force on 1 August 2024 and applies in phases: prohibitions from 2 February 2025, general-purpose AI obligations from 2 August 2025, and the bulk of the high-risk obligations, including Article 10, from 2 August 2026. High-risk systems that are components of certain regulated products have until 2 August 2027. For most organisations with high-risk systems, 2 August 2026 is the date that matters.
What if my system is not high-risk?
The obligations do not bind you, but the problem does not go away: biased data produces biased decisions whether or not a regulator is watching. Running Rosa is good practice that reduces discrimination risk, and the evidence trail is useful under GDPR and sector rules even outside the Act's high-risk scope.
Article 10 is months away. Start with the data.
Start free, or talk to us about an audit-ready diagnosis. Processed in the UK; dedicated instances in your own region.