EU AI Act readiness: what to demand from your data vendor

The EU AI Act (Regulation 2024/1689) places real obligations on providers of high-risk AI systems. Your data vendor cannot make you compliant, but the wrong vendor can make compliance much harder.

What to require

• Article 10 (data governance): documented provenance, consent records, and quality controls for every batch of training or evaluation data.
• Annex IV (technical documentation): evaluation methodology, evaluator credentials, inter-rater agreement, and an error taxonomy, in a form you can drop into your technical file.
• Article 14 (human oversight): evidence that real domain experts, not just automated scoring, were the source of ground truth.
• A signed Data Processing Agreement and a clear position on international transfers (UK IDTA, EU SCCs).

What to avoid

• Black-box evaluation where you never learn who reviewed your model or how qualified they were.
• US-only data residency when your training data contains EU personal data.
• Vendors that cannot articulate their position on prohibited practices under Article 5.

Nxted publishes an EU AI Act position statement and ships every Expert report with the credentials and metrics Annex IV expects.