IRCNF

The EU AI Act's Data Obligations Took Effect in May 2026 — What Companies Deploying AI Systems Must Do Now

What Changed on May 2, 2026

The EU AI Act's phased enforcement timeline reached its most consequential milestone on May 2, 2026: the requirements for high-risk AI systems became legally enforceable. The prohibited-use provisions (social scoring, real-time biometric surveillance in public spaces) had already been in effect since August 2024. The general-purpose AI model requirements came into force in August 2025. But the high-risk category — AI used in employment, education, credit, law enforcement, border control, and critical infrastructure — is where the bulk of enterprise AI deployment sits, and that is what is now subject to fines of up to 3% of global annual turnover.

The regulation does not ban AI in these categories. It requires a specific set of data governance, transparency, and human oversight measures. Understanding exactly what is required is essential because the law's text is specific in places where most compliance frameworks have been vague, and vague in places where practitioners need specifics.

The Six Core Data Obligations for High-Risk AI

1. Training Data Documentation

Article 10 of the AI Act requires that training, validation, and testing datasets for high-risk AI systems be subject to documented data governance practices. Specifically, operators must document the data collection methodology, the selection criteria used to include or exclude data, the geographical and temporal scope of the data, the preprocessing and cleaning operations performed, and — critically — potential limitations and biases the data may contain and how they were assessed.

This is more demanding than it sounds. Most ML teams can describe their preprocessing pipeline. Far fewer have formal documentation of why specific data sources were excluded, or a written assessment of what demographic or contextual biases their training data may carry. The European Data Protection Board's April 2026 guidance clarifies that this documentation must be updated when the model is retrained, not just at initial deployment.

2. Fundamental Rights Impact Assessment

Deployers (organizations using a high-risk AI system, as distinct from providers who build it) must complete a Fundamental Rights Impact Assessment before deployment. This is analogous to a DPIA (Data Protection Impact Assessment) under GDPR but extends beyond data protection to cover the AI system's potential impact on equality, non-discrimination, access to services, and procedural rights.

The assessment must identify which groups of people interact with the system, what decisions or recommendations it informs, what the consequences of systematic errors would be for specific populations, and what human oversight mechanism is in place. The assessment must be documented, reviewed when the system is significantly updated, and available to national market surveillance authorities on request.

3. Human Oversight Mechanisms

Article 14 requires that high-risk AI systems be designed and deployed with human oversight measures that enable the person responsible to understand the system's capabilities and limitations, monitor operations, and be able to override, interrupt, or disregard the system's output. This is not satisfied by having a human technically in the loop who rubber-stamps AI decisions — the law requires that the human actually be capable of understanding and meaningfully reviewing the output.

In practice, this creates a documentation and training requirement. Organizations must be able to demonstrate that the people reviewing AI-generated recommendations have been given information about the system's error rates, known limitations, and the types of cases where it is less reliable. A hiring manager approving an AI-generated candidate shortlist without knowing the system's demographic false-positive rates by gender or ethnicity does not satisfy Article 14.

4. Accuracy, Robustness, and Cybersecurity

High-risk AI systems must achieve consistent levels of accuracy appropriate for their intended purpose, and providers must disclose the expected accuracy metrics in the instructions for use. This creates an obligation that most enterprise AI deployments are not currently structured to meet: ongoing performance monitoring with defined thresholds that trigger review or suspension of the system. Systems that were accurate at deployment can drift as underlying data distributions change — the law requires detecting and acting on that drift.

5. Technical Documentation and Logs

Providers must maintain technical documentation demonstrating the system's compliance with the Act, and the system must maintain logs of its operation automatically for a period appropriate to the purpose. For employment AI, the guidance suggests logs should cover at minimum the inputs considered, the output produced, and the timestamp for each consequential decision, retained for the duration of any legal challenge period — typically 3-5 years depending on the employment law of the member state.

6. Transparency to Affected Persons

People who are subject to decisions made or significantly influenced by high-risk AI have the right to an explanation. This right is not triggered just by automated decision-making (that is covered by GDPR Article 22) but by any significant influence of a high-risk AI system on a human-made decision. The explanation must cover the main parameters considered by the system and how they influenced the outcome — not a generic description of how the model works, but a decision-specific explanation.

Where Most Organizations Are Failing Right Now

The European AI Office has begun shadow audits of high-risk AI deployments in the financial services and HR technology sectors, and early signals from industry attorneys who have seen the questionnaires indicate three consistent gaps:

Gap 1: The FRIA is not being done or is delegated entirely to the AI vendor. The deployer is responsible for the assessment, not the provider. Vendors can supply documentation to help, but the FRIA must reflect the specific deployment context, not just the model in the abstract. A credit scoring model deployed by Bank A in Germany for consumer lending in 2026 must have a different FRIA from the same model deployed by Bank B for SME lending in France.

Gap 2: Human oversight mechanisms exist on paper but not in practice. Many organizations have documented that a human reviews AI recommendations, but they have not ensured that humans are given the information they would need to meaningfully override the AI. A study by AlgorithmWatch published in April 2026 found that in 78% of surveyed HR AI deployments, the human reviewer had no access to the model's confidence score or known error rates at the time of review.

Gap 3: Training data documentation predates the Act and does not meet Article 10. Systems built before 2024 often have inadequate records of data source selection decisions and bias assessments. Retroactively reconstructing this documentation is difficult and, in many cases, impossible for systems where the original data no longer exists. The pragmatic answer is to treat re-training or significant model update as a compliance trigger for producing compliant documentation going forward.

Practical Steps for Compliance Now

  1. Map your AI inventory to the high-risk categories. Article 6 and Annex III list the categories precisely. If you are using AI in employment screening, creditworthiness assessment, benefit eligibility, or law enforcement assistance, you are in scope. Do not assume that using an external vendor means you are not the deployer for purposes of the law.
  2. Prioritize FRIA completion for deployed systems. The law does not provide a grace period for systems already in use. If your system was deployed before May 2, 2026, you are in violation if you do not have a compliant FRIA. Complete it now, with an accurate deployment date, and document any remediation actions.
  3. Audit your human oversight documentation. Can you demonstrate that human reviewers of AI outputs have been trained on the system's limitations? Do your workflows record that a human actually reviewed the decision, or just that the system produced a recommendation?
  4. Implement monitoring for model performance drift. Define your accuracy thresholds, establish monitoring cadence, and document what triggers a review or suspension of the system. This does not require sophisticated tooling — a quarterly accuracy audit against a held-out evaluation dataset is better than nothing.
  5. Engage your AI vendors on shared documentation obligations. Providers of high-risk AI systems have their own obligations under the Act. Request their technical documentation and conformity assessments, and verify they have CE marking where applicable. Using an AI system from a provider who cannot supply this documentation is itself a compliance exposure.
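
The periodic audit described in step 4 and in the accuracy obligation above, as an added example that is not from the original article: it scores held-out evaluation rows, compares overall accuracy and the per-group false-positive-rate spread against thresholds, and returns the action with the reasons to record. The threshold values, group labels and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds, not values from the Act or the article; set them per system.
REVIEW_ACCURACY = 0.90   # below this, open a documented review
SUSPEND_ACCURACY = 0.80  # below this, suspend the system pending investigation
MAX_FPR_GAP = 0.10       # largest tolerated false-positive-rate spread between groups

def audit(records):
    """Audit (group, y_true, y_pred) rows from a held-out evaluation set."""
    records = list(records)
    if not records:
        raise ValueError("empty evaluation set, nothing to audit")
    accuracy = sum(t == p for _, t, p in records) / len(records)
    false_pos, negatives = defaultdict(int), defaultdict(int)
    for group, truth, pred in records:
        if truth == 0:
            negatives[group] += 1
            false_pos[group] += int(pred == 1)
    fpr = {g: false_pos[g] / n for g, n in negatives.items()}
    gap = max(fpr.values()) - min(fpr.values()) if len(fpr) > 1 else 0.0
    reasons = []
    if accuracy < REVIEW_ACCURACY:
        reasons.append(f"accuracy {accuracy:.2f} below {REVIEW_ACCURACY:.2f}")
    if gap > MAX_FPR_GAP:
        reasons.append(f"false-positive-rate gap {gap:.2f} above {MAX_FPR_GAP:.2f}")
    action = "suspend" if accuracy < SUSPEND_ACCURACY else "review" if reasons else "ok"
    return {"accuracy": accuracy, "fpr_by_group": fpr, "fpr_gap": gap,
            "action": action, "reasons": reasons}

def sample(group, pos, missed, neg, false_pos):
    """Constructed evaluation rows: `missed` false negatives, `false_pos` false positives."""
    return ([(group, 1, 0)] * missed + [(group, 1, 1)] * (pos - missed)
            + [(group, 0, 1)] * false_pos + [(group, 0, 0)] * (neg - false_pos))

# Constructed quarterly snapshots for two groups, A and B (not real data).
QUARTERS = {
    "Q1": sample("A", 25, 0, 25, 1) + sample("B", 25, 0, 25, 1),
    "Q2": sample("A", 25, 0, 25, 1) + sample("B", 25, 3, 25, 5),
    "Q3": sample("A", 25, 5, 25, 6) + sample("B", 25, 5, 25, 6),
}

if __name__ == "__main__":
    for quarter, rows in QUARTERS.items():
        result = audit(rows)
        print(quarter, result["action"], result["reasons"])
```

In the constructed Q2 snapshot overall accuracy stays above the review threshold while one group's false-positive rate has moved away from the other's, which is why the audit checks both figures.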

The AI Act's enforcement regime has more teeth than GDPR had at launch. The European AI Office is a dedicated body with technical staff, and the fines scale with turnover rather than being capped at a fixed amount. Organizations that treated May 2, 2026 as a checkbox moment rather than a genuine operational change are taking a measurable legal risk.
