EU AI Act: what does this mean for your data?
The EU AI Act has been in force since 2025. What changes for data governance, data lineage and quality — and how to make your data foundation demonstrably compliant without paralysing your organisation.
The EU AI Act has been in force since 2025 and rolls in via staged enforcement through 2027. For data organisations, much changes — but less than many people think, provided your governance is already in shape. This piece summarises what actually changes for data owners and what a pragmatic preparation looks like.
What the Act actually requires (simplified)
The EU AI Act categorises AI systems into four risk levels:
- Prohibited — systems that, for example, score social behaviour or detect emotions in the workplace
- High risk — AI in HR selection, credit scoring, medical triage, critical infrastructure, education admissions, biometric identification
- Limited risk — chatbots, deep fakes (transparency obligation: the user must know it’s AI)
- Minimal risk — spam filters, AI in games
Most of the discussion is about high risk, and that’s where the heaviest data requirements sit.
What that means concretely for your data
For high-risk AI systems, the Act requires that you can demonstrate, among other things:
1. Which data the model used. Not just “we used Snowflake” — concretely which datasets, columns, filters. This requires data lineage from source to training set.
2. How that data was produced. Which transformations, which quality controls, which assumptions. Requires lineage + documentation of your data pipelines.
3. What quality that data has. Bias detection, representativeness, completeness. Requires data quality monitoring with measurable metrics per dataset.
4. Who owns the data. Not just technically (in which system it sits), but organisationally (who decides on changes, quality, access). Requires data stewardship and a governance organisation.
5. How data is protected. Access controls, audit trail, retention. Requires policy management with enforcement.
Four of these five are — not by accident — core areas in the DAMA DMBoK framework. If your organisation is DAMA-oriented, you have a head start; if not, the EU AI Act is a good reason to build this foundation now.
What this does not mean
A common misconception: the Act doesn’t ban AI and doesn’t require all data to be perfect. What the Act requires is that you can demonstrably know what’s happening and proportionately defend the choices you make. That’s achievable for data-mature organisations.
A pragmatic preparation
Based on what cimt clients do:
Step 1 — Inventory. Which AI systems run in your organisation? Classify per category (prohibited / high-risk / limited / minimal). Many organisations discover they have more AI in production than they thought — especially in HR tooling and marketing stacks.
Step 2 — Fill data foundation gaps. For high-risk systems: data catalog, lineage, quality monitoring, stewardship roles. No big bang — we recommend a Governance Quickscan of 1–2 weeks to set priorities.
Step 3 — Document. An AI system without a dossier is an AI system that’s legally indefensible. Dossier = which data, which training, which validation, which monitoring. Tools like erwin Data Intelligence include AI model certification for this.
Step 4 — Embed in process. Compliance is not a project but a process. New AI use cases should pass through a lightweight governance review by default.
When to talk to cimt?
Does any of this sound familiar:
- “We have AI projects running but aren’t sure if we’re compliant”
- “Our legal team asks for demonstrable data lineage and we can’t provide it”
- “We want to scale AI but each new use case stalls on data quality”
- “Our DPO warned us about approaching EU AI Act deadlines”
Then an AI Readiness Assessment or Governance Quickscan is a good starting point. In 2–4 weeks you know where you stand and the fastest route to compliance. Book a conversation.
About the author
Taco van het Reve
cimt consultant. Writes about data management from daily practice at Dutch clients. Prefers talking about what works over what's hyped.
Frequently asked
About EU AI Act
Who does the EU AI Act apply to?
Every organisation that builds, deploys or uses AI systems within the EU — regardless of where the organisation itself is based. Extraterritorial reach, just like GDPR. High-risk AI applications (HR selection, credit scoring, medical triage, critical infrastructure) carry most obligations, but all AI use falls under certain transparency requirements.
What are the penalties?
Up to 35 million euros or 7 percent of global annual revenue — comparable to or stricter than GDPR. Enforced by national data protection authorities (in NL the Autoriteit Persoonsgegevens) and the specialised EU AI Office.
Do we need to act now, or can we wait?
Depends on the type of AI system you use. High-risk applications fall under the Act from August 2026. General-purpose AI models and transparency requirements roll in through staged enforcement until 2027. In practice, preparing takes 6–18 months — waiting until "it's time" is not a safe strategy.
Does DAMA DMBoK help with EU AI Act compliance?
Yes. DAMA DMBoK provides the foundation for the data governance requirements the Act imposes — lineage, quality, documentation, ownership. Not a 1-to-1 translation, but a strong base on which AI-Act-specific controls can be layered.