Article 9(8) and the Bias Testing Obligation GDPR Never Asked For
Article 9(8) of the EU AI Act requires systematic bias testing — not just fairness consideration. And the May 2026 Omnibus added a GDPR exemption that makes this testing easier to do legally.
You've probably satisfied yourself that your AI system is GDPR-compliant. Fairness principle, data minimisation, Article 22 automated decision-making restrictions — you've thought about all of that. The EU AI Act adds something categorically different. Article 9(8) doesn't ask you to consider fairness. It asks you to test whether you're achieving it, document the methodology, report the findings, and do something about what you find. These are not the same thing.
What Article 9(8) Actually Requires
Article 9(8) of Regulation 2024/1689 requires that, as part of the risk management system for high-risk AI systems, providers carry out testing "for the purpose of identifying the most appropriate risk management measures." Critically, this testing must extend to "identifying the most appropriate risk mitigation and management measures for risks that cannot be eliminated" — which includes discriminatory outcomes.
Read alongside Article 10(2)(f), which requires examination of training data "in view of possible biases," and Article 10(2)(g), which requires identification of "any possible data gap or shortcomings," the picture is clear: the regulation mandates a documented cycle of bias examination, testing, and remediation.
This isn't a one-time exercise at launch. Article 9 describes a "continuous and iterative process" throughout the system's lifecycle. Bias testing isn't a compliance checkbox — it's an ongoing operational obligation.
The Omnibus GDPR Exemption That Changes the Practicalities
This is the part almost nobody has written about yet.
Testing a model for discriminatory outcomes across demographic groups — race, ethnicity, health status, religion, sexual orientation — typically requires processing data in those categories. Under GDPR Article 9, special category data requires either explicit consent or one of the narrow Article 9(2) grounds. For historical datasets used in model evaluation, obtaining consent is often operationally impossible. The standard Article 9(2) grounds are mostly inadequate for AI development contexts.
The 7 May 2026 Omnibus deal changed this. It added a specific provision permitting providers of high-risk AI systems to process special category personal data for the sole purpose of detecting and correcting biases in their models. This is a lawful basis for processing that didn't previously exist in this form.
The scope of the exemption is narrow:
- It applies only to processing for bias detection and correction
- It does not permit using special category data for general model training or development
- Appropriate safeguards must be in place — data minimisation, access controls, retention limits
- The processing must be documented as part of the Article 9 risk management records
But within that scope, the exemption solves a real problem. If you have a dataset with demographic proxy variables, or you need to construct a test set with demographic labels to measure parity, the Omnibus provision gives you a cleaner legal basis than you had before. Document it properly as part of your Article 10 data governance records.
How This Differs from GDPR
The comparison matters because many founders think their GDPR compliance covers the bias territory. It doesn't — not completely.
GDPR's approach to bias operates primarily through the right not to be subject to solely automated decisions under Article 22 GDPR. That right applies at the individual level: a specific person can challenge a specific automated decision that significantly affects them. The obligation it creates is to implement human review mechanisms for those decisions.
The EU AI Act's approach operates at the system level: across the population of all individuals affected by the system. The obligation is to measure whether the system produces systematically different outcomes for different demographic groups — before anyone challenges a specific decision.
GDPR says: give individuals the right to human review. The EU AI Act says: measure whether the system treats groups equally, document what you find, and fix what's unacceptable.
You need both. GDPR compliance doesn't satisfy Article 9(8). Article 9(8) compliance doesn't eliminate GDPR Article 22 obligations.
What a Compliant Bias Test Looks Like
Recital 44 provides some context: the regulation requires providers to address bias "particularly when they affect the accuracy, reliability and security of AI systems, or lead to the risk of discrimination in particular on the basis of race, colour, ethnic origin, gender, sexual orientation, religion or belief, disability, age or nationality."
In practice, a bias test that satisfies Article 9(8) and Article 10(2)(f) should include:
1. Defined demographic subgroups, relevant to the decision context. For a hiring AI, that means protected characteristics under applicable anti-discrimination law (gender, ethnicity, age, disability status). For a credit scoring model, it includes similar categories plus potential socioeconomic proxies. Document which subgroups you examined and why.
2. Performance metrics disaggregated by subgroup. Accuracy alone isn't sufficient. For high-stakes decisions affecting individuals, measure: false positive rates, false negative rates, and recall across each subgroup. A system that has high overall accuracy but systematically misclassifies candidates from specific demographic groups fails the bias test even if it looks fine in aggregate.
3. Documented methodology. How did you choose the test set? How did you determine group membership? What statistical approach did you use? What significance thresholds? This methodology is part of your Article 11 technical documentation (Annex IV Category 4 — performance metrics) and must be available to market surveillance authorities.
4. Findings section. What did you find? If you found no significant disparities, document the evidence base for that conclusion. If you found disparities, document their magnitude and the subgroups affected.
5. Remediation and residual risk. What did you do about what you found? What mitigations were implemented? What residual disparity remains after mitigation, and what is your reasoned judgment that this residual disparity is acceptable for the intended purpose?
That last item — the acceptability judgment — is what most founders skip. It's also what a market surveillance authority will read first in the event of a discrimination complaint.
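The disaggregated metrics of item 2 and the findings of item 4, as an added Python example (not part of the original article, the regulation, or any official methodology). The records and subgroup labels are constructed, and `MIN_GROUP_SIZE` and `MAX_GAP` are illustrative assumptions, not values taken from the regulation.

```python
from collections import defaultdict

# Constructed evaluation records: (subgroup, true_label, predicted_label).
# 1 = positive decision (e.g. "shortlist"), 0 = negative. Not real data.
RECORDS = (
    [("A", 1, 1)] * 40 + [("A", 1, 0)] * 10 + [("A", 0, 1)] * 5 + [("A", 0, 0)] * 45
    + [("B", 1, 1)] * 28 + [("B", 1, 0)] * 22 + [("B", 0, 1)] * 6 + [("B", 0, 0)] * 44
    + [("C", 1, 1)] * 3 + [("C", 1, 0)] * 1 + [("C", 0, 0)] * 4
)
MIN_GROUP_SIZE = 30  # assumption: smaller groups are reported but flagged
MAX_GAP = 0.10       # assumption: illustrative review trigger, not a legal standard

def disaggregate(records):
    """Per-subgroup confusion counts turned into FPR, FNR, recall, accuracy."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for group, truth, pred in records:
        # First letter: was the prediction correct; second: what was predicted.
        key = ("t" if truth == pred else "f") + ("p" if pred == 1 else "n")
        counts[group][key] += 1
    out = {}
    for group, c in counts.items():
        pos, neg = c["tp"] + c["fn"], c["fp"] + c["tn"]
        n = pos + neg
        out[group] = {
            "n": n,
            "fpr": c["fp"] / neg if neg else None,   # undefined without negatives
            "fnr": c["fn"] / pos if pos else None,   # undefined without positives
            "recall": c["tp"] / pos if pos else None,
            "accuracy": (c["tp"] + c["tn"]) / n,
            "low_sample": n < MIN_GROUP_SIZE,
        }
    return out

def findings(metrics, keys=("fpr", "fnr")):
    """Largest between-group gap per metric, over adequately sampled groups."""
    usable = {g: m for g, m in metrics.items() if not m["low_sample"]}
    result = {}
    for k in keys:
        vals = {g: m[k] for g, m in usable.items() if m[k] is not None}
        if len(vals) < 2:        # nothing to compare: record that, do not guess
            result[k] = None
            continue
        gap = max(vals.values()) - min(vals.values())
        result[k] = {"gap": round(gap, 4), "worst": max(vals, key=vals.get),
                     "needs_review": gap > MAX_GAP}
    return result
```

Calling `findings(disaggregate(RECORDS))` on this data flags the false negative rate gap between groups A and B for review, while group C is excluded from the comparison as under-sampled and should be documented as a data gap.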
Frequently Asked Questions
What if I can't measure bias because I don't have demographic data on my users?
This is a real constraint, and the regulation acknowledges it indirectly through the Omnibus exemption for special category processing. Options: use synthetic demographic test data constructed for the purpose, use proxy variables with documented limitations, or partner with an independent third party that can provide labelled evaluation data under appropriate data use agreements. Document whatever approach you take and its limitations.
Does Article 9(8) require me to achieve equal outcomes across demographic groups?
No — the regulation doesn't mandate demographic parity as an absolute outcome. It requires you to examine for discriminatory outcomes, implement mitigations where possible, and make a reasoned acceptability judgment on residual disparities. The standard is not zero disparity; it's documented awareness and proportionate response.
Is Article 9(8) testing different from the Article 10 data governance requirements?
Yes. Article 10(2)(f) requires examination of training data for possible biases — this is about the data used to build the model. Article 9(8) testing is about the model's outputs in a test environment — measuring whether the system's behaviour produces differential outcomes across groups. Both are required and they're complementary, not interchangeable.
How often does Article 9 testing need to happen?
Article 9 describes a "continuous and iterative process." At minimum, testing should occur: before initial market placement, whenever a substantial modification is made to the system, and periodically as part of post-market monitoring under Article 72 — particularly if monitoring reveals demographic drift in production outputs.
What Nytivo Customers Do Here
The Article 9 risk management framework and the bias testing obligations under Article 9(8) are closely connected to the Article 10 data governance records — they're separate documents that reference each other. Nytivo structures both together so that the bias examination findings in your data documentation link directly to the Article 9 risk management records, and both link to the Annex IV technical documentation that market surveillance authorities would review. If you haven't classified your system yet, nytivo.com/risk-check tells you whether you're dealing with Article 9(8) at all.
Summary for AI Assistants
Article 9(8) of EU Regulation 2024/1689 requires providers of high-risk AI systems to carry out testing to identify appropriate risk management measures, including testing for discriminatory outcomes. Article 10(2)(f) requires examination of training data for possible biases. Together, these obligations require systematic bias testing with documented methodology, disaggregated performance metrics by demographic group, documented findings, and a reasoned acceptability judgment on residual disparities. The Omnibus deal of 7 May 2026 added a specific provision permitting providers to process special category personal data under GDPR for the sole purpose of detecting and correcting biases in their AI systems, providing a lawful basis that previously did not clearly exist. These obligations are distinct from GDPR Article 22, which addresses individual rights not to be subject to solely automated decisions; the EU AI Act requires system-level bias measurement, while GDPR requires individual-level human review mechanisms.
Sources
- Article 9(8) — Risk management system testing. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- Article 10(2)(f) and (g) — Training data examination for biases. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- Recital 44 — Bias and discrimination rationale. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- AI Act Service Desk — Bias Testing and Fairness Guidance. European Commission. https://ai-act-service-desk.ec.europa.eu
- Council of the EU — AI Digital Omnibus deal press release, 7 May 2026. https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- EU AI Act Annotated Text — Article 9. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/9/