EU AI ACT — GUIDE
Record-keeping & logging under Article 12 of the EU AI Act
Logs are the audit trail that lets a regulator, a court, or an internal investigator reconstruct what a high-risk AI system actually did. Article 12 of Regulation (EU) 2024/1689 puts the design duty on the provider. Article 19 and Article 26(6) put a retention duty on both the provider and the deployer. This page covers what to log, what is special about remote biometric identification, and how the records feed Articles 72, 73 and 79.
The core obligation — Article 12(1) and (2)
Article 12(1) requires high-risk AI systems to technically allow for the automatic recording of events (“logs”) over the lifetime of the system. The logging capability must be conformant with recognised standards or common specifications, where such standards or specifications are available.
Article 12(2) states the purpose: the logging capabilities must enable the recording of events relevant for (a) identifying situations that may result in the high-risk AI system presenting a risk within the meaning of Article 79(1) or in a substantial modification, (b) facilitating the post-market monitoring referred to in Article 72, and (c) monitoring the operation of high-risk AI systems referred to in Article 26(5) by the deployers.
The minimum log set for remote biometric identification — Article 12(3)
For high-risk AI systems referred to in point 1(a) of Annex III (remote biometric identification), Article 12(3) sets out a minimum log set. The logging capabilities must provide, at least:
- recording of the period of each use of the system (start date and time and end date and time of each use);
- the reference database against which input data has been checked by the system;
- the input data for which the search has led to a match;
- the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5).
For other Annex III high-risk systems (including the HR / employment systems under point 4), Article 12 does not prescribe a closed list. The provider chooses the set of recorded events that satisfies Article 12(2)(a)–(c), documents it in the Annex IV technical documentation and exposes it through the Article 13 instructions for use.
Provider-side retention — Article 19
Article 19(1) requires providers of high-risk AI systems to keep the logs referred to in Article 12(1) that are automatically generated by their high-risk AI systems, to the extent such logs are under their control. Without prejudice to applicable Union or national law, the logs must be kept for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in the applicable Union or national law, in particular in Union law on the protection of personal data.
Deployer-side retention — Article 26(6)
Article 26(6) puts a parallel retention duty on deployers of high-risk AI systems. Deployers must keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.
For deployers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial-services law, the logs must be maintained as part of the documentation kept pursuant to the relevant Union financial-services law.
Where the logs are actually used
- Article 72 post-market monitoring. Providers must establish a post-market monitoring system that continuously collects and analyses data on the performance of the system — logs are the primary substrate.
- Article 73 serious-incident reporting. Providers report serious incidents to market-surveillance authorities. Without logs there is no incident reconstruction.
- Article 79 risk-management trigger. “Risk” events identified via logging are the trigger for re-assessment, corrective action and, where relevant, recall or withdrawal under Article 20.
- Article 26(5) suspension duty. Where deployers identify, on the basis of the monitoring of operation, that use in accordance with the instructions may result in that AI system presenting a risk within the meaning of Article 79(1), they must, without undue delay, inform the provider or distributor and the relevant market-surveillance authority and suspend the use.
Common misconceptions
- “The vendor stores the logs — that is enough.” Article 26(6) is an independent deployer duty: you must hold the logs that are under your control, for at least six months.
- “Logs are just for engineers.” They are evidence for post-market monitoring (Art 72), incident reporting (Art 73), market-surveillance investigations (Art 74) and, in some scenarios, Article 26(11) information requests from affected persons.
- “Six months is the ceiling.” Article 19 and Article 26(6) say at least six months. The actual period must be “appropriate to the intended purpose” and respect GDPR storage-limitation under Article 5(1)(e).
- “Logs are exempt from GDPR.” Where logs contain personal data, GDPR applies in parallel. Article 12 and Article 19 explicitly defer to Union data-protection law.
Sources
- Regulation (EU) 2024/1689, Articles 12, 14, 19, 20, 26, 72, 73, 74, 79 — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
- European Commission — AI Act Service Desk, Article 12: ai-act-service-desk.ec.europa.eu/en/ai-act/article-12
Note: Log-retention periods may be extended or shortened by sector-specific Union or national law (in particular GDPR storage limitation under Article 5(1)(e)). PowerQuant supplies templates for the deployer-side log-retention record — not legal advice.