AI Regulatory Intelligence โ€” by YRproject

factual analysis · traceable to primary sources

Compliance platform Work with us LinkedIn NLยทENยทDE
Guide

Record-keeping and logging: what does Article 12 of the AI Act require?

Adopted 2026-06-22 ยท ≈ 2 min read ยท Dirk Baaijen

Article 12 requires high-risk AI systems to automatically record events (logs) over their lifetime. Logging enables risk monitoring, traceability and after-the-fact investigation. This guide explains what the logs must contain at minimum and how long to keep them.

Short answer: Article 12 of the AI Act requires providers to build high-risk AI systems so that they automatically record events (logs) over their lifetime. Those logs must make it possible to identify risky situations, monitor the system after it is placed on the market, and reconstruct its operation after the fact. Logging is not an optional audit feature but a design obligation.

Why logging is mandatory

A high-risk system may perform differently in practice than in testing. Logs provide the objective trail to see that: they make it possible to detect situations that may lead to a risk or a substantial modification, to monitor the system (post-market monitoring), and to investigate exactly what happened in an incident. Without logs, after-the-fact human oversight is blind.

What the logs must contain at minimum

Logging capabilities must be appropriate to the intended purpose of the system. For certain systems โ€” such as remote biometric identification โ€” Article 12 names specifically:

  • the period of each use (start and end time, date);
  • the reference database against which input data were checked;
  • the input data for which the search produced a match;
  • the identification of the persons involved in verifying the results (see the four-eyes principle in Article 14).

For other high-risk systems the general standard applies: record what is needed to support risk identification, monitoring and traceability.

Keeping, protecting and using

The provider builds in the logging function; the deployer then keeps the generated logs, insofar as they are under its control. The AI Act indicates a benchmark of at least six months, unless other rules (for example data protection) require otherwise. Note: logs may contain personal data, so the GDPR applies in full โ€” minimise what you record, secure storage and govern access.

What to do

  • Decide which events to log based on the intended purpose and risks of the system.
  • Capture timestamps, input and relevant decision points so that a use can be reconstructed.
  • Set a retention period (at least six months, or longer where the law requires) and automate clean-up afterwards.
  • Secure the logs against tampering and unauthorised access; treat them as sensitive data.
  • Describe the logging function in the instructions for use so the deployer knows what to retain.
  • Embed logging in your AI governance framework and follow the timeline of obligations.

Logging is a fixed requirement in the overview of high-risk obligations and is checked in the conformity assessment and CE marking. What you do not record, you cannot later prove.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act), Article 12: record-keeping (automatic logging) by high-risk AI systems.
  2. https://artificialintelligenceact.eu/article/12/
    Consolidated text and commentary on Article 12 (record-keeping).

Share on LinkedIn

Read next

U

Right to explanation of an AI decision: what Article 86 of the AI Act gives you

If you are affected by a decision based (in part) on a high-risk AI system, Article 86 of the AI Act gives you the right to a clear explanation of the AI system's role and the main elements of the decision โ€” from the deployer, on top of your GDPR rights.

A

DPIA for HR AI: when is it mandatory and how do you combine it with the FRIA?

A DPIA (Art. 35 GDPR) is mandatory for large-scale, systematic monitoring and for high-risk AI in HR. This article explains what it must contain and how to combine the DPIA with the FRIA (fundamental rights assessment, Art. 27 AI Act) into one process. With a practical step plan.

A

AI for strategic workforce planning: usually not high-risk, as long as it does not become individual

AI for strategic workforce planning and skills forecasting at organisation level is usually not high-risk under the AI Act. But once it steers individual decisions, it can tip over. Data quality, governance and transparency remain crucial.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject โ€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method โ†’

A project or programme? Work with YRproject โ†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.