EU AI Act Article 12 — Logging Requirements

What EU AI Act Article 12 requires for automatic logging of high-risk AI systems: log content, retention periods, tamper-evident architecture, and compliance implementation.

What Must Be Logged?

Article 12 specifies that logs must cover events that enable traceability of AI outputs. This includes: timestamps of operation, input data (or references to input data), AI system outputs and decisions, identifiers of the operating entity, and any human review or override actions. The specific log schema depends on the application domain.

Log Retention Requirements

Logs must be retained for at least six months after the first use of the AI system, unless otherwise specified by applicable EU or national law. Providers should design log retention and archiving policies that exceed this minimum for practical audit purposes.

Tamper-Evident Logging Architecture

While Article 12 does not specify cryptographic requirements, regulatory-grade compliance requires tamper-evident log architecture. Logs that can be retrospectively modified — to conceal adverse decisions or errors — do not satisfy the spirit of Article 12 traceability requirements. Append-only log stores with cryptographic chaining are the recommended implementation pattern.
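The append-only, cryptographically chained pattern described above can be sketched as follows. This is an added example, not code from Article 12 or from CertifiedData.io; the use of SHA-256, the record layout, the field names and the sample events are assumptions made for illustration. It also shows why the latest chain hash must be kept outside the log store: an in-place edit breaks the chain, but a full rewrite with recomputed hashes is caught only by comparison with that anchored head.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used for the first record

def digest(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, event):
    """Chain a new record to the previous one and return the new head hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev_hash, "hash": digest(prev_hash, event)})
    return log[-1]["hash"]

def verify(log, anchored_head):
    """Return (ok, index of first inconsistent record or None)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev_hash or rec["hash"] != digest(prev_hash, rec["event"]):
            return False, i
        prev_hash = rec["hash"]
    # Internally consistent: now compare with the head kept outside the log store,
    # which is what exposes truncation or a full rewrite with recomputed hashes.
    return (prev_hash == anchored_head), None

# Constructed sample events using the fields listed under "What Must Be Logged?".
EVENTS = [
    {"timestamp": "2025-01-10T09:00:00Z", "operator_id": "op-17",
     "input_ref": "case-0001", "output": "reject", "human_review": None},
    {"timestamp": "2025-01-10T09:05:00Z", "operator_id": "op-17",
     "input_ref": "case-0001", "output": "approve", "human_review": "override:reviewer-3"},
]

def demo():
    log = []
    for event in EVENTS:
        head = append(log, event)  # head would be written to separate, write-once storage
    edited = copy.deepcopy(log)
    edited[0]["event"]["output"] = "approve"   # retrospective edit of one record
    rewritten = []
    for rec in edited:
        append(rewritten, rec["event"])        # whole chain recomputed after the edit
    return {"intact": verify(log, head), "edited": verify(edited, head),
            "rewritten": verify(rewritten, head), "truncated": verify(log[:1], head)}

if __name__ == "__main__":
    print(demo())
```

In a deployment the anchored head would be published or stored under separate access control from the log itself, so that auditors can run the verification with read-only access.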

CertifiedData.io provides cryptographic certification infrastructure for synthetic datasets and AI artifacts, producing tamper-evident records for audit and EU AI Act compliance.

Access Requirements

Logs must be accessible to the provider and, where applicable, to notified bodies and market surveillance authorities. Log access architecture must therefore support authorized auditor access without compromising the integrity of the log store.