Art. 26.6 EU AI Act: log retention and audit trail obligations
Art. 26.6 requires deployers of high-risk AI to retain the system-generated logs for at least six months, unless other law requires longer. The logs are the primary evidence that the system was used in accordance with its instructions.
Updated: June 2026
Introduction: the legal basis for log retention
Art. 26.6 states: "Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period of at least six months, unless provided otherwise in applicable Union or national law or in Union or national law applicable to the deployer."
This creates a minimum baseline of 6 months, but the actual retention period must be determined by reference to sector-specific law and the proportionate needs of the organization. For many deployers, longer retention is required, both by law and by good governance practice.
What are "automatically generated logs"?
High-risk AI systems are required under Art. 12 (provider obligation) to automatically generate logs. These logs must record, at minimum:
- System activation and deactivation events
- Reference data used for each output
- Input data characteristics (not necessarily the data itself)
- Output generated by the system
- Verification procedures the system underwent
- Identity information of the persons involved in each operation
These are the logs that deployers must retain under Art. 26.6. Deployers should verify with their provider that the system generates logs meeting Art. 12 requirements, and obtain contractual guarantees if the logs are stored on the provider's infrastructure.
Retention periods by sector
| Sector / AI type | Retention period | Legal basis |
|---|---|---|
| Credit decisions (banks, lenders) | 7 years | Art. 25 CRR, national banking law |
| HR decisions (employment contracts) | Duration of employment + 2–5 years | National employment law |
| Medical AI (patient records) | 15–20 years | WGBO (Netherlands), MDR |
| Public sector decisions | 10–20 years | Archiefwet (Netherlands) |
| General commercial decisions | 6 months minimum (EU AI Act) | Art. 26.6 |
Practical implementation
- Map each AI system's log outputs to the retention requirements applicable to that system
- Establish secure, tamper-evident log storage separate from operational systems
- Ensure logs are searchable and retrievable within a reasonable timeframe (supervisory audits typically require production within 5–10 business days)
- Define access controls so logs can be accessed for audit but not modified
- For cloud-hosted AI systems: ensure contractual rights to log data on system termination
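The first two items above (mapping retention per system and tamper-evident storage) can be sketched as a hash-chained log with a retention lookup. This is an added example, not code from the original page or from any provider; the class keys `general` and `credit`, the record fields and the function names are hypothetical, and only the retention periods come from the table above.

```python
import calendar, hashlib, json
from datetime import date

# Retention in months per system class. Periods are taken from the table
# above; the class keys are hypothetical labels for this example.
RETENTION_MONTHS = {"general": 6, "credit": 7 * 12}
GENESIS = "0" * 64

def _digest(prev_hash, record):
    # Canonical JSON so the same record always produces the same hash.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, record):
    """Append a record, linking it to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _digest(prev, record)})

def first_tampered(chain):
    """Return the index of the first entry that fails verification, else None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def earliest_deletion(logged_on, system_class):
    """First date on which a record may be deleted under the retention map."""
    years, month0 = divmod(logged_on.month - 1 + RETENTION_MONTHS[system_class], 12)
    year, month = logged_on.year + years, month0 + 1
    # Clamp the day for shorter target months (e.g. 31 Aug + 6 months -> 28 Feb).
    day = min(logged_on.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def build_sample_chain():
    # Constructed sample events, not real system output.
    chain = []
    append(chain, {"ts": "2026-01-10T09:00:00Z", "event": "activation", "operator": "u-17"})
    append(chain, {"ts": "2026-01-10T09:02:11Z", "event": "output", "decision": "refer"})
    append(chain, {"ts": "2026-01-10T17:30:00Z", "event": "deactivation", "operator": "u-17"})
    return chain
```

The chain only detects edits if the latest hash is also recorded somewhere the log writer cannot change (for example a separate system or a periodic signed export); otherwise the whole chain could be recomputed or truncated without trace.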
Compliance checklist
- Have you confirmed that each high-risk AI system generates logs meeting Art. 12 requirements?
- Is the applicable retention period documented for each AI system (accounting for sector-specific law)?
- Is log storage secure, tamper-evident, and access-controlled?
- Are logs retrievable within a reasonable timeframe for supervisory audit?
- For cloud-hosted systems: do contracts guarantee log data access and export?