Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Updated: June 2026

This is an explicit providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → obligation under the EU AI Act. The logging capability must be built in by the provider; deployers carry the matching log-retention duty under Art. 26.6.

Introduction: making the system auditable by construction

Art. 12 is the obligation that turns a high-risk AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → from a black boxblack boxInformal name for a system whose internal decision logic cannot be inspected or meaningfully explained.Open full entry → into an auditable one. It requires that the system technically allows for the automatic recording of events, logs, throughout its lifetime. This is a design requirement on the provider: the capability to log must be built into the system, not bolted on by the deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry → afterward. Without it, none of the downstream accountabilityaccountabilityThe principle that a named human or organization answers for an AI system's outcomes, through ownership, documentation, audit trails and redress — never the system itself.Open full entry → obligations can be satisfied, because there is no record to examine.

The purpose of the logging is traceability. The logs must make it possible to reconstruct how the system functioned, at a level of detail appropriate to the intended purpose, so that a deployer, an auditor, or a supervisory authority can understand what the system did and why. Logging is the evidentiary foundation on which oversight, incident investigation, and conformity all rest.

What the logs must capture

Art. 12 requires the logging capability to record events relevant for identifying situations that may result in the system presenting a risk or undergoing a substantial modificationsubstantial modificationA change to a deployed AI system that materially alters its function or purpose — capable of shifting provider obligations onto the modifier.Open full entry →, for facilitating post-market monitoringpost-market monitoringProvider-side duty to systematically collect and act on experience from systems in use — the product-regulation half of continuous monitoring.Open full entry →, and for monitoring the operation of the system. For the high-risk systems where it applies most strictly, the logging must at minimum capture the period of each use, the reference data against which inputs were checked, the input data, and the identification of the people involved in verifying the results.

The guiding principle is that the logs must be sufficient to reconstruct the system's operation to the degree the risk of the use case demands. A system making consequential decisions about people requires logging detailed enough to reconstruct an individual decision; a lower-stakes system requires less.

Why immutability matters

A log is only evidence if it cannot be quietly altered. This is the point that separates real record-keeping from the appearance of it. Database logs that an administrator can edit do not qualify as a tamper-resistant audit trail, because a record that can be changed after the fact proves nothing about what happened. The logging Art. 12 envisages is automatically generated, tamper-evident, and retained, so that the record presented to a supervisor is the record of what occurred, not a version that could have been adjusted.

This is the difference between policy as a document and compliance as an instrumented system. An organisation that can produce immutable, automatically generated logs demonstrates control at the level a supervisor can verify. One that offers editable database tables offers an assertion, not evidence.

The relationship to Art. 19 and Art. 26

Art. 12 is the design obligation; two other articles complete the picture. Art. 19 requires providers to keep the automatically generated logs that are under their control for an appropriate period. Art. 26.6 places the retention duty on deployers: keep the logs the high-risk system generates for at least six months, unless other law requires longer. Together, Art. 12 ensures the logs exist, Art. 19 and Art. 26.6 ensure they are kept, and the combination ensures that when an incident or audit occurs, the evidence is available.

Why it matters

For the deployer, the logs are the primary evidence that the system was used in accordance with its instructions and under proper human oversighthuman oversightDesigned-in human ability to monitor, intervene in, override or shut down an AI system — meaningful only when the human has authority, information and time to act.Open full entry →. When a supervisory authority asks how a particular decision was reached, or whether oversight was real, the logs are the answer. A deployer who cannot produce them cannot demonstrate compliance, regardless of how well the rest of the programme is run.

Governing record-keeping

The controls ensure the logging capability exists, is tamper-resistant, and is retained for long enough to serve its purpose.

At procurement, the deployer confirms that the high-risk system provides the Art. 12 logging capability and that the logs are exportable in a usable format, because a retention duty cannot be met for logs that cannot be extracted. In operation, the deployer ensures the logs are captured, protected against alteration, and retained for the Art. 26.6 minimum or longer where other law applies. The retention design balances the six-month logging floor against the GDPR minimisation principle through pseudonymisationpseudonymisationReplacing identifying fields so data can't be attributed to a person without separate information — a minimisation and security technique that keeps data personal under GDPR.Open full entry → where the logs contain personal data.

Compliance checklist

1. Does each high-risk system provide an automatic logging capability as required by Art. 12?
2. Are the logs detailed enough to reconstruct the system's operation to the level the use case demands?
3. Are the logs tamper-resistant, so that an administrator cannot silently edit them?
4. Are the logs exportable in a usable format so the retention duty can be met?
5. Are the logs retained for at least six months (Art. 26.6), or longer where other law requires?
6. Where logs contain personal data, is the retention reconciled with the GDPR minimisation principle through pseudonymisation?