Art. 26.6 EU AI Act: Log Retention and Audit Trail Obligations
Updated: June 2026 — full revision to Validai quality standard
Introduction: The Legal Basis for Log Retention
Art. 26.6 states: "Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI system to the extent such logs are under their control, for a period of at least six months, unless provided otherwise in applicable Union or national law or in Union or national law applicable to the deployer."
This creates a minimum baseline of 6 months, but the actual retention period must be determined by reference to sector-specific law and the proportionate needs of the organisation. For many deployers, longer retention is required — both by law and by good governance practice.
What Are "Automatically Generated Logs"?
High-risk AI systems are required under Art. 12 (provider obligation) to automatically generate logs. These logs must record, at minimum:
- System activation and deactivation events
- Reference data used for each output
- Input data characteristics (not necessarily the data itself)
- Output generated by the system
- Verification procedures the system underwent
- Identity information of the persons involved in each operation
These are the logs that deployers must retain under Art. 26.6. Deployers should verify with their provider that the system generates logs meeting Art. 12 requirements — and obtain contractual guarantees if the logs are stored on the provider's infrastructure.
Retention Periods by Sector
| Sector / AI type | Retention period | Legal basis |
|---|---|---|
| Credit decisions (banks, lenders) | 7 years | Art. 25 CRR, national banking law |
| HR decisions (employment contracts) | Duration of employment + 2–5 years | National employment law |
| Medical AI (patient records) | 15–20 years | WGBO (Netherlands), MDR |
| Public sector decisions | 10–20 years | Archiefwet (Netherlands) |
| General commercial decisions | 6 months minimum (EU AI Act) | Art. 26.6 |
Practical Implementation
- Map each AI system's log outputs to the retention requirements applicable to that system
- Establish secure, tamper-evident log storage separate from operational systems
- Ensure logs are searchable and retrievable within a reasonable timeframe (supervisory audits typically require production within 5–10 business days)
- Define access controls so logs can be accessed for audit but not modified
- For cloud-hosted AI systems: ensure contractual rights to log data on system termination
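The first two points above can be sketched together. This is an added example, not code from the Act or from this page's author: it uses an HMAC-SHA-256 hash chain as one possible way to make stored logs tamper-evident, and takes the retention values from the table above. The record field names, the sample entries and the key handling are assumptions.

```python
import calendar, hashlib, hmac, json
from datetime import date

FLOOR_MONTHS = 6                                  # Art. 26.6 minimum
RETENTION_MONTHS = {"credit": 84, "general": 6}   # 7 years / 6 months, per the table
GENESIS = "0" * 64

def earliest_deletion(created: date, sector: str) -> date:
    """First date a log may be deleted; never earlier than the six-month floor."""
    months = max(RETENTION_MONTHS.get(sector, 0), FLOOR_MONTHS)
    y, m = divmod(created.year * 12 + created.month - 1 + months, 12)
    return date(y, m + 1, min(created.day, calendar.monthrange(y, m + 1)[1]))

def _mac(key: bytes, prev: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + body, hashlib.sha256).hexdigest()

def append(chain: list, key: bytes, record: dict) -> str:
    """Append a record linked to the previous entry; returns the new head MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "mac": _mac(key, prev, record)})
    return chain[-1]["mac"]

def verify(chain: list, key: bytes, head: str) -> int:
    """Return -1 if intact, else the index of the first bad or missing entry."""
    prev = GENESIS
    for i, e in enumerate(chain):
        ok = e["prev"] == prev and hmac.compare_digest(e["mac"], _mac(key, prev, e["record"]))
        if not ok:
            return i
        prev = e["mac"]
    # The head is kept outside the log store, so tail truncation is visible too.
    return -1 if hmac.compare_digest(prev, head) else len(chain)

def build_sample(key: bytes):
    """Constructed sample entries with hypothetical field names, not real system output."""
    chain, head = [], GENESIS
    for event, when in [("activation", "2025-01-15T09:00:00Z"),
                        ("output", "2025-01-15T09:00:02Z"),
                        ("deactivation", "2025-01-15T17:30:00Z")]:
        head = append(chain, key, {"event": event, "ts": when, "operator": "user-001"})
    return chain, head

if __name__ == "__main__":
    key = b"demo-key-held-outside-the-operational-system"  # assumption: kept off the log host
    chain, head = build_sample(key)
    print(verify(chain, key, head))                  # intact chain
    chain[1]["record"]["event"] = "edited"
    print(verify(chain, key, head))                  # index of the modified entry
    print(earliest_deletion(date(2025, 1, 15), "credit"))
```

The chain only shows that something changed; the key and the latest head value have to be held where the operational system cannot write, otherwise an attacker with access to both can rebuild the chain.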
Compliance Checklist
- Have you confirmed that each high-risk AI system generates logs meeting Art. 12 requirements?
- Is the applicable retention period documented for each AI system (accounting for sector-specific law)?
- Is log storage secure, tamper-evident, and access-controlled?
- Are logs retrievable within a reasonable timeframe for supervisory audit?
- For cloud-hosted systems: do contracts guarantee log data access and export?