Art. 26.6 EU AI Act: log retention and audit trail obligations
Art. 26.6 requires deployers of high-risk AI to retain the system-generated logs for at least six months, unless other law requires longer. The logs are the primary evidence that the system was used in accordance with its instructions.
Updated: June 2026
Introduction: the legal basis for log retention
Art. 26.6 states: "Deployers of high-risk AI systems shall keep the logs automatically generated by that high-risk AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → to the extent such logs are under their control, for a period of at least six months, unless provided otherwise in applicable Union or national law or in Union or national law applicable to the deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry →."
This creates a minimum baseline of 6 months, but the actual retention period must be determined by reference to sector-specific law and the proportionate needs of the organisation. For many deployers, longer retention is required, both by law and by good governance practice.
What are "automatically generated logs"?
High-risk AI systems are required under Art. 12 (providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → obligation) to automatically generate logs. These logs must record, at minimum:
- System activation and deactivation events
- Reference data used for each output
- Input data characteristics (not necessarily the data itself)
- Output generated by the system
- Verification procedures the system underwent
- Identity information of the persons involved in each operation
These are the logs that deployers must retain under Art. 26.6. Deployers should verify with their provider that the system generates logs meeting Art. 12 requirements, and obtain contractual guarantees if the logs are stored on the provider's infrastructure.
Retention periods by sector
| Sector / AI type | Retention period | Legal basis |
|---|---|---|
| Credit decisions (banks, lenders) | 7 years | Art. 25 CRR, national banking law |
| HR decisions (employment contracts) | Duration of employment + 2–5 years | National employment law |
| Medical AI (patient records) | 15–20 years | WGBO (Netherlands), MDR |
| Public sector decisions | 10–20 years | Archiefwet (Netherlands) |
| General commercial decisions | 6 months minimum (EU AI Act) | Art. 26.6 |
Practical implementation
- Map each AI system's log outputs to the retention requirements applicable to that system
- Establish secure, tamper-evident log storage separate from operational systems
- Ensure logs are searchable and retrievable within a reasonable timeframe (supervisory audits typically require production within 5–10 business days)
- Define access controls so logs can be accessed for audit but not modified
- For cloud-hosted AI systems: ensure contractual rights to log data on system termination
Compliance checklist
- Have you confirmed that each high-risk AI system generates logs meeting Art. 12 requirements?
- Is the applicable retention period documented for each AI system (accounting for sector-specific law)?
- Is log storage secure, tamper-evident, and access-controlled?
- Are logs retrievable within a reasonable timeframe for supervisory audit?
- For cloud-hosted systems: do contracts guarantee log data access and export?