Logging Obligation (Article 12 EU AI Act)
Mandatory logs for high-risk AI
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
The logging obligation for high-risk AI serves traceability, incident investigation, and performance monitoring. The provider must generate logs; the deployer must retain them.
What is the Logging Obligation under Article 12 EU AI Act?
Mandatory logs (Article 12(2)):
- Activation timestamp
- Reference to the input data base
- Identification of the natural persons reviewing the results
- System configuration at the relevant time
Retention: at least 6 months (Article 19), often longer for audit purposes.
Practical example
HR AI assessment: the log records the candidate ID (pseudonymised), the score, the reviewer ID, the system version, and the timestamp.
Frequently asked questions
Who retains the logs?
The provider generates them; the deployer retains them for at least 6 months.
Conflict with the GDPR?
Article 12 and Article 5(1)(e) GDPR must be reconciled — pseudonymisation is recommended.