Article 12 — Record-keeping (EU AI Act)

Article 12 of Regulation (EU) 2024/1689 — Record-keeping. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 12 of Regulation (EU) 2024/1689 establishes mandatory record-keeping requirements for high-risk AI systems. The article sits within Title III, Chapter 2, which sets out the technical and governance requirements that high-risk AI systems must satisfy before being placed on the EU market or put into service.

The core obligation is that high-risk AI systems must be designed and developed with logging capabilities that enable the automatic recording of events — commonly referred to as logs — over the system's operational lifetime. These logs serve a dual purpose: supporting post-market monitoring by the provider under Article 72, and enabling national competent authorities to exercise their supervisory and investigative functions.

Article 12(2) specifies that logging capabilities must, at minimum, record the period of each use of the system (start and end date and time), the reference database against which input data has been checked where applicable, input data that led to a given output or result, and — where biometric identification systems are concerned — the identity of natural persons involved in the verification of the results.

The article places the design obligation squarely on providers. Logging must be built into the system by construction, not added retrospectively. This reflects the Regulation's broader by-design philosophy. Operators who deploy these systems bear complementary obligations under Article 26 to preserve logs generated during their use of the system, to the extent such logs are under their control.

What This Means in Practice

For providers developing or placing high-risk AI systems on the EU market, Article 12 requires engineering-level decisions to be made during the design phase, not after deployment. Logging must be an architectural feature of the product.

Affected parties. Any organisation that develops, places on the market, or puts into service a high-risk AI system as defined under Article 6 and Annex III is subject to Article 12. This includes systems used in employment screening, credit scoring, biometric identification, critical infrastructure management, educational assessment, law enforcement, border control, and administration of justice, among others. Operators — organisations that deploy a provider's high-risk AI system in their own context — have secondary obligations to maintain logs they control.

Concrete actions required. A provider must implement automated logging that captures the required data points without manual intervention. For example, a provider of an AI-assisted CV-screening tool must ensure the system logs each recruitment session, the dataset version used to train or calibrate the model, and the inputs (applicant profiles) that generated each output (ranking or recommendation). An operator deploying that tool must retain those logs and make them available to authorities on request.

Investigative utility. Logs exist primarily to enable retrospective analysis. If a system produces a discriminatory outcome or causes harm, regulators must be able to reconstruct what happened. Logs that are incomplete, overwritten, or inaccessible defeat this purpose and expose both provider and operator to enforcement risk.

Proportionality. The specific scope of what must be logged is calibrated to the type of system. Biometric systems face the most granular requirements. Providers should document their logging design decisions in technical documentation as required by Article 11.

Key Obligations

• Logging by design. High-risk AI systems must be designed and developed with automatic event-logging capabilities built into the system architecture before market placement or deployment.
• Minimum log content. Logs must capture, at minimum: the operational period of each use session, the reference database used for input verification where applicable, the input data that produced each output or decision, and — for biometric identification systems — the identities of natural persons who verified results.
• Operator log retention. Operators must retain logs generated during their use of a high-risk AI system for the period required by applicable law and, at minimum, for the duration necessary to support post-market monitoring and regulatory investigations.
• Accessibility to authorities. Logs must be available to national competent authorities upon request to facilitate supervisory oversight, incident investigation, and market surveillance activities.
• Traceability of outputs. The logging system must enable the reconstruction of a causal chain from a specific input to a specific output, supporting accountability and the right to explanation where it applies.
• Alignment with technical documentation. The logging architecture and its scope must be described in the technical documentation maintained under Article 11, ensuring consistency between the system as designed and the system as monitored.

Relationship to Other Articles

Article 12 cannot be read in isolation. It operates as part of a network of interconnected requirements in Title III, Chapter 2.

Article 9 (Risk management system) establishes the overarching framework within which logging feeds — logs generate the operational data needed to identify and assess risks in real-world deployment.

Article 11 (Technical documentation) requires providers to document the logging architecture and capabilities as part of the broader technical file submitted to notified bodies or retained for regulatory inspection.

Article 17 (Quality management system) requires providers to maintain a quality management system that integrates logging into broader operational controls and corrective action procedures.

Article 26 (Obligations of deployers) assigns to operators the obligation to retain logs under their control and to cooperate with providers and authorities, making Article 12 a shared responsibility across the supply chain.

Article 72 (Post-market monitoring) is the downstream consumer of Article 12 logs — the monitoring system relies on operational logs to detect performance degradation, unexpected outputs, and emerging risks after deployment.

Article 73 (Reporting of serious incidents) uses log data as primary evidence when providers are required to report serious malfunctions or incidents to market surveillance authorities.

Compliance Timeline

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024, twenty days after publication in the Official Journal of the European Union.

Application of the Regulation is phased:

• 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Title II, Article 5) became applicable.
• 2 August 2025 — Rules on general-purpose AI models (Title VIII) and governance obligations (Title III, Chapter 4 on notified bodies; Title VI on governance) became applicable.
• 2 August 2026 — Obligations for high-risk AI systems listed in Annex III begin to apply for most categories. Article 12 falls within this phase. Providers and operators of high-risk AI systems must have compliant logging capabilities in place by this date.
• 2 August 2027 — Extended deadline for high-risk AI systems covered by existing sectoral Union harmonisation legislation listed in Annex I (e.g. machinery, medical devices), giving those sectors additional time to adapt existing conformity assessment frameworks.

Organisations developing high-risk AI systems should treat 2 August 2026 as the hard compliance deadline for Article 12 logging requirements, with design and testing of logging infrastructure completed well in advance to allow for conformity assessment procedures under Article 43.