Article 19 of Regulation (EU) 2024/1689 — Automatically generated logs. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 19 of Regulation (EU) 2024/1689 establishes a logging obligation that operates across two layers: a design-time obligation on providers and an operational obligation on deployers.

On the provider side, Article 19(1) requires that high-risk AI systems be technically capable of automatically generating logs of their operation throughout their lifetime. Providers must build this capability into the system to the extent technically feasible, ensuring that events can be recorded without manual intervention. This connects directly to the broader transparency and traceability framework of Title III.

On the deployer side, Article 19(2) requires that deployers retain the logs automatically generated by high-risk AI systems they operate. The minimum retention period is six months, unless Union law or applicable Member State law prescribes a longer period. Sector-specific regulation — for example in finance, healthcare, or critical infrastructure — will frequently supersede this default minimum.

The logs contemplated by Article 19 serve multiple compliance purposes: they support post-market monitoring under Article 72, facilitate incident reporting under Article 73, and provide the evidentiary basis needed by national competent authorities when conducting market surveillance under Chapter VI. The article does not itself prescribe the precise technical format or granularity of logs, leaving those details to be addressed through harmonised standards and the technical documentation requirements of Article 11 and Annex IV.

What This Means in Practice

For organisations deploying high-risk AI systems, Article 19 introduces a concrete data-retention obligation that must be built into operational processes from day one of deployment.

Deployers must first verify that the AI system they are using is technically capable of generating logs automatically. If a provider delivers a system that lacks this capability where it is technically feasible, the provider is in breach of their own obligations — but the deployer still bears responsibility for conducting adequate due diligence before deployment, as required by Article 26.

In practice, this means deployers should request from providers clear documentation confirming that logging functionality is present, describing what events are logged, and specifying the log format. This documentation should form part of the contractual arrangements between provider and deployer.

Once in operation, deployers must implement a log retention policy covering at least six months. For organisations operating in regulated sectors, this baseline is almost always extended: a hospital deploying an AI-assisted diagnostic tool will need to align log retention with medical records legislation; a bank deploying an AI credit-scoring system must account for financial services record-keeping rules, which often require several years of retention.

Concrete operational steps include: designating responsibility for log storage and access controls, ensuring logs are tamper-evident and securely stored, establishing processes for retrieving logs promptly in response to a regulatory request or incident investigation, and documenting the retention policy within the organisation's broader AI governance framework.

Logs should capture sufficient information to reconstruct the inputs provided to the system, the outputs generated, the version of the model in use, and the timing of operations — enabling meaningful post-hoc review.

Key Obligations

Relationship to Other Articles

Article 19 sits within Chapter 3 of Title III and must be read as part of an integrated traceability framework rather than an isolated obligation.

It connects directly to Article 12 (Record-keeping), which requires that high-risk AI systems be designed to enable record-keeping of their operation, and to Article 11 and Annex IV, which specify what technical documentation providers must maintain, including descriptions of the logging capability.

Article 19 feeds into Article 72 (Post-market monitoring), which requires providers to actively monitor system performance in the field — logs are the primary data source for this monitoring. It also underpins Article 73 (Reporting of serious incidents), where logs provide the evidentiary basis for understanding what occurred during an incident.

The logs retained under Article 19 are among the records that national competent authorities may request when exercising their market surveillance powers under Articles 74 and 75. Finally, the allocation of responsibilities between providers and deployers articulated in Article 19 reflects the broader framework established by Article 25 (Responsibilities along the value chain) and Article 26 (Obligations of deployers).

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, initiating a phased application schedule.

Article 19 falls within Title III, Chapter 3, which governs obligations for providers and deployers of high-risk AI systems. The general application date for high-risk AI system obligations — including Article 19 — is 2 August 2026 for systems listed in Annex III (high-risk applications in areas such as education, employment, essential services, and law enforcement). For high-risk AI systems covered by Annex I (safety components of products regulated by existing Union harmonisation legislation), the obligations apply from 2 August 2027, aligned with the renewal or first issuance of relevant product conformity assessments.

Earlier application milestones include the prohibition of unacceptable-risk AI practices (Article 5), which applied from 2 February 2025, and obligations relating to general-purpose AI models (Title VII), which applied from 2 August 2025.

Organisations deploying high-risk AI systems should treat the 2 August 2026 date as the hard compliance deadline for Article 19 obligations, but should begin designing log retention policies, reviewing provider contracts, and aligning with sector-specific retention laws well in advance — the complexity of enterprise data governance makes last-minute compliance structurally difficult.

Official AI Act Compliance Deadline Calendar

Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | | AI Act Art. 57 |

CC BY 4.0

Frequently Asked Questions

Automatically generated logs are records produced by high-risk AI systems that capture events, inputs, outputs, and operational data during the system's lifecycle. Article 19 requires providers to ensure their high-risk AI systems automatically generate such logs to the extent technically feasible, enabling traceability and post-market monitoring.

The primary obligation falls on deployers, who must retain automatically generated logs for a minimum period defined by applicable law or, where no such law exists, for at least six months. Providers must design and build the logging capability into the system itself. Both parties carry distinct but complementary responsibilities.

No. Article 19 applies specifically to high-risk AI systems as defined in Article 6 and listed in Annex III of the EU AI Act. General-purpose AI systems and AI systems that do not fall within the high-risk classification are not subject to this specific logging requirement, though other obligations may apply.

Deployers must retain automatically generated logs for at least six months, unless Union or Member State law applicable to the deployer or use case prescribes a different, typically longer, retention period. Deployers should always check sector-specific regulations — such as those covering healthcare, finance, or critical infrastructure — as these may impose stricter requirements.

Failure to retain logs as required by Article 19 can constitute a breach of the EU AI Act and expose deployers to supervisory action and administrative fines. Logs are also critical evidence in the event of an incident, safety investigation, or regulatory audit, so their absence may compound liability significantly.
