Article 12: Record-keeping

Paragraph 1: High-risk systems must technically allow for automatic recording of events (logs) across the entire lifetime.

Paragraph 2: Logging capabilities must enable recording of events relevant to:

• (a) Identifying situations that may lead to a risk under Article 79(1) or a substantial modification
• (b) Supporting Article 72 post-market monitoring
• (c) Monitoring under Article 26(5)

The depth and granularity must be proportionate to the intended purpose—always verify lists and definitions on EUR-Lex Article 12.

Paragraph 3: Additional minimum logging rules apply to systems referred to in Annex III point 1(a) (remote biometric identification in law-enforcement contexts in the annex wording—confirm category on EUR-Lex).

• Article 11 — Logging design and retention should be reflected in Annex IV and change control.
• Article 13 — Article 13(3)(f) requires information enabling deployers to collect, store, and interpret logs per Article 12.
• Article 14(5) — Two-person verification context for Annex III point 1(a) ties to log fields in Article 12(3)(d).
• Article 72 — Logs feed post-market evidence.
• Article 73 — Serious-incident workflows may rely on log exports (where applicable).
• Annex III — Determines whether Article 12(3) minimums apply.
• Article 113 — Application dates.

• Define an event schema (who/what/when/outcome/model version) aligned with Article 12(2)(a)–(c).
• Implement tamper-evident storage, access control, and retention aligned with GDPR and sector law where personal data is logged.
• For Annex III point 1(a), implement Article 12(3) fields and test end-to-end with Article 14(5) procedures.
• Document how deployers will access and interpret logs in the Article 13 IFU.
• Run tabletop exercises: can you reconstruct an incident timeline from logs alone?

Editorial note: The following reproduces Article 12(1) through (3) from the English consolidated text of Regulation (EU) 2024/1689. If numbering or annex cross-references differ in your EUR-Lex view, the authentic HTML prevails. Always re-open EUR-Lex before compliance decisions.

1. High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.

2. In order to ensure a level of traceability of the functioning of a high-risk AI system that is appropriate to the intended purpose of the system, logging capabilities shall enable the recording of events relevant for:

(a) identifying situations that may result in the high-risk AI system presenting a risk within the meaning of Article 79(1) or in a substantial modification;

(b) facilitating the post-market monitoring referred to in Article 72; and

(c) monitoring the operation of high-risk AI systems referred to in Article 26(5).

3. For high-risk AI systems referred to in point 1 (a), of Annex III, the logging capabilities shall provide, at a minimum:

(a) recording of the period of each use of the system (start date and time and end date and time of each use);

(b) the reference database against which input data has been checked by the system;

(c) the input data for which the search has led to a match;

(d) the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5).

Further paragraphs or subpoints (if any in the consolidated act) — confirm on EUR-Lex Article 12.

The recitals in the same consolidated AI Act on EUR-Lex contextualise traceability, market surveillance, and biometric identification safeguards linked to logging. Use the official preamble on EUR-Lex—do not rely on unofficial recital lists without checking sequence and wording against the authentic text.