Chapter III, Section 3 — Obligations of providers and deployers of high-risk AI systems and other partiesArticle 19

Article 19: Automatically Generated Logs

Applies from 2 Aug 20264 min readEUR-Lex verified Apr 2026

Article 19 requires providers of high-risk AI systems to keep the automatically generated logs (as provided for in Article 12) for a period appropriate to the intended purpose of the system, and at least 6 months unless otherwise provided by applicable Union or national law (including GDPR). This complements Article 18 (documentation keeping) by specifically addressing operational logs rather than static documentation. The provider must keep logs to the extent the logs are under their control.

Start free assessment All articles

Who does this apply to?

-Providers of high-risk AI systems who retain automatically generated logs
-Deployers who may also retain logs under Article 26(6)
-DPOs and data governance teams managing log retention alongside GDPR

Scenarios

A high-risk employment screening AI generates inference logs for each candidate assessment. The provider retains these logs for 12 months, exceeding the 6-month minimum.

Compliant with Article 19. The retention period is appropriate to the intended purpose and exceeds the minimum.

Ref. Art. 19

A provider deletes all system logs after 30 days due to storage cost concerns.

Non-compliant — Article 19 requires at least 6 months unless a shorter period is justified by other applicable law.

Ref. Art. 19

Log retention requirements (plain terms)

Article 19 establishes a minimum 6-month retention period for automatically generated logs, with two qualifications:

1. Purpose-appropriate: The retention period must be appropriate to the intended purpose — some high-risk systems may require longer retention 2. Legal override: Where Union or national law (including GDPR data minimisation) provides for a different period, that law may apply

The provider must keep logs to the extent they are within the provider's control. Where the deployer operates the system and controls the logs, the deployer's retention obligations arise under Article 26(6).

Article 19 vs Article 12 vs Article 18

| Article | Scope | What it covers | |---|---|---| | Article 12 | Design requirement | System must *technically enable* automatic logging | | Article 19 | Provider retention | Provider must *keep* logs for at least 6 months | | Article 18 | Documentation | Provider keeps *static* compliance docs for 10 years | | Article 26(6) | Deployer retention | Deployer keeps logs *under their control* |

Article 12 creates the capability; Article 19 creates the retention duty.

How Article 19 connects to the rest of the Act

Article 12 — Technical logging capability that Article 19 builds on.
Article 16(e) — Log keeping is a lettered provider obligation.
Article 18 — Static documentation retention (10 years).
Article 26(6) — Deployer log retention.
Article 72 — Logs feed post-market monitoring.
Article 73 — Logs support serious incident investigation.

Compliance checklist

Set log retention to at least 6 months — extend if the intended purpose requires longer.
Coordinate with GDPR data minimisation: document the legal basis for retaining logs containing personal data.
Clarify provider vs deployer log control in the deployment contract.
Implement tamper-evident storage for retained logs.
Align retention periods with post-market monitoring (Article 72) and incident reporting (Article 73) needs.
Review retention when national law specifies a different period.

Read the official text on EUR-Lex

Set up your log retention policy—free assessment.

Start Free Assessment

Article 12: Record-keeping

Article 16: Obligations of Providers of High-Risk AI Systems

Article 18: Documentation Keeping

Article 26: Obligations of Deployers of High-Risk AI Systems

Article 72: Post-Market Monitoring

Article 73: Reporting of Serious Incidents

Article 99: Penalties for AI Act Infringements

Article 113: Entry into Force and Application Dates

Frequently asked questions

Is 6 months always enough?

6 months is the minimum. If the intended purpose or sector law requires longer (e.g., medical device traceability), the provider must retain longer.

What about GDPR — can logs with personal data be kept for 6 months?

Yes, provided there is a legal basis (e.g., legal obligation under the AI Act). Document the GDPR analysis and apply appropriate safeguards.

Who has access to the automatically generated logs under the AI Act?

Providers must retain logs and provide them to market surveillance authorities upon request (Article 19, Article 21). Deployers who control logs must keep them for at least six months and make them available to market surveillance authorities as well.

On this page

Key terms

Automatically generated logs: Machine-generated records of system events created by the logging capability required under Article 12, retained by the provider under Article 19.
Log retention period: Deployers must retain automatically generated logs under their control for at least six months unless stricter periods apply under Union or national law.
Processor obligations: When a deployer uses a processor to manage logs, the processor must ensure the same retention and access requirements apply under contractual arrangements.

At a glance

Article: 19
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now