EU AI Act Log Retention: The 6-Month Rule (In Practice)
TL;DR
Under the EU AI Act (Regulation (EU) 2024/1689), logs from a high-risk AI system must be kept for at least six months — this applies to providers under Article 19 and to deployers under Article 26(6), each "to the extent the logs are under their control." The system must also be built to generate those logs automatically (Article 12). Six months is the floor: Union or national law — especially data-protection and sector rules — can require longer, and regulated financial institutions follow their financial-services retention period instead.
This is one of the most-searched, least-clearly-answered questions about the AI Act: how long do I have to keep the logs, and who's actually responsible? The statute answers it in three short Articles that most summaries skip over. Here's the operational version — what to log, who keeps it, for how long, and the exceptions that change the number.
Who must keep AI Act logs — provider or deployer?
Both. The Act splits the duty, and the split matters because most companies are deployers, not providers.
The phrase doing the work is "to the extent the logs are under their control." If your SaaS vendor hosts the model and holds the logs, that portion is under their control (provider duty). If logs are generated in your environment when you run the system, they're under your control (deployer duty). In practice many deployments produce logs on both sides, so both parties carry a six-month obligation over their own slice.
Not sure which role you hold? That single question changes most of your obligations: run the applicability checker or read "Do I need to comply with the EU AI Act?".
What must the logs actually contain (Article 12)?
Before retention is even a question, the system has to produce the logs. Article 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over the lifetime of the system, with logging capabilities that enable a level of traceability appropriate to the intended purpose. For the high-risk biometric category, the Act is more specific — logs must capture, among other things, the period of each use, the reference database checked, the input data that led to a match, and the natural persons involved in verifying results.
For most high-risk systems, "appropriate to the intended purpose" means your logs should be enough to:
- Identify situations that may cause the system to present a risk or trigger a substantial modification;
- Support post-market monitoring (Article 72); and
- Enable a deployer's monitoring of operation per the instructions for use.
Logging is a design requirement (Article 12); retention is an operational requirement (Articles 19 and 26(6)). You need both: a system that records the right events, and a process that keeps those records for at least six months.
How long is "at least six months" — and when is it longer?
Six months is the minimum floor, not a fixed period. The exact wording in both Article 19 and Article 26(6) is "for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in applicable Union or national law, in particular Union law on the protection of personal data."
Three things follow from that:
- "Appropriate to the intended purpose" can mean more than six months. A system whose decisions have long-lived effects (a credit model, a hiring tool) may need a longer retention period to be defensible. Six months is the legal floor; the right number is risk-driven.
- Other laws can override the floor. GDPR storage-limitation and data-minimisation principles, sectoral record-keeping rules, and litigation-hold obligations all interact with AI Act logs. Where logs contain personal data, you must reconcile the six-month minimum with GDPR's "no longer than necessary" — keep them long enough to meet Article 19/26(6) and any sector rule, but not indefinitely without a lawful basis.
- Financial institutions follow their own clock. Article 26(6) is explicit: deployers that are financial institutions subject to Union financial-services law on internal governance/record-keeping must keep the logs as part of the documentation kept under that financial-services law — i.e., their existing retention regime applies, not a separate six-month rule.
What this means in practice
A workable compliance posture for the log-retention obligation:
- Confirm you're high-risk first. Logging and retention duties under Articles 12, 19, and 26(6) apply to high-risk systems (Annex III or Annex I). If your system isn't high-risk, this specific obligation doesn't bind you — classify it with the free assessment before building infrastructure you may not need.
- Make sure the system generates the logs (Article 12). If you're the provider, this is your build requirement. If you're a deployer using a third-party system, confirm the vendor's logging is adequate and that you can access and retain your portion.
- Set retention to ≥ 6 months, then adjust upward by purpose. Default to six months; extend where the system's decisions have lasting consequences or where sector/data-protection law requires it.
- Reconcile with GDPR. If logs contain personal data, document the lawful basis and retention rationale so you satisfy both the AI Act floor and GDPR's storage-limitation principle.
- Map control boundaries. Write down which logs are under your control vs the vendor's, so the six-month duty is clearly owned on each side.
The deadline backdrop: high-risk obligations — including these logging and retention duties — apply to standalone Annex III systems from 2 December 2027 after the Digital Omnibus, and to Annex I embedded systems from 2 August 2028. That's runway to build logging properly, not a reason to defer it — see the deadlines after the Digital Omnibus.
Getting record-keeping wrong is not a footnote: failing to comply with high-risk obligations can draw fines of up to €15M or 3% of worldwide annual turnover under Article 99 (SMEs pay the lower figure). Model your exposure with the penalty calculator.
Frequently asked questions
How long must EU AI Act logs be kept?
At least six months. Both providers (Article 19) and deployers (Article 26(6)) of high-risk AI systems must keep the automatically generated logs, to the extent they are under their control, "for a period appropriate to the intended purpose, of at least six months," unless Union or national law (especially data-protection law) requires otherwise. Six months is the floor, not a cap.
Do deployers have to keep AI Act logs, or only providers?
Both. Many teams assume only the builder (provider) is responsible, but Article 26(6) places an independent six-month log-retention duty on deployers — companies that use a high-risk AI system in their professional activity — for the logs under their control. Providers carry the parallel duty under Article 19.
What logs does the EU AI Act require?
Article 12 requires high-risk AI systems to automatically record events (logs) over their lifetime, at a level of traceability appropriate to the intended purpose — enough to identify risk situations, support post-market monitoring (Article 72), and enable deployer oversight. High-risk biometric systems have additional specific logging requirements (usage period, reference database, matching input data, and the persons verifying results).
Can the six-month retention period be longer?
Yes. "At least six months" is a minimum. A period "appropriate to the intended purpose" can be longer for systems with long-lived effects, and other laws can extend it — GDPR, sectoral record-keeping rules, and litigation holds all interact with AI Act logs. Financial institutions keep the logs under their existing financial-services retention regime instead of a separate six-month rule.
When does the log-retention obligation start to apply?
It applies once the high-risk obligations apply. After the Digital Omnibus, standalone high-risk (Annex III) systems are bound from 2 December 2027, and high-risk AI embedded in regulated products (Annex I) from 2 August 2028. Prohibited-practice and AI-literacy duties are already in force (since 2 February 2025), but logging/retention is part of the high-risk regime on the later dates.
Logging and retention are one slice of the high-risk regime. To see your full obligation list — risk class, documentation, oversight, and record-keeping — run the free EU AI Act assessment. It maps your system to the specific Articles in a few minutes.


