Article 12 Logging Obligations
Article 12 of the EU AI Act requires that high-risk AI systems automatically generate logs capturing system events throughout their operational lifetime. These logs must be tamper-evident, timestamped, and independently verifiable by national competent authorities.
Text of the Obligation
"High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system. The logging capabilities shall conform to recognised standards or common specifications and shall, as a minimum, ensure a level of traceability of the AI system's functioning throughout its lifetime that is appropriate to the intended purpose."
— EU AI Act, Article 12(1)
What Must Be Logged
Start and stop timestamps for each operational session of the high-risk AI system.
The datasets used as inputs to the AI system — including training datasets and reference data accessed at inference time.
Where technically feasible, a record of the input data that led to a given output or decision.
Events that could affect system performance or lead to deviations from intended purpose.
For provider-level obligations: the origin, generation method, and fingerprint of each training dataset used to build the system.
Technical Requirements for Log Integrity
Logs must be structured so modification is detectable. Hash-chaining or Merkle tree structures satisfy this requirement without requiring a blockchain.
Logs must be produced automatically by the system — not assembled manually after the fact.
Logs must be retained for the duration required by Article 19 — at minimum ten years for high-risk AI system documentation.
Logs must be accessible to national competent authorities upon request. This means they cannot be encrypted with keys held only by the provider.
Each log entry must carry a verifiable timestamp. Ed25519-signed certificates with ISO-8601 timestamps provide this without requiring a trusted timestamp authority.
Any third party must be able to verify log integrity without trusting the AI provider. Public key verification satisfies this requirement.
Training Data Log Entry Format
For the training data layer, Article 12 compliance requires a log record that captures dataset identity, generation provenance, and cryptographic binding. The CertifiedData certification artifact satisfies all of these requirements in a single structured document:
{
"certification_id": "uuid",
"timestamp": "2026-03-19T00:00:00Z", // ISO-8601 per Art. 12
"issuer": "Certified Data LLC", // attributable authority
"dataset_hash": "sha256:a7f3...", // cryptographic binding
"algorithm": "CTGAN", // generation method
"rows": 100000,
"columns": 25,
"schema_version": "certifieddata.cert.v1",
"signature": "ed25519:base64url...", // tamper-evident
"transparency_log_sequence": 4821, // append-only log position
"verify_url": "https://certifieddata.io/verify/uuid"
}The transparency_log_sequence field records the certificate's position in the public hash-chained transparency log. Any gap or reordering of sequence numbers is detectable by any verifier.
Provider vs. Deployer Obligations
- →Document all training datasets with provenance records
- →Retain documentation for 10 years post-market
- →Provide technical documentation enabling deployer logging
- →Ensure the system's technical architecture supports logging
- →Log operating periods and reference database access
- →Retain operational logs for the system's active period
- →Make logs available to national competent authority
- →Notify provider of significant performance deviations