ENTRY № 43 · STATUTORY READING · EU AI ACT · ART. 12 · RETENTION
PUBLISHED 2026-06-19 · ~11-MIN READ · WARRANT COMPLIANCE

How long must EU AI Act Article 12 logs be kept?

At least six months. Article 12(1) of Regulation (EU) 2024/1689 creates the duty to record events automatically over the lifetime of a high-risk AI system, but it sets no number. The retention duration is one article away: Article 19(1) fixes the provider floor at a period appropriate to the intended purpose, of at least six months; Article 26(6) fixes the matching deployer floor at at least six months. Six months is a minimum, not a target — sectoral law pushes the actual horizon longer wherever it touches the same record. A reader who quotes Article 12 for a retention number is quoting the wrong article.

Warrant is regulator-grade evidence infrastructure for AI agents in regulated industries: drop an agent's execution trace, get a record mapped to a specific EU AI Act obligation, independently verifiable without contacting Warrant.

RETENTION FLOOR
≥ 6months
Article 19(1) provider floor and Article 26(6) deployer floor. Sectoral law often runs longer.
SET BY
19(1)· 26(6)
Article 12(1) is the recording duty. The duration lives in Articles 19 and 26.
APPLICATION
2027-12-02
Annex III standalone high-risk, deferred from 2026-08-02 by the Digital Omnibus (adopted June 2026).
01 · THE RETENTION FLOOR

The retention floor, in one line.

EU AI Act Article 12 logs must be kept for at least six months. The floor is set by Article 19(1) of Regulation (EU) 2024/1689 for the provider and by Article 26(6) for the deployer, each at a period appropriate to the intended purpose of the system, of at least six months, unless Union or national law requires longer. Article 12(1) creates the duty to record automatically over the lifetime of the system. It carries no end date. The number sits in Articles 19 and 26.

The providers of high-risk AI systems shall keep the logs referred to in Article 12(1), automatically generated by their high-risk AI systems, to the extent such logs are under their control. Without prejudice to applicable Union or national law, the logs shall be kept for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in the applicable Union or national law, in particular in Union law on the protection of personal data. Regulation (EU) 2024/1689 · Article 19(1) · 13 June 2024

The sections below separate the recording duty from the retention duration, place the provider floor next to the deployer floor, mark where the clock starts, and name what resets it. Run them against a production agent and any record that cannot survive to the floor is the gap an inspection finds first.

"Article 12 says record it. Article 19 says keep it. The number you owe a regulator is the second one."Warrant Compliance · 2026-06-19
02 · WHERE THE DURATION COMES FROM

Where the duration actually comes from.

High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system. Regulation (EU) 2024/1689 · Article 12(1) · 13 June 2024

Article 12(1) is a capability duty, not a retention duty. It binds the high-risk system to record events automatically across its working life. Read on its own, it sets no number — the recording horizon is the lifetime of the system, which is wider than any retention floor, and that breadth is the point of confusion. The duration lives one article away.

Article 19(1) is the operative retention clause for the provider. It takes the Article 12 logs that are under the provider's control and fixes a keep-period: appropriate to the intended purpose, of at least six months. Article 26(6) does the same on the deployer side. Quoting Article 12 for the duration produces the right obligation and the wrong number.

12(1)
Automatic recording of events over the lifetime of the high-risk system. THE DUTY · capability and horizon, no retention number.
19(1)
Provider keeps the Article 12 logs under its control, of at least six months. THE DURATION · provider retention floor.
26(6)
Deployer keeps the Article 12 logs under its control, of at least six months. THE DURATION · deployer retention floor, the mirror of 19(1).
03 · PROVIDER AND DEPLOYER

Provider and deployer · two floors, same length.

Both sides keep records, and both floors run to at least six months. The provider is responsible for the high-risk system being able to generate the logs at all, under Article 12(1), and keeps the logs that fall under its control under Article 19(1). The deployer keeps the logs that come under its control under Article 26(6), the deployer-side mirror of the provider clause. The two are not alternatives. In a managed-service deployment the export feed and the parallel retention duty land on different parties, so neither carries the whole record alone. The full deployer-side read is in the Article 26 deployer obligations, line by line.

19(1)
PROVIDER FLOOR
Provider keeps the Article 12 logs under its control for at least six months, appropriate to the intended purpose.
26(6)
DEPLOYER FLOOR
Deployer keeps the logs under its control for at least six months, the deployer-side mirror of Article 19(1).
04 · WHEN SIX MONTHS RUNS LONGER

When six months is the wrong answer.

The floor is the minimum a regulator accepts, not the figure most regulated firms will land on. Sectoral law pushes the actual horizon out wherever it touches the same record. MiFID II Article 16(7) runs five years for orders and decisions to deal. The Medical Device Regulation Article 10(8) runs ten years, fifteen for implantable devices. Where one of these reaches the same log, it controls, and the six-month line stops mattering.

A six-month rolling window destroyed twelve months ago is not an answer to a regulator's request twelve months and one day after the event. A retention design that overwrites on the minimum boundary tends to fail the first time it is tested.

The clause carries its own upper-bound pressure too. The phrase in particular in Union law on the protection of personal data is the GDPR hook: where a log holds personal data, storage-limitation under Regulation (EU) 2016/679 caps how long it may be kept, and the deployer settles on a per-use-case figure that satisfies the AI Act floor and the GDPR ceiling at once.

05 · ADJACENT REGIMES

Adjacent regimes · their own retention clocks.

An AI agent in a regulated US firm answers to retention rules that are not the AI Act's. Two matter most. NYDFS 23 NYCRR 500.6(a)(2) requires an audit trail designed to detect and respond to cybersecurity events, and § 500.6(b) sets its keep-period: three years for the audit-trail records, and five years for the reconstruction records under § 500.6(a)(1). The 16 October 2024 NYDFS Industry Letter applies Part 500 to AI without writing a new rule. The full read is in why standard logs do not satisfy § 500.6.

US bank model risk guidance sets a documentation expectation rather than a fixed retention number. SR 26-2, issued 17 April 2026 (OCC Bulletin 2026-13) by the Federal Reserve, OCC and FDIC, supersedes SR 11-7 and SR 21-8 and carries the documentation pillar into a principles-based, risk-tailored restatement with explicit AI and machine-learning scope. It asks for documentation that allows informed parties to understand the model, kept current across the examination cycle. The line-by-line read is in SR 26-2 / SR 11-7, line by line.

Regime · record What is kept Floor
EU · provider Article 12 automatic event logs under provider control. ≥ 6 mo · Art. 19(1)
EU · deployer Article 12 logs under deployer control. ≥ 6 mo · Art. 26(6)
NY · audit trail 23 NYCRR 500.6(a)(2) audit trail of cybersecurity events. 3 yr · 500.6(b)
NY · reconstruction 23 NYCRR 500.6(a)(1) records to reconstruct transactions. 5 yr · 500.6(b)
US · documentation SR 26-2 model documentation that informed parties can understand. Exam-cycle current
W
Sample EU evidence package · Warrant registerINDEPENDENTLY VERIFIABLE WITHOUT CONTACTING WARRANT
→ /v/7de85ceaeac42a47
06 · WHEN THE CLOCK STARTS

When the clock starts · and what resets it.

The retention duty is live only once the obligation applies. For Annex III standalone high-risk systems, Article 12 and Article 26 apply on 2 December 2027 — deferred from 2 August 2026 by the Digital Omnibus (adopted: European Parliament 16 June 2026, Council 29 June 2026). Article 50 transparency is a separate track: it was never deferred and applies on 2 August 2026. Do not read the Annex III deferral onto the Article 50 dates. The deferral read in full is in the Omnibus, read against the record.

A substantial modification restarts the count. Article 25(1)(c) treats any person who makes a substantial modification under Article 3(23) as the provider of the modified system, with the full Article 16 stack. A fresh Article 12 recording perimeter opens and a fresh Article 19 retention clock starts from the date of the change. The earlier six months does not carry forward. The obligation read end to end is in Article 12, line by line, and the record set across regimes is in the records an AI agent must keep.

07 · FAQ

Questions a compliance officer asks first.

How long must EU AI Act Article 12 logs be kept?

At least six months. Article 12(1) creates the duty to record events automatically over the lifetime of a high-risk AI system, but it does not set a retention number. The duration is set by Article 19(1) for the provider and Article 26(6) for the deployer, each at a period appropriate to the intended purpose of at least six months, unless Union or national law requires longer.

What is the retention period for AI agent audit logs under the EU AI Act?

At least six months is the floor. Article 19(1) sets the provider floor and Article 26(6) the deployer floor, both at a period appropriate to the intended purpose of at least six months. Six months is a minimum, not a target. Sectoral law often pushes the actual horizon out: MiFID II Article 16(7) runs five years, and the Medical Device Regulation Article 10(8) runs ten years, fifteen for implantable devices. Where a log holds personal data, storage-limitation under the GDPR caps the upper bound.

Does the deployer or the provider keep the Article 12 records?

Both, on parallel floors. The provider is responsible for the high-risk system being able to generate the logs automatically under Article 12(1), and keeps the logs under its control under Article 19(1). The deployer keeps the logs that come under its control under Article 26(6), the deployer-side mirror of the provider clause. In a managed-service deployment the export feed and the parallel retention duty sit on different parties, so neither side carries the whole record alone.

When does the Article 12 retention clock start?

When the obligation applies. For Annex III standalone high-risk systems, Article 12 and Article 26 apply on 2 December 2027, deferred from 2 August 2026 by the Digital Omnibus (adopted: European Parliament 16 June 2026, Council 29 June 2026). Article 50 transparency is a separate track that was never deferred and applies on 2 August 2026. A substantial modification under Article 25(1)(c) opens a fresh Article 19 retention clock from the date of the change.

Does a rolling six-month application log satisfy Article 12 retention?

Not reliably. A rolling window that overwrites at exactly six months leaves nothing to produce on the day a regulator asks about an event that is six months and one day old. Article 19(1) sets a floor appropriate to the intended purpose, and sectoral law frequently requires longer. A retention design that destroys records on the minimum boundary tends to fail the moment it is tested.

How long do NYDFS and SR 26-2 require AI records to be kept?

NYDFS 23 NYCRR 500.6(b) runs three years for the audit-trail records under 500.6(a)(2) and five years for the reconstruction records under 500.6(a)(1). SR 26-2, issued 17 April 2026 and superseding SR 11-7, sets a documentation expectation rather than a fixed number: documentation that allows informed parties to understand the model, kept current across the examination cycle.

How do i produce an Article 12 retention record today?

Drop the high-risk AI system's execution trace at warrant.build/demo. Warrant produces a record mapped to Article 12, tamper-evident, and independently verifiable without contacting Warrant, which a deployer can keep past the six-month floor under Article 19(1) and Article 26(6).

08 · READ THE SOURCE

Read the source directly.

Authored by Warrant Compliance, the regulatory-analysis function at Warrant. [email protected]. Editorial commentary on regulatory text. Not legal advice. The verbatim quotations of Article 19(1) and Article 12(1) reflect the official English-language text of Regulation (EU) 2024/1689 as published in the Official Journal of the European Union on 12 July 2024. The 23 NYCRR § 500.6 text reflects the Second Amendment effective 1 November 2023. The SR 26-2 reference reflects the 17 April 2026 guidance (OCC Bulletin 2026-13), which supersedes SR 11-7 and SR 21-8 with a principles-based, risk-tailored restatement and explicit AI and machine-learning scope.