The retention floor, in one line.
EU AI Act Article 12 logs must be kept for at least six months. The floor is set by Article 19(1) of Regulation (EU) 2024/1689 for the provider and by Article 26(6) for the deployer, each at a period appropriate to the intended purpose of the system, of at least six months, unless Union or national law requires longer. Article 12(1) creates the duty to record automatically over the lifetime of the system. It carries no end date. The number sits in Articles 19 and 26.
The sections below separate the recording duty from the retention duration, place the provider floor next to the deployer floor, mark where the clock starts, and name what resets it. Run them against a production agent and any record that cannot survive to the floor is the gap an inspection finds first.
Where the duration actually comes from.
Article 12(1) is a capability duty, not a retention duty. It binds the high-risk system to record events automatically across its working life. Read on its own, it sets no number — the recording horizon is the lifetime of the system, which is wider than any retention floor, and that breadth is the point of confusion. The duration lives one article away.
Article 19(1) is the operative retention clause for the provider. It takes the Article 12 logs that are under the provider's control and fixes a keep-period: appropriate to the intended purpose, of at least six months. Article 26(6) does the same on the deployer side. Quoting Article 12 for the duration produces the right obligation and the wrong number.
Provider and deployer · two floors, same length.
Both sides keep records, and both floors run to at least six months. The provider is responsible for the high-risk system being able to generate the logs at all, under Article 12(1), and keeps the logs that fall under its control under Article 19(1). The deployer keeps the logs that come under its control under Article 26(6), the deployer-side mirror of the provider clause. The two are not alternatives. In a managed-service deployment the export feed and the parallel retention duty land on different parties, so neither carries the whole record alone. The full deployer-side read is in the Article 26 deployer obligations, line by line.
When six months is the wrong answer.
The floor is the minimum a regulator accepts, not the figure most regulated firms will land on. Sectoral law pushes the actual horizon out wherever it touches the same record. MiFID II Article 16(7) runs five years for orders and decisions to deal. The Medical Device Regulation Article 10(8) runs ten years, fifteen for implantable devices. Where one of these reaches the same log, it controls, and the six-month line stops mattering.
A six-month rolling window destroyed twelve months ago is not an answer to a regulator's request twelve months and one day after the event. A retention design that overwrites on the minimum boundary tends to fail the first time it is tested.
The clause carries its own upper-bound pressure too. The phrase in particular in Union law on the protection of personal data is the GDPR hook: where a log holds personal data, storage-limitation under Regulation (EU) 2016/679 caps how long it may be kept, and the deployer settles on a per-use-case figure that satisfies the AI Act floor and the GDPR ceiling at once.
Adjacent regimes · their own retention clocks.
An AI agent in a regulated US firm answers to retention rules that are not the AI Act's. Two matter most. NYDFS 23 NYCRR 500.6(a)(2) requires an audit trail designed to detect and respond to cybersecurity events, and § 500.6(b) sets its keep-period: three years for the audit-trail records, and five years for the reconstruction records under § 500.6(a)(1). The 16 October 2024 NYDFS Industry Letter applies Part 500 to AI without writing a new rule. The full read is in why standard logs do not satisfy § 500.6.
US bank model risk guidance sets a documentation expectation rather than a fixed retention number. SR 26-2, issued 17 April 2026 (OCC Bulletin 2026-13) by the Federal Reserve, OCC and FDIC, supersedes SR 11-7 and SR 21-8 and carries the documentation pillar into a principles-based, risk-tailored restatement with explicit AI and machine-learning scope. It asks for documentation that allows informed parties to understand the model, kept current across the examination cycle. The line-by-line read is in SR 26-2 / SR 11-7, line by line.
| Regime · record | What is kept | Floor |
|---|---|---|
| EU · provider | Article 12 automatic event logs under provider control. | ≥ 6 mo · Art. 19(1) |
| EU · deployer | Article 12 logs under deployer control. | ≥ 6 mo · Art. 26(6) |
| NY · audit trail | 23 NYCRR 500.6(a)(2) audit trail of cybersecurity events. | 3 yr · 500.6(b) |
| NY · reconstruction | 23 NYCRR 500.6(a)(1) records to reconstruct transactions. | 5 yr · 500.6(b) |
| US · documentation | SR 26-2 model documentation that informed parties can understand. | Exam-cycle current |
When the clock starts · and what resets it.
The retention duty is live only once the obligation applies. For Annex III standalone high-risk systems, Article 12 and Article 26 apply on 2 December 2027 — deferred from 2 August 2026 by the Digital Omnibus (adopted: European Parliament 16 June 2026, Council 29 June 2026). Article 50 transparency is a separate track: it was never deferred and applies on 2 August 2026. Do not read the Annex III deferral onto the Article 50 dates. The deferral read in full is in the Omnibus, read against the record.
A substantial modification restarts the count. Article 25(1)(c) treats any person who makes a substantial modification under Article 3(23) as the provider of the modified system, with the full Article 16 stack. A fresh Article 12 recording perimeter opens and a fresh Article 19 retention clock starts from the date of the change. The earlier six months does not carry forward. The obligation read end to end is in Article 12, line by line, and the record set across regimes is in the records an AI agent must keep.
Questions a compliance officer asks first.
Read the source directly.
- Regulation (EU) 2024/1689 · EUR-Lex CELEX:32024R1689
- Article 12 record-keeping · annotated text
- Article 19 automatically generated logs · retention
- Article 26 obligations of deployers of high-risk AI systems
- 23 NYCRR Part 500 · Second Amendment (1 November 2023, PDF)
- Federal Reserve / OCC / FDIC SR 26-2 · Revised Guidance on Model Risk Management (17 April 2026) · current; supersedes SR 11-7
- Article 12, line by line · the record obligation read in full
- The records an AI agent must keep · the full record set
- Audit-ready evidence for an AI agent · the per-action record
- Article 26 deployer obligations · the deployer-side floor
Authored by Warrant Compliance, the regulatory-analysis function at Warrant. [email protected]. Editorial commentary on regulatory text. Not legal advice. The verbatim quotations of Article 19(1) and Article 12(1) reflect the official English-language text of Regulation (EU) 2024/1689 as published in the Official Journal of the European Union on 12 July 2024. The 23 NYCRR § 500.6 text reflects the Second Amendment effective 1 November 2023. The SR 26-2 reference reflects the 17 April 2026 guidance (OCC Bulletin 2026-13), which supersedes SR 11-7 and SR 21-8 with a principles-based, risk-tailored restatement and explicit AI and machine-learning scope.