EU AI Act Logging Requirements: What Engineers Need to Build — G8KEPR Blog
Compliance · 9 min read · February 25, 2026

Article 12 of the EU AI Act mandates automatic logging of AI system operations. This is not a check-the-box compliance exercise — it requires substantive engineering. Here is exactly what the regulation requires and what to build.

Most AI compliance guides describe what Article 12 of the EU AI Act requires in legal language. This post translates those requirements into engineering specifications — what data to capture, where to store it, how long to keep it, and what format it should be in.

What Article 12 Actually Requires

Article 12 requires high-risk AI systems to automatically generate logs that enable monitoring for compliance. The logs must capture operations throughout the lifecycle, be protected from unauthorized access, and be retained for an appropriate period. For general high-risk systems, that period is at least 6 months. For biometric and law enforcement systems, longer periods apply.

Engineering Specification: Required Log Events

  • Every inference request: timestamp, model version, input data characteristics (not necessarily full content), output decision, confidence score
  • Human oversight interventions: when a human reviews or overrides the AI system's output, log the intervention with timestamp, operator ID, original output, and modified output
  • System state changes: model version updates, configuration changes, policy updates
  • Errors and anomalies: any deviation from expected behavior, including inputs that triggered safety filters
  • Access events: who accessed the system, when, and what actions they took

Tamper Evidence Requirements

The regulation requires logs to be protected from unauthorized modification. The practical engineering interpretation is tamper-evident logging — logs that can prove they have not been modified. Implementations range from simple cryptographic hash chaining to dedicated audit log services with write-once storage.

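```python
# Simple hash-chaining approach for tamper-evident logs
import hashlib, json, time

prev_hash = "genesis"

def write_log_entry(event: dict) -> dict:
    global prev_hash
    entry = {
        "timestamp": time.time(),
        "event": event,
        "prev_hash": prev_hash,
    }
    # The hash covers timestamp, event and prev_hash (the "hash" key is not set yet)
    entry["hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()
    ).hexdigest()
    # Advance the chain so the next entry commits to this one
    prev_hash = entry["hash"]
    # Store entry in append-only log
    return entry
```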
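
A verifier for this kind of chain, as an added example (not code from the original post or from G8KEPR): it recomputes each entry's hash and link, and shows that a truncated log still verifies on its own unless the latest hash is also kept outside the log store. The helper names, the `anchored_head` parameter and the sample events are constructed for illustration.

```python
import hashlib, json
from typing import Optional

GENESIS = "genesis"  # same starting value as the snippet above

def entry_hash(entry: dict) -> str:
    # Hash every field except "hash" itself, serialised with sorted keys.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log: list, event: dict, timestamp: float) -> dict:
    # Each new entry commits to the hash of the entry before it.
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"timestamp": timestamp, "event": event, "prev_hash": prev}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry

def verify_chain(log: list, anchored_head: Optional[str] = None):
    """Return (ok, index of first bad entry or None, reason)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev_hash") != prev:
            return False, i, "broken link (entry removed, inserted or reordered)"
        if entry.get("hash") != entry_hash(entry):
            return False, i, "content does not match stored hash"
        prev = entry["hash"]
    # The chain alone cannot reveal a removed tail, so compare the final
    # hash with a copy kept outside the log store (assumed to exist).
    if anchored_head is not None and prev != anchored_head:
        return False, None, "head differs from externally anchored value"
    return True, None, "ok"

def build_sample_log() -> list:
    # Constructed sample events modelled on the event types listed earlier.
    log = []
    append(log, {"type": "inference", "model_version": "v1", "decision": "approve"}, 1000.0)
    append(log, {"type": "human_override", "operator_id": "op-17",
                 "original": "approve", "modified": "deny"}, 1001.0)
    append(log, {"type": "config_change", "detail": "threshold 0.8 -> 0.7"}, 1002.0)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log))
    log[1]["event"]["modified"] = "approve"  # edit a stored override record
    print(verify_chain(log))
```
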

Data Minimization Tension

Article 12 requires logging for compliance monitoring, but GDPR requires data minimization. These obligations create tension — you must log enough to demonstrate compliance, but not so much that you create unnecessary retention of personal data. The resolution: log data characteristics and outcomes rather than full input content wherever possible.

G8KEPR's audit logging captures all Article 12 required events with configurable redaction policies that balance compliance completeness with GDPR data minimization requirements.
