Under the EU AI Act, high-risk AI systems are subject to a minimum retention period of ten years for AI logging. Responsibility lies with both providers and deployers, depending on their role in the chain. In this article, we answer the most frequently asked questions about retention requirements, responsibilities, and the relationship with the GDPR, so that you know exactly where your organization stands. If you’d like to learn more about how AI-driven intelligence can be used responsibly, read more about AI-driven intelligence.
What legal rules apply to the retention of AI logs?
The primary legal basis for retaining AI logs is the EU AI Act (Regulation (EU) 2024/1689). For high-risk AI systems, the regulation requires that logs be automatically generated and retained so that the system’s performance can be demonstrated retrospectively. In addition, the GDPR and sector-specific regulations serve as supplementary frameworks.
The EU AI Act took effect on August 1, 2024, but the requirements will be phased in. For high-risk AI systems covered by Annex III, most compliance requirements will become enforceable as of August 2, 2026. This means that organizations already using such systems must actively prepare for compliance.
High-risk AI includes systems in domains such as biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration, and the administration of justice. If you use AI within one of these domains, the strictest logging requirements apply. For low-risk AI, the obligations are less stringent, but transparency requirements still apply.
How long, specifically, should you retain AI logs?
For high-risk AI systems, the EU AI Act mandates a retention period of ten years. Importers of high-risk systems are required to retain the technical documentation and declaration of conformity for ten years after the system is placed on the market. The same timeframe applies to the system’s automatically generated logs, unless sector-specific rules require a longer retention period.
In practical terms, this means the following:
- High-risk AI (Annex III): Retain for at least ten years, starting from the date the system was put into operation or the decision was made.
- GPAI models: Technical documentation in accordance with Annex XI and Annex XII must be kept up to date for as long as the model is available, plus the period specified by national regulatory authorities.
- AI with limited or minimal risk: There is no explicit retention period in the AI Act, but the GDPR and other legislation may still impose retention periods.
Please note that the GDPR may require shorter retention periods for personal data contained in logs. This creates a conflict: the AI Act requires long-term retention for audit purposes, while the GDPR requires minimal data processing. The solution is typically to pseudonymize or aggregate personal data in the logs, so that both obligations are met.
Who is responsible for AI logging: the provider or the user?
Both the provider and the deployer (user) are responsible for AI logging, but in different areas. The provider is responsible for building a system that automatically generates the required logs. The deployer is responsible for storing, managing, and making those logs available to regulators.
The AI Act makes an important distinction between roles in the chain:
- Provider: Develops or commissions the development of an AI system and brings it to market. Responsible for incorporating logging functionality and preparing technical documentation.
- Deployer: Deploys an existing AI system for its own purposes. Responsible for storing the generated logs and complying with the terms of use.
- Importer and distributor: must verify that the conformity assessment has been conducted and retain documentation for ten years.
A key point to note is Article 25 of the AI Act: a deployer or distributor may inadvertently acquire the status of provider. This happens when you put your own name on a system, make a substantial modification, or change the intended purpose in such a way that the system becomes high-risk. In that case, all the obligations of a provider apply, including the full logging requirement. It is therefore advisable to start keeping a register of all AI systems and the role your organization plays in them right away.
What exactly needs to be recorded in AI logs?
For high-risk AI systems, logs must contain at a minimum: the period during which the system was used, the reference database against which the system verified input, the input data that led to a specific outcome, and the identities of the natural persons involved in verifying the results. The exact content depends on the type of system and the domain of application.
In practice, this involves the following categories of log data:
- Operational logs: when the system was active, which version was used, and what data entries were processed.
- Decision logs: what outcomes the system generated and based on which parameters.
- Human oversight: when and how a human operator reviewed, approved, or overrode the result.
- Incident logs: anomalies, errors, or unexpected system behavior.
- Access logs: who had access to the system and the associated data.
For GPAI models, additional documentation requirements apply in accordance with Annex XI and Annex XII, including a summary of the training data used and information about the model’s capabilities and limitations. Providers of models posing a systemic risk must also report serious incidents to the AI Office without delay.
How does AI logging relate to the GDPR and privacy laws?
AI logging and the GDPR are at odds with one another. The AI Act requires extensive and long-term logging for auditability and oversight, while the GDPR applies the principle of data minimization: you may not process more personal data than is strictly necessary. Organizations must comply with both obligations simultaneously.
The practical solution lies in a combination of technical and organizational measures:
- Pseudonymization: Replace direct identifiers in logs with codes so that the data can no longer be directly traced back to an individual without an additional key.
- Aggregation: Whenever possible, store aggregated data rather than individual decisions.
- Access Restrictions: Limit access to logs to employees with a demonstrable need, and document that access yourself.
- Align retention periods: Set different retention periods for personal data and technical system data.
Also, don’t forget that the GDPR requires a lawful basis for any processing of personal data, including that contained in AI logs. Typically, this is a legitimate interest or a legal obligation. Document this basis in your processing register and link it to the AI system register required by the AI Act.
What are the consequences of insufficient AI logging?
Inadequate AI logging can result in substantial fines, loss of market access, and reputational damage. The AI Act features a three-tiered fine structure: violations of prohibited practices can result in fines of up to 35 million euros or 7% of global annual revenue. Non-compliance with other obligations, including logging requirements, can result in fines of up to 15 million euros or 3%.
In addition to financial penalties, there are also operational and legal risks:
- Regulatory intervention: National market surveillance authorities may suspend or prohibit the use of a system until the logging requirements are met.
- Liability: In the event of an incident or complaint, without adequate logs, you cannot prove that the system functioned correctly, which seriously weakens your legal position.
- Loss of trust: Customers, partners, and contracting authorities expect demonstrable compliance. Missing logs directly undermine that trust.
- GDPR fines: If your logs contain personal data that is not managed properly, you also risk a penalty from the Dutch Data Protection Authority.
In January 2026, Finland became the first EU member state to grant enforcement powers under Article 99 to its supervisory authority. This signals that enforcement is rapidly becoming a reality. Organizations that do not yet have a logging policy are at real risk.
How Pegamento Helps with AI Logging and Compliance
Responsible AI implementation starts with the right infrastructure. At Pegamento, we help organizations set up AI systems that comply with the requirements of the EU AI Act, the GDPR, and sector-specific regulations. Our approach focuses on concrete, manageable steps, without unnecessary complexity.
What we can do for you:
- Setting up an AI system registry: We’ll help you create an overview of all AI systems in use, including the division of roles (provider, deployer, importer) and risk classification.
- Setting up a logging architecture: We ensure that the right data is automatically recorded, while maintaining a balance between AI Act requirements and GDPR compliance.
- Using Agentic AI responsibly: Our Agentic AI for customer service is built with auditability as a core principle, ensuring that every decision is traceable. Agentic AI is the evolution of traditional RPA bots: instead of merely following instructions, these self-thinking assistants take the initiative on their own and act proactively.
- One-stop shop: from consulting and implementation to management and support—all under one roof, without having to manage multiple vendors.
- ISO 27001-certified security: Our processes are certified under ISO 27001 (information security), ISO 9001, and ISO 26000, so you can rely on a solid foundation.
Would you like to know where your organization currently stands in terms of AI logging and compliance? Contact us, and we’d be happy to help you figure it out.
FAQ broken data: JSON decode failed: Syntax error


