The AI Act imposes specific logging requirements on customer service systems as soon as a system is classified as high-risk. This means you must automatically and verifiably track when an AI system is active, what decisions it makes, and based on what input. For contact centers and customer service departments that use automated routing, AI chatbots, or automated decision support, this is an immediate compliance requirement. In this article, we answer the most frequently asked questions about AI Act logging requirements for customer service systems.
Which AI systems used in customer service are covered by the AI Act?
Not every AI system used in customer service is automatically subject to the strictest provisions of the AI Act. The law uses a risk classification system: only systems classified as high-risk are subject to extensive logging and documentation requirements. Most standard chatbots and FAQ assistants fall into the limited-risk category, with less stringent transparency requirements.
Systems in the high-risk category include AI applications that support decisions regarding access to essential services. Examples include automated systems that determine whether a customer is eligible for benefits, insurance, or an emergency call. Systems that profile natural persons are also always considered high-risk, regardless of the context.
In most commercial customer service environments, AI that summarizes conversations or provides suggestions to agents generally falls outside the high-risk category. However, as soon as an AI system influences decisions with significant consequences for customers—such as prioritizing emergency calls or providing credit-related services—stricter obligations come into effect. It is wise to explicitly document, for each system, why it is or is not high-risk.
What exactly should AI system log files contain?
Log files from high-risk AI systems must contain sufficient information to enable the system’s performance to be assessed and verified retrospectively. Specifically, this involves the automatic recording of activity periods, the input data processed, the output generated, and any decisions or recommendations made by the system.
The AI Act requires that logs record at least the following:
- The times when the system was active
- The reference database or input data used for a specific decision
- The identities of the individuals who operated or authorized the system
- Information about the verification steps that have been performed
- Cases in which the system produced results that fell outside a certain threshold
The purpose of these requirements is traceability. If a customer objects to a decision made (in part) by an AI system, you must be able to demonstrate what the system did and on what basis. Logging is therefore not only a technical requirement but also a tool for accountability toward customers and regulators.
How long should AI logs be retained?
For high-risk AI systems, a retention period of at least ten years applies, starting from the date on which the system was last active or made its last relevant decision. This period also applies to the associated technical documentation and declarations of conformity.
The ten-year period was deliberately chosen to be long. AI decisions may not become relevant in legal or regulatory proceedings until years later, for example, when a customer subsequently demonstrates demonstrable harm. By retaining logs for an extended period, it remains possible to reconstruct and account for historical decisions.
In practical terms, this means that your storage infrastructure and archiving policy must be designed with this in mind. Logs should not simply be deleted when a system is replaced or decommissioned. Also, ensure that archives remain searchable and readable, even if the underlying software has changed in the meantime.
Who is responsible for the logging requirements: the supplier or the user?
Responsibility for logging obligations is shared, but the division of responsibility depends on the role each party plays. The AI Act distinguishes between the provider (the party that develops or markets the system) and the user or deployer (the organization that uses the system in its own business operations). Both parties have their own obligations.
The provider is responsible for incorporating logging functionality into the system itself. The system must be technically capable of automatically recording the required data. The provider also supplies the technical documentation demonstrating that the system has been designed in compliance with the requirements.
The deployer—that is, the organization that deploys the AI system for customer service—is responsible for actually activating and retaining those logs. As a deployer, you cannot simply rely on the supplier to handle this. If you deploy the system, you are responsible for compliance within your environment. This also applies if you modify, rename, or use the system for a purpose other than its original intent. In that case, you yourself become the provider, with all the associated obligations.
How does AI Act logging relate to GDPR obligations?
The AI Act’s logging requirements and the GDPR’s requirements overlap to some extent, but they have different primary objectives. The GDPR focuses on the protection of personal data and limits how long and for what purposes you may retain that data. The AI Act focuses on the traceability and accountability of AI decisions. These two objectives may be at odds with one another.
Specifically: The AI Act requires you to retain logs for ten years, while the GDPR calls for data minimization and limited retention periods for personal data. If your AI logs contain personal data—which is almost always the case with customer service systems—you must comply with both sets of regulations at the same time.
The practical solution is to separate log data. Where possible, store the technical decision-making logic and system activity separately from directly identifiable personal data. Use pseudonymization or anonymization for elements subject to the GDPR, while maintaining the traceability required by the AI Act. Explicitly document in your processing record how you reconcile the two regimes. This requires collaboration between your IT department, privacy officer, and the AI system vendor.
What are the consequences of failing to comply with the logging requirements?
Failure to comply with the logging requirements under the AI Act may result in substantial fines. For non-compliance with the obligations for high-risk AI systems, including the logging requirements, the maximum fine is 15 million euros or 3% of global annual revenue, whichever is higher. For smaller organizations, the lower of the two amounts applies.
In addition to financial penalties, there are also operational risks. Regulators may require you to temporarily take a system offline until you can demonstrate that compliance is in order. In sectors such as government, healthcare, or utilities, this can have direct consequences for the services provided to customers.
Enforcement of the AI Act is organized on a decentralized basis: national market surveillance authorities are responsible for high-risk AI systems. This means that enforcement priorities and intensity may vary by Member State. In January 2026, Finland became the first Member State to activate formal enforcement powers. In the Netherlands, the process of designating the competent authority is still ongoing, but enforcement is expected to take on a more concrete form in the course of 2026. It is therefore wise to take action now rather than wait until enforcement actually begins.
How Pegamento Helps with AI Act Compliance for Customer Service
We understand that AI Act compliance is a complex challenge for customer service organizations, especially if you have multiple systems from different vendors that aren’t well integrated. That’s exactly the kind of fragmented situation we deal with every day. As an ISO 27001-certified IT specialist (with additional ISO 9001 and ISO 26000 certifications), we take information security and compliance seriously—including in the solutions we implement for you.
Our Agentic AI for customer service was developed with traceability as a core principle. Agentic AI represents the evolution from traditional RPA bots to self-thinking assistants that not only follow instructions but also take the initiative and act independently. Here’s what we can specifically do for you regarding AI Act logging requirements:
- Understanding which AI systems within your customer service department fall under the AI Act and which risk classification applies
- Technical implementation of logging functionality that meets the requirements for high-risk systems
- Aligning the AI Act’s logging requirements with your existing GDPR policy and record of processing activities
- Everything under one roof: from consulting and implementation to management and support, without having to coordinate multiple vendors
- Customized solutions using standard building blocks, so you can quickly achieve compliance without costly custom work
Would you like to know how your current customer service systems measure up in terms of AI Act compliance? Contact us for a no-obligation consultation. We’d be happy to work with you to develop an approach that suits your organization and industry.
Frequently Asked Questions
How do I know if my existing AI system already meets the logging requirements of the AI Act?
Start with an internal audit to verify, for each AI system, whether it automatically records activity periods, input data, output, and decisions. Next, check with your vendor to confirm that the logging functionality is technically built into the system and that documentation is available to demonstrate this. If your system does not produce structured logs, or if those logs are not searchable and cannot be retained long-term, additional technical implementation is necessary before you can be considered compliant.
What if my AI vendor doesn’t offer logging functionality—am I still liable?
Yes, as the deployer, you remain responsible for compliance in your environment, even if the vendor falls short. In that case, you have two options: contractually require the vendor to add the required logging functionality, or switch to a system that is compliant. In any case, document in writing the steps you’ve taken to achieve compliance, so that you can demonstrate you’ve taken active measures in the event of an audit.
My customer service AI falls into the 'limited risk' category—does that mean I have no logging obligations at all?
Not entirely. Low-risk systems are exempt from the stringent logging requirements for high-risk systems, but they are still subject to transparency obligations, such as informing users that they are interacting with an AI system. Furthermore, a system’s risk classification may change if you deploy it for a different purpose or expand it with new functionality, at which point stricter obligations will apply. It is therefore wise to periodically reassess the classification of each system.
How do I practically handle the ten-year retention period when I replace or decommission an AI system?
When decommissioning or replacing a system, ensure that all existing logs are archived in a format that remains readable and searchable even after ten years, regardless of the software that generated them. Export logs to an open or standardized file format such as JSON or CSV and store them in a secure, controlled environment. Explicitly define in your archiving policy who is responsible for managing these historical logs and how access is controlled.
What is the best concrete first step I can take to make my organization AI Act-compliant?
The most effective first step is to create an inventory of all AI systems you use in your customer service operations, including those from third-party vendors. For each system, document its purpose, the decisions it influences, and the potential impact on customers, so you can perform a well-founded risk classification. Based on that inventory, you’ll know which systems require priority technical adjustments and where you need to review contractual agreements with vendors.
Can AI logs be used as evidence in a customer’s legal proceeding?
Yes, and that is precisely one of the reasons why the AI Act imposes logging requirements. If a customer objects to a decision made (in part) by an AI system, logs can serve as evidence—in your favor if the system acted correctly, but also to your organization’s detriment if errors or irregularities are revealed. Therefore, ensure that logs are stored with integrity, unaltered, and equipped with reliable timestamps so that they hold up in court.
How can I best involve my privacy officer in the implementation of AI Act logging requirements?
Involve your privacy officer from the design phase, not just afterward. Have them contribute ideas on how logs are structured, so that pseudonymization or anonymization of personal data is technically built in rather than applied retroactively. Ensure that the AI Act logging requirements are explicitly included in the processing register, including the legal basis for the ten-year retention period, so that you can combine GDPR compliance and AI Act compliance into a single documented policy.


