Source: OJ L, 2024/1689, 12.7.2024Current language: EN
- Artificial intelligence act
Basic legislative acts
- AI act regulation
Article 12 Record-keeping
Summary What does Article 12 of the AI act regulation say?
This article sets out the logging and automatic event-recording requirements for high-risk AI systems.
The core obligation is that such systems must be technically capable of automatically recording events throughout their lifetime, with those logs serving the purposes of traceability, post-market monitoring, and operational oversight.
The article connects directly to several other provisions in the regulation, notably Article 72 on post-market monitoring, Article 79 on risk identification, and Article 26(5) on deployer monitoring obligations.
A more specific set of minimum logging requirements is imposed on a particular subset of high-risk AI systems — those falling under point 1(a) of Annex III, which relates to biometric identification systems — requiring granular records such as session times, reference databases used, matched input data, and the identity of persons involved in verifying results.
Important points:
- Ensure high-risk AI systems are technically built to automatically record events across their entire lifetime.
- Logging capabilities must cover three purposes: identifying potential risks or substantial modifications, supporting post-market monitoring, and enabling operational oversight by deployers.
- For high-risk AI systems used for biometric identification (Annex III, point 1(a)), a specific minimum set of log data is required, including session timestamps, reference databases, matched inputs, and the identities of result-verifying personnel.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
High-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.
In order to ensure a level of traceability of the functioning of a high-risk AI system that is appropriate to the intended purpose of the system, logging capabilities shall enable the recording of events relevant for:
identifying situations that may result in the high-risk AI system presenting a risk within the meaning of Article 79(1) or in a substantial modification;
facilitating the post-market monitoring referred to in Article 72; and
monitoring the operation of high-risk AI systems referred to in Article 26(5).
For high-risk AI systems referred to in point 1 (a), of Annex III, the logging capabilities shall provide, at a minimum:
recording of the period of each use of the system (start date and time and end date and time of each use);
the reference database against which input data has been checked by the system;
the input data for which the search has led to a match;
the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5).
Relevant recitals
Recital 66 Coverage of mandatory requirements
Requirements should apply to high-risk AI systems as regards risk management, the quality and relevance of data sets used, technical documentation and record-keeping, transparency and the provision of information to deployers, human oversight, and robustness, accuracy and cybersecurity. Those requirements are necessary to effectively mitigate the risks for health, safety and fundamental rights. As no other less trade restrictive measures are reasonably available those requirements are not unjustified restrictions to trade.
Recital 71 Record-keeping and technical documentation
Having comprehensible information on how high-risk AI systems have been developed and how they perform throughout their lifetime is essential to enable traceability of those systems, verify compliance with the requirements under this Regulation, as well as monitoring of their operations and post market monitoring. This requires keeping records and the availability of technical documentation, containing information which is necessary to assess the compliance of the AI system with the relevant requirements and facilitate post market monitoring. Such information should include the general characteristics, capabilities and limitations of the system, algorithms, data, training, testing and validation processes used as well as documentation on the relevant risk-management system and drawn in a clear and comprehensive form. The technical documentation should be kept up to date, appropriately throughout the lifetime of the AI system. Furthermore, high-risk AI systems should technically allow for the automatic recording of events, by means of logs, over the duration of the lifetime of the system.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
conformity assessment
Definition
instructions for use
Definition
provider
Definition
input data
Definition
substantial modification
Definition
deployer
Definition
intended purpose
Definition
placing on the market
Definition
AI system
Definition
risk
Definition
putting into service
Definition
general-purpose AI model