Source: OJ L, 2024/1689, 12.7.2024

Current language: EN

Article 19 Automatically generated logs


Summary What does Article 19 of the AI act regulation say?

This article establishes the log retention obligations for providers of high-risk AI systems, building directly on Article 12, which requires those systems to be capable of automatically generating logs in the first place.

Here, the focus shifts to how long those logs must be kept.

The retention obligation only applies to logs that are actually under the provider's control, and a minimum retention period of six months is set, subject to any overriding Union or national law, including data protection rules.

A carve-out is also provided for providers that are financial institutions, who may fold their log retention into their existing documentation obligations under Union financial services law.

Important points:

  • Retain the automatically generated logs of your high-risk AI systems for a minimum of six months, to the extent those logs are under your control.
  • The six-month minimum can be overridden by applicable Union or national law, including Union data protection law.
  • Providers that are financial institutions subject to Union financial services law can satisfy this obligation by maintaining the logs as part of their documentation under that law.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Providers of high-risk AI systems shall keep the logs referred to in Article 12(1), automatically generated by their high-risk AI systems, to the extent such logs are under their control. Without prejudice to applicable Union or national law, the logs shall be kept for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in the applicable Union or national law, in particular in Union law on the protection of personal data.

    1. Providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation kept under the relevant financial services law.

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod