EU frameworkGDPRNIS 2DORAAI ActWhistleblowing
Article 19

Automatically generated logs

Artificial Intelligence Act · UE 2024/1689

Automatically generated logs

1.   Providers of high-risk AI systems shall keep the logs referred to in Article 12(1), automatically generated by their high-risk AI systems, to the extent such logs are under their control. Without prejudice to applicable Union or national law, the logs shall be kept for a period appropriate to the intended purpose of the high-risk AI system, of at least six months, unless provided otherwise in the applicable Union or national law, in particular in Union law on the protection of personal data.

2.   Providers that are financial institutions subject to requirements regarding their internal governance, arrangements or processes under Union financial services law shall maintain the logs automatically generated by their high-risk AI systems as part of the documentation kept under the relevant financial services law.

Luxembourg specificity
AI Act (UE 2024/1689), articles 12 et 19 ; supervision CSSF au titre de la législation services financiers

In Luxembourg, the AI market surveillance authority has not yet been formally designated to date, but regulated financial-sector providers remain under the supervision of the CSSF, which expects these logs to be embedded in the prudential documentation kept under financial services law. The personal-data dimension of the logs falls to the CNPD, which ensures the retention period stays justified and minimised.

Luxgap practice: for a CSSF-regulated fintech or bank, we configure the log vault to produce a dual export, one for Article 19 AI Act compliance and one attached to your prudential documentation, to avoid any divergence between the two frameworks.