Does Provenrail make my AI system EU AI Act compliant?

No. It provides the technical record-keeping evidence Article 12 calls for: an automatic, tamper-evident, independently verifiable, timestamped log. Compliance is a broader, system-level determination that rests with you and your advisors.

When does EU AI Act Article 12 start to apply?

The high-risk AI obligations, including the Article 12 record-keeping requirement, apply from 2 August 2026. The AI Act entered into force on 1 August 2024.

Does the EU AI Act require cryptographic logging specifically?

No. Article 12 requires automatic, traceable logging over the system lifetime and does not prescribe a method. But a log that can be altered without detection has little evidentiary weight, so tamper-evidence and trusted time are the prudent way to make it defensible. The harmonised technical standards are still in draft.

How does an auditor verify a Provenrail record?

They run the open-source verifier (pr verify bundle.json) or open the record in a browser at provenrail.com/verify. It recomputes every hash, signature, and RFC 3161 timestamp locally, trusting neither the agent nor the vendor, and reports any tampering.

How long must EU AI Act logs be kept?

Article 19 requires providers to retain the logs for an appropriate period, at least six months unless other Union or national law requires longer. Provenrail bundles are portable and self-contained, and Provenrail hosts no agent records.

EU AI Act compliance

EU AI Act Article 12: the logging requirement, and how to prove you meet it.

From 2 August 2026, providers of high-risk AI systems must keep automatic, traceable logs of what their systems did. Article 12 says the log must exist and be usable for incident reconstruction and post-market monitoring. It does not prescribe the cryptography, but a log that can be edited without a trace carries little weight in an audit. This page explains what the article requires and how to produce technical evidence an auditor can verify independently.

What Article 12 requires Timeline Who it applies to What good evidence looks like How Provenrail maps to it FAQ

Honest framing. Provenrail is technical evidence tooling, not legal advice and not a compliance certification. It produces tamper-evident, independently verifiable records of the kind Article 12 calls for. Whether your overall system is compliant is a determination for you and your qualified advisors. We give you the evidence; you provide the attestation.

What Article 12 actually requires

Article 12 ("Record-keeping") of Regulation (EU) 2024/1689 requires that high-risk AI systems technically allow for the automatic recording of events (logs) over the lifetime of the system. The logging must, at minimum, enable:

identifying situations that may cause the system to present a risk, or to undergo a substantial modification;
facilitating post-market monitoring of the system in operation; and
monitoring the operation of high-risk systems by deployers.

In plain terms: the system must keep an automatic, traceable record of what it did, over its whole operating life, detailed enough that someone can later reconstruct what happened and spot when something went wrong. Article 19 then requires providers to keep those logs for an appropriate period (at least six months unless other law requires longer), and Article 26 places parallel logging-retention duties on deployers.

The timeline that matters

1 August 2024: the AI Act entered into force.
2 August 2026: the obligations for high-risk AI systems, including the Article 12 record-keeping requirement, become applicable.
No finalised technical standard yet: the harmonised standards that will detail "how" are still in draft. That uncertainty is exactly why a defensible, externally anchored evidence approach is the safe path: it survives whatever the standard lands on.

Who this applies to

Article 12 applies to high-risk AI systems as defined in the Act (largely the Annex III categories): AI used in areas such as employment and worker management, access to credit and essential services, biometrics, critical infrastructure, education and exam scoring, healthcare, law enforcement, and migration. If you build or deploy an AI agent that operates in one of those areas, the logging obligation is likely to reach you. If you build general developer tools or low-risk applications, Article 12 may not apply, but the same tamper-evident record is still what settles a client dispute or an incident post-mortem.

What "good" logging evidence looks like

A log satisfies the spirit of Article 12 only if it can be trusted after the fact. Three properties separate a defensible record from a text file anyone could edit:

Tamper-evident. Any alteration, deletion, reordering, or insertion after the fact is detectable. A plain database row or log line is not: whoever controls the store can change it silently.
Independently verifiable. An auditor can confirm the record is intact without trusting you, ideally with open tools and no account. "Trust our dashboard" is not evidence.
Reliably timed. When something happened is provable against an independent time authority, so the timing cannot be back-dated, even by the operator.

How Provenrail provides the technical evidence

Provenrail records every model call, tool call, decision, and human-oversight action your agent takes into an off-box, hash-chained, append-only sink. On Builder and higher, each anchor carries an RFC 3161 trusted timestamp and is included in a witnessed public transparency log. Anyone can verify the result with the open-source pr verify tool, trusting neither the agent nor the vendor. The Team plan turns a run into a one-click evidence pack mapped to the article.

Article 12 expectation	What Provenrail records as evidence
Automatic recording of events over the lifetime	Every model/tool call, decision, and oversight event captured automatically, with a genesis and seal per session.
Identifying risk situations (Art. 12(2)(a))	Model calls, tool calls, data-access and decision events recorded in order, so a risk situation can be reconstructed.
Deployer monitoring (Art. 12(2)(c) / Art. 26(5))	Per-event actor, action, target, and outcome, exportable for the deployer.
Record integrity and reliable time	Dual hash chain (tamper-evident on every plan) plus RFC 3161 trusted timestamps (Builder and higher) so timing is independently provable.
Human oversight (Art. 14) where applicable	Human-oversight approvals recorded as first-class, signed events.
Retention (Art. 19 / 26)	Portable, self-contained bundles you retain for as long as the law requires; we host no agent records.

Generate the mapped report yourself, free and on your own machine:

pr report --regime eu-ai-act my-run.json --md

It produces a plain-English attestation: what was recorded, whether integrity verified, the events breakdown, and how each maps to Article 12, with an honest note wherever trusted time is absent.

Produce your first record Verify a record in your browser See plans

What this is not. Producing an Article 12-mapped evidence record does not, by itself, make you compliant with the AI Act. Compliance is a system-level determination involving risk management, data governance, transparency, human oversight, and more. Provenrail addresses the record-keeping evidence layer. Recorded time is independently reliable only where an RFC 3161 trusted-time anchor is present.

FAQ

Does Provenrail make my AI system EU AI Act compliant?: No. It provides the technical record-keeping evidence Article 12 calls for: an automatic, tamper-evident, independently verifiable, timestamped log. Compliance is a broader, system-level determination that rests with you and your advisors.
When does Article 12 start to apply?: The high-risk obligations, including Article 12, apply from 2 August 2026. The Act itself entered into force on 1 August 2024.
Does the AI Act require cryptographic logging specifically?: No. The article requires automatic, traceable logging and does not prescribe a method. But a log that can be altered without detection has little evidentiary weight, so tamper-evidence and trusted time are the prudent way to make the log defensible. The harmonised technical standards are still in draft.
How does an auditor check a Provenrail record?: They run the open-source verifier (pr verify bundle.json) or open it in a browser at provenrail.com/verify. It recomputes every hash, signature, and timestamp locally, trusting neither the agent nor the vendor, and reports any tampering.
How long do I keep the logs?: Article 19 requires providers to retain the logs for an appropriate period, at least six months unless other Union or national law requires longer. Provenrail bundles are portable and self-contained, so you keep them wherever you retain records; we host no agent records.

Sources: Regulation (EU) 2024/1689 (the AI Act), Articles 12, 14, 19, 26 and Annex III. This page summarises the regulation for engineering audiences and is not legal advice; consult the official text and qualified counsel.

← Back to home