EU AI Act Article 12 logging for AI agents.
Article 12 requires high-risk AI systems to automatically record events over their lifetime, with a retention floor of roughly six months — enforceable by 2 August 2026, with penalties up to €15M or 3% of global turnover. a2a cloud's Ed25519-signed receipts are a literal answer: recorded automatically on every run, retained past the floor, and tamper-evident by construction.
automatic · retained ≥180d · tamper-evident
Automatic, retained, tamper-evident logs — or a fine.
Article 12 doesn't ask for logs in general. It asks for events recorded automatically over the system's lifetime, retained long enough for post-market monitoring, and traceable enough to identify risk. Bolt-on application logging fails all three quietly: an agent path that skips logging, rotation that ages records out before six months, and free text that never ties an action to a caller and an authority. By 2 August 2026 that gap carries a penalty up to €15M or 3% of worldwide turnover.
Receipts are the record-keeping obligation, satisfied.
A receipt is emitted by the runtime on every run, retained past the floor, and signed so any change is detectable. The /compliance layer turns those same receipts into decision records for the transparency and oversight duties in Articles 13 and 14.
Automatic, not opt-in
Article 12 requires logs to be recorded automatically over the system's lifetime. Receipts are emitted by the runtime on every run — there is no code path where an agent executes without producing one.
Six-month floor, enforced
The Article guidance points at a minimum retention period. a2a cloud enforces a 180-day retention floor on receipts, grants, and audit records — the six-month floor is a platform default, not a policy you have to remember.
Traceable events
Article 12 wants events relevant to identifying risk and post-market monitoring. Each receipt records inputs, outputs, tool calls, caller identity, and the authorizing grant — the who, what, and under-what-authority of every decision.
Decision records for Article 13/14
The /compliance layer projects receipts, grants, and audit into human-readable decision records — the transparency and human-oversight surface Articles 13 and 14 expect, built from the same signed source.
Tamper-evident by design
Logs used for oversight are only useful if they can't be quietly rewritten. Ed25519 signatures and hash-chaining make any alteration or deletion detectable — governed agent execution a market-surveillance authority can verify.
Portable evidence
When a notified body or authority requests records, you export signed receipts they verify independently — not a database dump they have to take your word on.
Bolt-on logging vs. signed receipts.
Frequently asked.
What does EU AI Act Article 12 require for logging?
Article 12 requires that high-risk AI systems automatically record events (logs) over their lifetime, sufficient to identify risks and support post-market monitoring. The associated retention expectation is at least six months. On a2a cloud, every agent run emits an Ed25519-signed receipt automatically, and a 180-day retention floor is enforced — a literal answer to the automatic-recording and retention obligations.
When does EU AI Act agent logging become enforceable?
Obligations for high-risk systems phase in through 2026, with key logging and record-keeping duties landing by 2 August 2026. Non-compliance carries penalties up to €15 million or 3% of global annual turnover, whichever is higher, so having automatic, retained, tamper-evident logs in place before the deadline matters.
Are signed receipts sufficient for Article 12 record-keeping?
Receipts directly satisfy the technical core of Article 12: automatic recording, traceability of events, retention, and integrity. Full compliance still involves risk management, documentation, and human oversight duties across Articles 9–15. What receipts remove is the hardest technical part — producing complete, tamper-evident, retained event logs that a market-surveillance authority can verify independently.
How does this connect to human oversight under Articles 13 and 14?
The a2a cloud compliance layer projects receipts, scoped grants, and audit into human-readable decision records. That gives operators the transparency and traceability Articles 13 and 14 expect for human oversight — every decision, its inputs, and the authority behind it — built from the same signed source as the raw logs. See the /compliance page.
What penalties apply for missing agent logging under the EU AI Act?
For breaches of the high-risk obligations that include Article 12 logging, the AI Act allows administrative fines up to €15 million or 3% of total worldwide annual turnover for the preceding year, whichever is higher. Automatic, retained, signed receipts are a concrete way to evidence the logging duty rather than argue about mutable logs after the fact.
Related guides.
All guides live in the guides index.
Log automatically. Prove it cryptographically.
a2a cloud deploys any agent — LangGraph, OpenAI Agents SDK, CrewAI, or custom — with a managed Postgres database, an MCP server, an API, a frontend, and an Ed25519-signed receipt for every run. Automatic recording, a 180-day retention floor, and a decision-records layer at /compliance. Article 12, answered by the platform rather than a checklist.