The Deadline Is Closer Than It Looks

The EU AI Act has moved from policy framework to enforcement reality. On August 2, 2026, obligations for high-risk AI systems under Annex III become enforceable across the European Union — covering AI used in employment, credit, essential services, education, and more.

Regulators are no longer asking whether you have a governance framework. They are asking a sharper question: can you produce evidence of how a specific AI decision was made, reviewed, and controlled?

Two provisions sit at the center of that question: Article 12 (record-keeping) and Article 13 (transparency). Together they redefine what it means to operate AI responsibly. They do not merely require documentation — they require structured, accessible, and verifiable records.

1. Article 12 — Record-Keeping and Traceability

Article 12 requires that high-risk AI systems technically allow for the automatic recording of events ("logs") over the lifetime of the system. The logging must enable a level of traceability appropriate to the system's intended purpose.

In practice, that means capturing:

Requirement What it means in practice
Automatic event logging The system records relevant events without manual intervention
Lifetime coverage Records persist across the system's operational life, not just at test time
Traceability of function Logs make it possible to reconstruct what the system did and when
Risk identification Logs help identify situations that may present a risk or trigger substantial modification

The intent is clear: when something goes wrong — or when an auditor asks — the organization must be able to reconstruct the decision trail, not reassemble it from memory.

2. Article 13 — Transparency and Information to Deployers

Article 13 requires that high-risk AI systems be designed so their operation is transparent enough for deployers to interpret the output and use it appropriately. Systems must ship with instructions for use that disclose:

  • The provider's identity and the system's intended purpose
  • The system's capabilities, limitations, and expected level of accuracy
  • Known or foreseeable risks to health, safety, or fundamental rights
  • Human oversight measures, including the technical measures that help deployers interpret output

Article 13 pairs naturally with Article 14 (human oversight): a deployer cannot meaningfully oversee a system whose decisions they cannot interpret or trace. Transparency is not a disclaimer — it is the precondition for accountable use.

3. Why Logging Alone Won't Pass

Here is the trap. Most teams read "record-keeping" and reach for application logs. But standard logs have a fatal weakness for compliance: they are mutable. An administrator can edit, delete, or backfill them after the fact. A log that can be altered proves nothing to an auditor who assumes it might have been.

Article 12 asks for traceability you can stand behind. That raises the bar from "we have logs" to:

  • Integrity — records cannot be altered after the fact without detection
  • Chain continuity — each record depends on the previous one, so tampering breaks the chain
  • Context — who acted, when, on what, and why — not just a timestamp
  • On-demand export — produce the evidence in a standard format the moment it is requested

This is the difference between logging an event and proving a decision. (We explored this distinction in depth in AI Audit Trail vs Decision Proof Unit.)

4. How a Decision Proof Unit Satisfies Article 12

A Decision Proof Unit (DPU) is built for exactly the traceability Article 12 demands. Instead of writing mutable log lines, it seals every AI-related decision and its review into a tamper-evident hash chain:

  • Automatic decision logging — every AI recommendation, analysis, or generation is recorded with its basis
  • Human review preserved — the reviewer's confirmation or override is captured as part of the record
  • Tamper-evidence — records are linked by SHA-256 hashes; altering any entry breaks the chain and is immediately detectable
  • Audit-ready export — the full decision trail exports on demand in a standard, verifiable format

When a regulator asks "why did this system make this decision on this date, and who reviewed it?", the answer is not a promise — it is a record that cannot have been quietly rewritten.

See how Cronozen Proof makes AI decisions audit-readyExplore Cronozen Proof

5. A Practical Article 12 & 13 Checklist

  • Identify whether your AI system falls under Annex III (high-risk)
  • Confirm automatic event logging is enabled across the system's lifetime (Art 12)
  • Ensure logs provide traceability, not just diagnostics
  • Make records tamper-evident, not merely stored
  • Document capabilities, limitations, and accuracy for deployers (Art 13)
  • Define and record human oversight steps (Art 14)
  • Verify you can export a decision trail on demand for audit

FAQ

Q. When exactly do Article 12 and 13 obligations apply? For high-risk AI systems listed in Annex III, the obligations become enforceable on August 2, 2026. (Certain Annex I product-safety systems follow in 2027.)

Q. Do these articles apply to non-EU companies? Yes. The EU AI Act applies based on where the system is placed on the market or used — not where the provider is headquartered. Providers and deployers serving the EU are in scope.

Q. Aren't ordinary application logs enough for Article 12? Logs that can be edited or deleted after the fact carry weak evidentiary value. Article 12 calls for traceability you can defend in an audit, which is why tamper-evident records are the safer standard.

Q. What are the penalties for non-compliance? Non-compliance with high-risk obligations can reach up to €15 million or 3% of global annual turnover, whichever is higher (with higher ceilings for prohibited practices).

The Bottom Line

Article 12 and 13 turn AI governance from a statement into an obligation: not "we have a policy," but "here is the verifiable record of what the system did and how a human controlled it."

The organizations that pass won't be the ones with the most documentation. They'll be the ones who can prove their AI decisions — instantly, and beyond dispute.

Can your AI prove its own decisions?

What is a Decision Proof Unit?The Technical Foundation of AI Accountability

AI Decision TraceabilityFrom Black Box to Verifiable Proof

Logging vs ProofAI Audit Trail vs Decision Proof Unit

Sources

  • Regulation (EU) 2024/1689 (EU AI Act), Articles 12, 13, 14, and 99
  • European Commission, AI Act implementation timeline (high-risk obligations applicable from August 2, 2026)
  • AI Governance Desk, "EU AI Act Articles 12 & 13 Explained: Decision Traceability & Audit Compliance" (2026)