We started building Article 12 logging for our own AI system 14 months ago. The text of the law is only two pages, but the implementation work took us six months of mistakes before we found the shape that holds up under audit.

The deadline is 2 August 2026. That is eleven weeks. Most EU SaaS teams I talk to are still treating it as a Q3 problem.

A few things that are not obvious from reading Article 12 directly:

Cloud-native logging from a single provider usually fails the integrity test. Regulators expect tamper-evidence — hash chain plus signing per batch — even though the law just says "automatic recording".

Retention is not a single number. It is a sliding scale with sectoral overlays. Medical AI under MDR ends up at 10+ years. Critical infrastructure under NIS2 the same. HR systems can be shorter. The matrix matters more than the headline.

Multi-provider setups need per-vote logging. If three models voted and you only logged the final outcome, you cannot reconstruct the decision in an audit six months later. We learned this the hard way.

I published a 40-page bilingual practitioner toolkit (German and English) with the patterns we ended up with, plus five Excel templates, three checklists for pre-audit, vendor onboarding and incident response, and 50+ JSON schemas. Launch price 29 euros with code LAUNCH50.

https://yoendem.gumroad.com/l/eu-ai-act-article-12-toolkit

If you are working on Article 12 implementation, the question I would actually want answered from this community: what cross-mapping with GDPR Article 30 (RoPA) has been most useful for you?