80 Days to Article 12 — and What 14 Months of Building It Taught Us

There are exactly 80 days until 2 August 2026, when Article 12 of the EU AI Act becomes applicable for high-risk AI systems. If you operate one, and many of you reading this do, you have an obligation to maintain automated logs that hold up in regulatory audit. The penalty cap is 15 million euros or 3% of global turnover, whichever is higher.

I have been building and operating Article 12 logging in production for 14 months on Yondem, our multi-provider AI bridge. About 300,000 tasks per day across Anthropic, OpenAI, Google, DeepSeek and self-hosted Llama. We made nearly every implementation mistake possible before we found patterns that hold up.

This is the field manual I wish I had when we started.


The text of the law is short. The implementation work is not.

Article 12 itself is two pages in the Regulation. The interesting work is in the interpretation. After 14 months I have come to think of it through five pillars: identifiability, integrity, completeness, availability, and proportionality. None of those words appear in the statute, but every regulator audit checklist I have seen organises around them.

What surprised me most was how much GDPR cross-compliance ends up driving the implementation. You cannot just turn on cloud-native logging and call it Article 12 compliant — not because the AI Act itself prohibits it, but because the cross-mapping with GDPR Articles 5, 17, 30, 32 and 35 forces specific choices that cloud-native logging does not handle by default.


The mistakes that hurt the most

We logged the final outcome of multi-provider voting decisions without logging individual votes. Six months later we could not reconstruct a decision in an audit rehearsal. Lesson: every voter, every gate, every threshold, separately logged with explicit links back to the decision_id.

We used mutable log records in our first iteration. Append-only sounds like a small implementation detail until your first integrity audit. Now we use append-only Postgres with hash chains plus Ed25519 signing per batch.

We stored raw PII alongside log records "for convenience". GDPR Article 5(1)(c) data minimisation violation. Now: hash chains stay intact when we purge the raw data tier — hashes do not reveal the data, the chain stays valid, and the erasure event itself becomes a separate log entry.
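The hash-chain and purge behaviour from the two paragraphs above, as an added example that is not Yondem's code or taken from the toolkit. In-memory structures stand in for the append-only Postgres tables, Ed25519 batch signing is left out, and the per-record salt (stored with the raw data so that low-entropy payloads cannot be guessed from their hash after a purge) is an assumption of this example; `AuditLog`, `digest` and `build_sample` are hypothetical names.

```python
import hashlib, json, os

GENESIS = "0" * 64

def digest(obj, salt=b""):
    # Canonical JSON so the same record always hashes to the same value.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + data).hexdigest()

class AuditLog:
    def __init__(self):
        self.chain = []  # append-only tier: hashes and linkage only, no raw data
        self.raw = {}    # purgeable tier: seq -> (salt, payload), may hold PII

    def append(self, event_type, decision_id, payload):
        seq, salt = len(self.chain), os.urandom(16)
        body = {"seq": seq, "type": event_type, "decision_id": decision_id,
                "payload_hash": digest(payload, salt),
                "prev_hash": self.chain[-1]["entry_hash"] if self.chain else GENESIS}
        self.chain.append({**body, "entry_hash": digest(body)})
        self.raw[seq] = (salt, payload)
        return seq

    def erase(self, seq):
        # Purge raw data and salt; record the erasure as its own chained event.
        del self.raw[seq]
        return self.append("erasure", self.chain[seq]["decision_id"], {"erased_seq": seq})

    def verify(self):
        prev = GENESIS
        for i, entry in enumerate(self.chain):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev or digest(body) != entry["entry_hash"]:
                return False
            if i in self.raw:  # raw tier still present: payload must match its hash
                salt, payload = self.raw[i]
                if digest(payload, salt) != entry["payload_hash"]:
                    return False
            prev = entry["entry_hash"]
        return True

def build_sample():
    # Constructed sample: three provider votes and the decision they produced.
    log = AuditLog()
    for provider, vote in [("provider-a", "approve"), ("provider-b", "approve"), ("provider-c", "reject")]:
        log.append("vote", "dec-001", {"provider": provider, "vote": vote, "subject": "jane@example.com"})
    log.append("decision", "dec-001", {"outcome": "approve", "threshold": 2})
    return log
```

Calling `erase(0)` on the sample removes the raw vote and its salt, appends an `erasure` entry, and `verify()` still returns `True`; editing any chained field or any surviving raw payload makes it return `False`.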

We treated retention as a single number. The AI Act baseline ends up overlaid by MDR (medical), NIS2 (critical infrastructure), Law Enforcement Directive, sectoral finance law, depending on what your system does. The matrix matters more than the headline number.


The toolkit

I have written all of this up into a 40-page bilingual (German and English) practitioner toolkit, plus five Excel templates you can fill in directly, three checklists organised around pre-audit hardening, vendor onboarding and incident response, and over 50 JSON code snippets for event schemas and multi-provider voting patterns.

I priced it at 29 euros for the launch (code LAUNCH50, valid for the first 100 buyers). Regular price 39 euros afterwards. Comparable consultancy work for the same scope runs 12,000 to 25,000 euros and takes six to eight weeks. The toolkit is meant to give a one-person team the patterns to start applying the same day.

https://yoendem.gumroad.com/l/eu-ai-act-article-12-toolkit

Updates throughout 2026 are added automatically to your Gumroad library. The EU AI Office is still publishing guidance, national authorities are still issuing implementation specifics, and I will keep the toolkit current as those land.


If you read it and have questions

Write to erol@haksystems.com with "Article 12 Toolkit" at the start of the subject line. I read those personally. The kinds of questions I am most useful for: implementation specifics of the hash-chain pattern, retention handling under sectoral overlays, multi-provider voting log schemas.

Stay compliant.

— Erol
