The complete guide to EU AI Act record-keeping obligations for small and medium enterprises: 12 essential records, exact retention periods, a 6-step setup process, and SME proportionality rules — reviewed by a certified Gyoseishoshi who has published 100+ compliance books across 14 countries.
Record-keeping is not optional under the EU AI Act. Articles 11, 12, 18, and 26 establish specific documentation obligations for both AI providers and deployers. Even if your organization only uses ChatGPT for drafting emails, Article 4 requires documented AI literacy measures.
Three reasons why record-keeping matters for SMEs:
1. Legal obligation. The EU AI Act imposes record-keeping requirements that apply regardless of company size. While the obligations scale with risk level, no organization is fully exempt. Deployers of high-risk AI must maintain operational logs for at least 6 months (Article 26(6)). Providers must retain technical documentation for 10 years (Article 18).
2. Audit readiness. National authorities can request your records at any time. If you cannot produce them, you face fines up to EUR 7.5 million or 1% of global turnover for providing incomplete information (Article 99). Having records organized before an audit request arrives is far less expensive than scrambling afterward.
3. Trust building. Organized records demonstrate to clients, partners, and regulators that your AI use is deliberate and governed. For SMEs competing against larger organizations, compliance records can be a differentiator rather than a burden.
| Obligation | Article | Applies to | Status |
|---|---|---|---|
| AI literacy documentation | Art. 4 | All organizations | Aug 2026 |
| Transparency records | Art. 50 | Deployers of GPAI | Enforced |
| Technical documentation | Art. 11 | Providers of high-risk AI | Dec 2027 |
| Operational logs | Art. 26(6) | Deployers of high-risk AI | Dec 2027 |
| Incident reporting | Art. 62 | Providers of high-risk AI | Dec 2027 |
We have organized the essential AI records into four categories. Not every SME will need all 12 — your obligations depend on whether you are a provider or deployer, and the risk level of your AI systems.
1. AI System Register. A complete inventory of every AI system your organization uses or provides. Include vendor name, purpose, data inputs and outputs, risk classification, and deployment date. This is the foundation of all other records. (Art. 49)
2. Technical Documentation. For providers of high-risk AI: 11 categories of documentation as specified in Annex IV, including system description, design specifications, training data details, testing results, and performance metrics. Must be retained for 10 years from market placing. (Art. 11, Art. 18, Annex IV)
3. Operational Logs. Automatically generated logs from high-risk AI systems, maintained by deployers for at least 6 months. Include timestamps, inputs, outputs, and any human override decisions. Recommended retention: 3 years for audit trail continuity. (Art. 12, Art. 26(6))
4. Incident Reports. Documentation of any serious incident involving a high-risk AI system. Must be reported to national authorities within 15 days of awareness. Include system identification, incident description, corrective measures, and impact assessment. Retain evidence for at least 5 years after investigation completion. (Art. 62)
5. AI Use Policy. Your organization’s rules for acceptable AI use, prohibited uses, data handling, human oversight requirements, and transparency commitments. Review annually. Recommended retention: 5 years from supersession.
6. Risk Assessments. Documented evaluation of each AI system’s potential impact on safety, rights, and operations. For high-risk AI, this includes a Fundamental Rights Impact Assessment (FRIA) per Article 27. Retain for the operational period plus 3 years. (Art. 9, Art. 27)
7. Governance Decisions. Records of all decisions to adopt, modify, suspend, or discontinue an AI system. Include decision rationale, risk considerations, approval authority, and effective dates. Recommended retention: 5 years.
8. AI Literacy Training Records. Documentation that staff have received AI literacy training appropriate to their role: who was trained, content covered, dates, and competency assessment results. Required under Article 4. Retain for employment duration plus 2 years. (Art. 4)
9. Human Oversight Records. For high-risk AI: documentation of who is designated to oversee the AI system, their qualifications, authority to override, and any override actions taken. (Art. 14, Art. 26)
10. Internal Audit Records. Results of periodic compliance reviews, covering record completeness, policy adherence, and system performance. Document findings, recommendations, and corrective actions. Recommended retention: 5 years.
11. Post-Market Monitoring Data. For providers: ongoing collection of performance data, user feedback, and incident patterns after deployment. Required under Article 72 for high-risk AI. (Art. 72)
12. Data Governance Records. Documentation of data quality measures, data sources, preprocessing steps, and bias testing applied to training and operational data. Also supports GDPR Article 30 processing records obligations. (Art. 10)
Follow these steps to build a practical, proportionate record-keeping system. Each step includes specific guidance for SMEs.
Start by listing every AI tool your organization uses. This includes obvious systems like ChatGPT, Microsoft Copilot, or industry-specific AI, but also embedded AI in existing software (email spam filters, CRM lead scoring, accounting anomaly detection).
For each system, document the vendor, primary purpose, which teams use it, what data it processes, and when it was deployed.
Map each AI system to the EU AI Act risk categories. This determines which of the 12 records you must keep for that system.
| Risk Level | Examples | Required Records |
|---|---|---|
| High-risk (Annex III) | HR recruitment screening, credit scoring, safety systems | All 12 records |
| Limited-risk (Art. 50) | Chatbots, AI-generated content, deepfakes | Records 1, 5, 6, 7, 8, 10 |
| Minimal-risk | Spam filters, spell-check, recommendation engines | Records 1, 5, 8 |
Standardized templates ensure consistency and reduce the effort of ongoing record-keeping. Create one template per record type, pre-populated with your organization’s details.
Focus first on the records required for your highest-risk systems. For minimal-risk AI, a simple inventory entry plus training log is sufficient.
Every record category needs an owner — someone responsible for keeping it current, complete, and accessible. For SMEs, one compliance coordinator can own multiple categories.
Set access controls so records are available to: the record owner, the AI governance lead, external auditors (when needed), and regulators upon request.
Apply the legally mandated retention periods from the table below. For records without a specific legal requirement, apply the recommended periods based on audit best practices.
Store records in a secure, backed-up location. Ensure records cannot be tampered with — version control or write-protected storage is recommended for critical documents.
Record-keeping is not a one-time task. Establish review cycles to keep your records current and complete:
Use this template as a starting point for your record-keeping folder structure. Adapt it to your organization’s size and AI risk profile.
| # | Record Type | Minimum Period | Recommended | Legal Basis |
|---|---|---|---|---|
| 1 | Technical documentation (high-risk) | 10 years | 10 years | Art. 18 |
| 2 | Operational logs (high-risk deployer) | 6 months | 3 years | Art. 26(6) |
| 3 | AI literacy training records | Employment + 2 years | Employment + 2 years | Art. 4 |
| 4 | Risk assessments / FRIA | Operational period + 3 years | Operational period + 3 years | Art. 9, Art. 27 |
| 5 | Incident reports and evidence | Investigation + 5 years | Investigation + 5 years | Art. 62 |
| 6 | Governance decisions | — | 5 years | Best practice |
| 7 | AI use policy | — | 5 years from supersession | Best practice |
| 8 | Internal audit records | — | 5 years | Best practice |
| 9 | Post-market monitoring data | Operational period | Operational period + 2 years | Art. 72 |
| 10 | Data governance records | Processing period | Processing period + 3 years | Art. 10 + GDPR Art. 30 |
| 11 | Vendor assessments | — | Contract period + 3 years | Best practice |
| 12 | Human oversight records | Operational period | Operational period + 3 years | Art. 14 |
The EU AI Act explicitly recognizes that SMEs should not bear the same compliance burden as large corporations. Recital 141 establishes the proportionality principle, and several provisions offer practical relief:
Simplified formats. You do not need enterprise compliance software. A well-organized folder structure with standardized templates satisfies the documentation requirements. The AI Office plans to release official SME-friendly templates.
Consolidated roles. In larger organizations, the compliance coordinator, data protection officer, and AI governance lead are separate roles. For SMEs with fewer than 50 employees, one qualified person can hold all three responsibilities. Document this appointment clearly.
Risk-based focus. You are not required to apply the same level of detail to every AI system. Focus your most detailed record-keeping on your highest-risk AI systems. Minimal-risk AI (spam filters, spell-check, basic recommendations) requires only an inventory entry and training records.
Reduced fees. SMEs may benefit from reduced conformity assessment fees when working with notified bodies.
Regulatory sandboxes. Article 62(4)(c) gives SMEs priority access to regulatory sandboxes, where you can test AI systems and develop compliance practices with regulatory guidance before full enforcement.
The EU AI Act establishes tiered penalties based on the severity of the violation. Record-keeping failures typically fall under the second and third tiers:
For SMEs, penalties are assessed against global annual turnover percentages, which means the absolute amounts may be lower — but relative to revenue, they can be devastating. A EUR 7.5 million minimum fine for a company with EUR 10 million revenue would be 75% of annual turnover.
A NOTE FROM THE AUTHOR
“I spent more than 20 years reviewing regulatory compliance at the Hiroshima Prefectural Government. The biggest mistake I see businesses make is assuming compliance starts with paperwork. It starts with daily habits. Build the habit first, and the paperwork follows.”
— Takayuki Sawai, Gyoseishoshi (行政書士)