Newsletter Article
GLOBAL UPDATE: LOGGING, TRACEABILITY AND RESPONSE ARE CONVERGING
Snare Insider Newsletter Series Article
Make sure you Subscribe
Cybersecurity and AI regulations differ by jurisdiction, but their operational expectations are increasingly similar. Organisations must be able to monitor activity, preserve evidence, explain decisions, report incidents, and demonstrate that security controls are functioning as intended.
The EU’s NIS2 Directive (Directive (EU) 2022/2555) implementing requirements apply detailed cybersecurity measures to organisations including managed service providers, managed security service providers, cloud computing providers, data centre providers, content delivery networks and trust service providers.
The requirements include monitoring and logging capabilities, with the availability of those logging systems monitored independently from the environments they observe. For MSSPs, this raises the standard beyond simply receiving customer logs, providers must demonstrate the resilience, integrity and availability of the logging service itself.
EU AI Act (Regulation (EU) 2024/1689) transparency obligations for high-risk systems take effect from 2 August 2026. Under the May 2026 political agreement on AI Act simplification, deadlines for certain systems have moved later, but the underlying direction has not changed: AI systems must become more transparent, governable and auditable.
Article 12 is the specific provision to know. It requires high-risk AI systems to “technically allow for the automatic recording of events (logs) over the lifetime of the system,” covering risk identification (referencing Article 79), post-market monitoring (Article 72) and deployer-side operational monitoring (Article 26(5)).
Article 26(6) sets the retention floor: automatically generated logs must be kept for a period appropriate to the system’s intended use, and at least six months, unless another law requires longer.
Non-compliance with record-keeping sits in the second of three penalty tiers under Article 99, up to €15 million or 3% of global annual turnover, whichever is higher.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is now embedded within the European financial services environment. Its supporting technical standards provide detailed requirements for reporting major ICT incidents, assessing third-party dependencies, and maintaining operational resilience. Financial institutions must be able to move quickly from detection to classification, evidence collection, reporting and recovery.

THE SNARE PERSPECTIVE – Snare Insider Issue 12