by guillermollopis 119 days ago
This is a useful piece of the puzzle: audit logging and injection detection are real requirements under Article 12 (record-keeping) and Article 15 (cybersecurity/robustness).

One thing worth flagging: for high-risk systems under Annex III, audit logging is just one of ~25 compliance items. The August 2026 deadline also requires complete technical documentation (Annex IV), a risk management system (Article 9), data governance practices (Article 10), human oversight mechanisms (Article 14), and a post-market monitoring plan (Article 72). The documentation requirement alone covers 7 sections.

The tooling space is evolving fast: EuConform does offline-first risk classification, Holistic AI offers readiness assessments for enterprises, and Annexa (I'm building this) goes from risk classification to generating the full Annex IV technical documentation dossier by analyzing your actual codebase. Different tools cover different slices of compliance.

Worth noting: the Commission missed the Feb 2 deadline for Article 6 high-risk classification guidelines, and the Digital Omnibus proposal could push the Annex III deadline to December 2027. But smart money is still on preparing now; the proposal hasn't passed Parliament yet.