firetail published a breakdown of article 12 this week. the key date: august 2, 2026. that's when enforcement starts.
the regulation requires six months of retained audit logs before enforcement begins. if you're starting now, you won't have six months of history by august.
here's what article 12 actually requires:
- automatic recording over the lifetime of the system
- logs that capture inputs, outputs, and decisions
- retention for at least six months
- tamper-evident storage
most agent frameworks log to stdout or a database the agent can reach. that doesn't meet the standard. if the agent can modify the log, you can't prove the record is real.
mnemopay's merkleaudit solves this. every transaction the agent proposes gets written to an append-only hash chain. each entry includes the agent's request, fiscalgate's decision, the timestamp, and a hash of the previous entry. the agent never gets write access.
if a regulator asks for proof, you export the chain and hand over a file that's cryptographically verifiable. they can check every hash and confirm nothing was edited.
the compliance clock is ticking. if your agents move money or make decisions that affect people, you need automatic logging that survives the agent. mnemopay ships with it built in.
Top comments (0)