DORA compliance & chat logs: retaining vs redacting

The Digital Operational Resilience Act (DORA) is transforming how financial institutions manage their technology infrastructure, with significant implications for organizations using AI chat systems. One of the most challenging questions under DORA is how to balance log retention requirements with data minimization principles.
DORA's Dual Requirements: Comprehensive Records vs. Data Minimization
The EU's DORA regulation, which applies from 17 January 2025, creates a genuine tension for financial institutions using AI chat systems. On the one hand, DORA requires financial entities to log ICT activity in enough detail to detect, investigate and report ICT-related incidents. On the other hand, it applies without prejudice to the GDPR, so the principles of data minimization and storage limitation still govern what those logs may contain and for how long.
For AI chat systems processing potentially sensitive client or internal operational data, this creates a critical question: what should be retained in chat logs, what should be redacted, and for how long?
The Risk Landscape for Financial Institutions
Financial institutions face significant consequences for non-compliance with DORA. The regulation leaves the level of administrative penalties for financial entities to national competent authorities, and the periodic penalty payments it defines for critical ICT third-party providers run to 1% of average daily worldwide turnover. The risk extends well beyond regulatory penalties, however:
- Incident Response Limitations: Inadequate logging can hamper incident investigation and regulatory reporting, potentially prolonging service disruptions.
- Privacy Violations: Excessive retention of customer data in chat logs may violate GDPR principles.
- Operational Overhead: Managing complex retention and redaction policies creates significant operational burdens.
- Security Risks: Comprehensive chat logs containing sensitive data become high-value targets for attackers.
Balancing Retention and Redaction: A Framework
Based on current regulatory guidance and industry best practices, we recommend financial institutions adopt a tiered approach to chat log management:
1. Metadata Retention (5+ years)
Preserve core operational metadata about every AI chat interaction for the longest tier. DORA itself does not fix a retention period for ICT logs; its ICT risk management standards leave the period to the institution's own framework, and five years is a conservative choice that lines up with other EU financial record-keeping obligations:
- Session timestamps and duration
- User authentication method and access level
- System components and APIs accessed
- Chat topic categorization (without specific content)
- System prompt version and model configuration identifiers, so a response can be traced to the configuration that produced it (keep the prompt text itself under change control rather than copying it into every log record)
- Error conditions or unexpected system behaviors
2. Redacted Content Retention (2-3 years)
Maintain partially redacted chat content for a medium-term period:
- Redact personal identifiers, account numbers, and other sensitive data
- Preserve the semantic structure and nature of interactions
- Maintain system responses and general query types
- Apply keyed pseudonymization to user identities so that sessions by the same user remain linkable without storing the identity itself
3. Full Content Retention (60-90 days)
Keep complete, unredacted chat logs only for the minimum period necessary for immediate operational needs:
- Complete chat content including user queries and system responses
- Error messages and anomalies with full context
- User identification and session details
- All attached or referenced documents
Technical Implementation Considerations
Implementing a tiered retention and redaction framework requires careful technical planning. Key considerations include:
1. Automated Redaction Capabilities
Effective redaction is critical for balancing retention requirements with data minimization. Technical approaches include:
- Pattern Matching: Deploy pattern recognition for structured identifiers (IBANs, card numbers, e-mail addresses, phone numbers) and validate matches against the identifier's own checksum where one exists, so that ordinary reference numbers are not redacted by mistake
- NLP-Based Entity Recognition: Add named-entity recognition to catch contextual personal data (names, addresses, employers) that no fixed pattern describes
- Progressive Redaction: Make a record's redaction level a function of its age, with each tier boundary stripping a further class of data, rather than relying on a one-off decision at ingest
- Redaction Verification: Sample redacted records, re-run the detectors over the redacted output and have reviewers check what remains; residual findings are the metric for tuning the detectors
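The following Python script is an added example of the tiered framework and the redaction pipeline described above; it is not VeraChat's code. The record layout, the detector patterns, the tier lengths and the sample transcript are all constructed for illustration, the NAME rule (a title followed by capitalised words) is a crude stand-in for a real NER model, and the pseudonymization key is hard-coded only so the file runs offline.

```python
"""Progressive redaction of AI chat records across retention tiers.
Added example, not VeraChat's code: record layout, detectors, tier lengths
and the sample transcript are constructed for illustration."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: in production this key lives in a KMS/HSM, never in source.
PSEUDONYM_KEY = b"example-only-pseudonym-key"
# Tier boundaries in days: tier 3 (full) -> tier 2 (redacted) -> tier 1 (metadata).
FULL_DAYS, REDACTED_DAYS, METADATA_DAYS = 90, 3 * 365, 5 * 365
# Detectors run in this order, structured identifiers first so the looser
# patterns cannot eat part of them. NAME is a crude contextual rule standing
# in for a real NER model.
PATTERNS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7} ?[A-Z0-9]{1,4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"\+\d{1,3}[ \d]{7,14}\d")),
    ("CARD", re.compile(r"\b(?:\d[ -]?){13,18}\d\b")),
    ("NAME", re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.? [A-Z][a-z]+(?: [A-Z][a-z]+)?")),
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on the CARD detector."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_text(text: str) -> tuple:
    """Replace detected identifiers with typed placeholders; return (text, counts)."""
    counts = {}
    for label, rx in PATTERNS:
        def repl(m, label=label):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # digit run that fails Luhn: leave it alone
            counts[label] = counts.get(label, 0) + 1
            return f"[{label}]"
        text = rx.sub(repl, text)
    return text, counts

def residual_findings(text: str) -> list:
    """Verification step: re-run the detectors on already-redacted text."""
    return sorted(redact_text(text)[1])

def pseudonym(user_id: str) -> str:
    """Keyed, one-way pseudonym; stable so a user's sessions stay linkable."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]

@dataclass
class ChatRecord:
    session_id: str
    user_id: str
    started_at: datetime
    auth_method: str
    apis_called: list
    system_prompt_id: str
    turns: list   # (role, text) pairs
    errors: list  # error messages with context

def tier_for(rec: ChatRecord, now: datetime) -> str:
    age = (now - rec.started_at).days
    for limit, tier in ((FULL_DAYS, "full"), (REDACTED_DAYS, "redacted"), (METADATA_DAYS, "metadata")):
        if age <= limit:
            return tier
    return "delete"

def materialise(rec: ChatRecord, now: datetime):
    """Return the view of a record that its current tier permits (None = purge)."""
    tier = tier_for(rec, now)
    if tier == "delete":
        return None
    view = {"tier": tier, "session_id": rec.session_id, "started_at": rec.started_at.isoformat(),
            "auth_method": rec.auth_method, "apis_called": rec.apis_called,
            "system_prompt_id": rec.system_prompt_id, "turn_count": len(rec.turns)}
    if tier == "full":
        return {**view, "user_id": rec.user_id, "turns": rec.turns, "errors": rec.errors}
    view["user_id"] = pseudonym(rec.user_id)  # tiers 1 and 2 never hold the raw identity
    if tier == "redacted":
        view["turns"] = [(role, redact_text(t)[0]) for role, t in rec.turns]
        view["errors"] = [redact_text(e)[0] for e in rec.errors]
    else:
        view["error_count"] = len(rec.errors)  # tier 1: no content at all
    return view

# Constructed sample transcript; every identifier in it is a well-known test value.
SAMPLE = ChatRecord(
    session_id="s-0001", user_id="u-4711",
    started_at=datetime(2025, 3, 1, tzinfo=timezone.utc),
    auth_method="oidc+mfa", apis_called=["payments.read"], system_prompt_id="sp-v3",
    turns=[("user", "This is Mr Example. Move 500 EUR from DE89 3704 0044 0532 0130 00 "
                    "to card 4111 1111 1111 1111; email a.example@example.com, phone +49 170 1234567."),
           ("assistant", "Done. Transaction reference 1234 5678 9012 3456.")],
    errors=["upstream timeout: payments.read"],
)

def view_after(days: int):
    """What the stored record looks like `days` after the session started."""
    return materialise(SAMPLE, SAMPLE.started_at + timedelta(days=days))
```

Two design points matter more than the regexes. The tier is computed from the record's age at read time, so a record that has aged past a boundary is never served in a richer form than its tier allows, even if the batch job that rewrites storage has not run yet. And the Luhn check is what keeps the assistant's transaction reference in the sample intact while the card number is removed; without such validation, pattern-based redaction strips the very context an incident investigator needs.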
2. Secure Storage Architecture
Different retention tiers require appropriate security controls:
- Segregated Storage: Implement separate storage systems for each retention tier with appropriate access controls
- Encryption Requirements: Encrypt every tier, and keep the keys apart: one data key per tier and retention period, wrapped by a KMS-held key, so that access can be scoped per tier and an expired period can be crypto-shredded by destroying its key
- Access Logging: Maintain comprehensive logs of all access to stored chat data, especially for full-content logs
- Immutable Storage: Consider WORM (Write Once Read Many) storage for metadata and for the access logs themselves, so that neither can be altered after an incident
3. Deletion Verification
Ensuring data is properly deleted at the end of retention periods is as critical as retention itself:
- Automated Deletion Workflows: Implement systems to automate the secure deletion of data at the end of its retention period
- Deletion Records: Log every deletion as a signed record stating what was deleted, when, by which job and a digest of the destroyed objects, and retain it for compliance documentation. Where data is encrypted with a per-period key, destroying that key (crypto-shredding) is what makes the deletion effective; the record evidences the act but cannot by itself prove that bytes are gone
- Backup Synchronization: Ensure deletion policies extend to all backups and replicated data; for backups that cannot be rewritten, crypto-shredding is the practical route, provided the keys are never stored alongside the data they protect
- Third-Party Processor Management: Verify that AI providers and other third parties comply with deletion requirements
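The following Python script is an added example covering both the per-tier key separation from the Secure Storage Architecture section and the crypto-shredding and deletion records from the Deletion Verification section; it is not VeraChat's code. So that it runs on the standard library alone, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for AES-GCM, and an HMAC over the deletion record stands in for a signature by a KMS-held key. The class, method and field names are assumptions.

```python
"""Per-period data keys, crypto-shredding and signed deletion records.
Added example, not VeraChat's code. Stand-ins so it runs on the stdlib alone:
an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag replaces
AES-GCM, and an HMAC over the deletion record replaces a KMS signing key."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _subkeys(key: bytes):
    # Separate encryption and MAC subkeys derived from one data key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class TieredStore:
    """One random DEK per (tier, period), wrapped with that tier's KEK.
    Destroying a period's wrapped DEK makes every object of that period
    unreadable wherever copies of the ciphertext survive, backups included."""

    def __init__(self, keks: dict, audit_key: bytes):
        self.keks = keks            # tier -> KEK; assumed to come from a KMS
        self.audit_key = audit_key  # assumed: signing key held by the KMS
        self.wrapped = {}           # (tier, period) -> wrapped DEK
        self.objects = {}           # (tier, period) -> {obj_id: ciphertext}
        self.shredded = set()
        self.deletion_log = []

    def _dek(self, tier: str, period: str, create: bool = False) -> bytes:
        k = (tier, period)
        if k in self.shredded:
            raise KeyError(f"{k} has been crypto-shredded")
        if k not in self.wrapped:
            if not create:
                raise KeyError(k)
            self.wrapped[k] = seal(self.keks[tier], secrets.token_bytes(32))
        return open_(self.keks[tier], self.wrapped[k])

    def put(self, tier: str, period: str, obj_id: str, data: bytes) -> None:
        dek = self._dek(tier, period, create=True)
        self.objects.setdefault((tier, period), {})[obj_id] = seal(dek, data)

    def get(self, tier: str, period: str, obj_id: str) -> bytes:
        return open_(self._dek(tier, period), self.objects[(tier, period)][obj_id])

    def readable(self, tier: str, period: str) -> bool:
        return (tier, period) in self.wrapped and (tier, period) not in self.shredded

    def shred(self, tier: str, period: str) -> dict:
        """Crypto-shred one period: destroy its DEK, then sign a deletion record."""
        k = (tier, period)
        blobs = self.objects.get(k, {})
        digest = hashlib.sha256(b"".join(blobs[i] for i in sorted(blobs))).hexdigest()
        self.wrapped.pop(k, None)  # the only copy of the DEK
        self.shredded.add(k)
        record = {"tier": tier, "period": period, "objects": len(blobs),
                  "ciphertext_digest": digest,
                  "deleted_at": datetime.now(timezone.utc).isoformat()}
        body = json.dumps(record, sort_keys=True).encode()
        entry = {"record": record, "sig": hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()}
        self.deletion_log.append(entry)
        return entry

    def verify_deletion(self, entry: dict) -> bool:
        """Auditor check: the signature holds and the key really is gone."""
        body = json.dumps(entry["record"], sort_keys=True).encode()
        expected = hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()
        k = (entry["record"]["tier"], entry["record"]["period"])
        return hmac.compare_digest(entry["sig"], expected) and k not in self.wrapped
```

The deletion record is deliberately tied to a digest of the ciphertext that was destroyed, so an auditor can match it against object inventories, and verification checks the live key table as well as the signature. The scheme only holds if the wrapped DEKs are never swept into the same backup streams as the data; in practice they stay in the KMS, which keeps its own destruction log.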
Governance Framework Recommendations
Technical implementations must be supported by robust governance frameworks:
- Cross-Functional Ownership: Establish clear responsibilities across IT, compliance, legal, and business functions for chat log management
- Regular Policy Reviews: Conduct quarterly assessments of retention policies against evolving regulatory guidance and operational needs
- Risk-Based Exceptions: Develop a formalized exception process for extending retention periods when specific operational risks warrant it
- Regular Effectiveness Testing: Conduct simulated incident response exercises to verify that redacted logs remain useful for investigation purposes
Conclusion: The Path Forward
As financial institutions integrate AI chat systems more deeply into their operations, balancing DORA's dual requirements for comprehensive operational records and data minimization will remain challenging. The framework outlined above provides a starting point, but each institution will need to calibrate its approach based on its specific risk profile, operational complexity, and the sensitivity of data processed through its chat systems.
By implementing a tiered retention strategy with appropriate technical safeguards, financial institutions can meet their DORA obligations while respecting privacy principles and minimizing security risks. As regulatory guidance evolves and industry best practices mature, flexible governance frameworks will be essential to adapting these approaches over time.
VeraChat provides secure, audit-ready AI chat solutions that are fully EU-hosted.