"How long should we keep our logs?" has no single answer — it depends on which regulations apply to you and the risks you are managing. Some regimes give you a hard number (PCI DSS, HIPAA, SOX); others (the GDPR, ISO 27001, NIS2, DORA) make it risk-based and leave the figure to you. This guide lays out the requirements side by side and shows how to set a defensible retention policy.
Not legal advice
The figures below are widely used baselines, not a substitute for legal review. Retention can be affected by your sector, jurisdiction, national law, and contractual obligations — confirm the specifics for your organisation.
The short answer
There is no universal log-retention period. The practical rule is to take the strictest requirement that applies to you and keep logs at least that long — while not keeping personal data longer than you can justify under the GDPR. Most organisations end up with a tiered policy: a hot tier (fast to search, for active investigation and monitoring) and a cheaper archive tier (for long-term forensic and compliance needs).
Log retention by regulation
How the major regimes treat log and audit-record retention:
| Regulation | Retention | Notes |
|---|---|---|
| PCI DSS v4.0 | ≥ 12 months, with ≥ 3 months immediately available | Requirement 10. A hard minimum for cardholder-data environments. |
| HIPAA | 6 years | Documentation/record retention for covered entities and business associates. |
| SOX | 7 years | Records relevant to financial reporting (SEC 17 CFR 210.2-06). |
| GDPR | No fixed figure — storage-limitation principle | Justify retention by purpose; commonly 1–3 years for security logs. Don’t keep personal data longer than needed. |
| ISO 27001:2022 (A.8.15) | No fixed figure — risk-based | The Logging control; set retention in your ISMS. 12 months is a common baseline. |
| NIS2 | No fixed figure — risk-based | Set by national transposition; commonly 6–18 months. Keep long enough to detect and investigate. |
| DORA | No fixed figure — policy-defined | The ICT risk-management RTS requires you to define the retention period in a logging policy. |
When several regimes apply
Take the longest binding requirement. For example, an entity under both HIPAA (6 years) and SOX (7 years) should retain for 7 years, which also covers PCI DSS and most GDPR security-log use cases — provided you can still justify holding any personal data for that long.
Hot vs. archive: retention is a cost decision
Retention length and search speed pull in opposite directions on cost. Keeping everything instantly searchable for years is expensive; keeping nothing fails compliance and forensics. The usual answer is two tiers:
- Hot tier — recent logs (often 30–90 days, sometimes longer) kept fast to query for live monitoring, alerting and active investigation.
- Archive / cold tier — older logs kept in cheaper storage to satisfy the long-tail compliance window and reconstruct incidents that surface months later.
The economics of the hot tier are driven by your storage engine. A columnar store with strong compression keeps long retention affordable — see log management built on ClickHouse for why this matters.
How to set a defensible retention policy
- List every regulation, contract and sector rule that applies to you.
- Identify the strictest binding retention requirement among them.
- Add a risk-based buffer for incident detection and forensics (attacker dwell time is often months).
- Decide your hot vs. archive split based on search and cost needs.
- Apply GDPR storage-limitation: don’t keep personal data longer than the justified purpose; redact where possible.
- Write it down — document the period chosen and the risk/legal basis for it.
- Protect the logs: tamper-evident storage, access control, and audited access.
- Review the policy periodically and when regulations or your estate change.
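The policy steps above and the hot/archive split described earlier can be checked mechanically. The following is an added example, not LogPulse code: it encodes the fixed figures from the table (PCI DSS, HIPAA, SOX), treats the risk-based regimes as taking whatever figure you chose for them, and reports where a proposed two-tier policy falls short. Class and function names, the 365-day year, the 90-day reading of PCI's "3 months immediately available", and the 12-month default for risk-based regimes are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

DAYS_PER_YEAR = 365  # assumption: retention years converted at 365 days per year


@dataclass(frozen=True)
class Regime:
    name: str
    min_total_days: Optional[int]  # None: no fixed figure, set it in your own policy
    min_hot_days: int = 0          # portion that must be immediately searchable


# Figures taken from the retention table; risk-based regimes carry no number of their own.
REGIMES: Dict[str, Regime] = {
    "PCI DSS v4.0": Regime("PCI DSS v4.0", DAYS_PER_YEAR, 90),  # 12 months, 3 months hot
    "HIPAA": Regime("HIPAA", 6 * DAYS_PER_YEAR),
    "SOX": Regime("SOX", 7 * DAYS_PER_YEAR),
    "GDPR": Regime("GDPR", None),
    "ISO 27001:2022": Regime("ISO 27001:2022", None),
    "NIS2": Regime("NIS2", None),
    "DORA": Regime("DORA", None),
}


@dataclass(frozen=True)
class RetentionPolicy:
    hot_days: int                 # fast-search tier
    archive_days: int             # total retention, hot tier plus archive tier
    risk_based_days: int = DAYS_PER_YEAR  # your own figure for risk-based regimes (assumed 12-month baseline)
    forensic_buffer_days: int = 0          # extra window for dwell time and late-surfacing incidents
    personal_data_days: Optional[int] = None  # justified window for personal data; None if not yet decided


def binding_minimum_days(applicable: Iterable[str], policy: RetentionPolicy) -> int:
    """Strictest requirement among the applicable regimes. A regime with no fixed
    figure contributes the organisation's own risk-based choice."""
    minimums = []
    for name in applicable:
        regime = REGIMES[name]
        minimums.append(regime.min_total_days if regime.min_total_days is not None
                        else policy.risk_based_days)
    return max(minimums) if minimums else 0


def evaluate(applicable: Iterable[str], policy: RetentionPolicy) -> List[str]:
    """Return the list of shortfalls; an empty list means the policy meets every check."""
    applicable = list(applicable)
    findings: List[str] = []

    required_total = binding_minimum_days(applicable, policy) + policy.forensic_buffer_days
    if policy.archive_days < required_total:
        findings.append(f"total retention {policy.archive_days}d is below the binding "
                        f"minimum plus forensic buffer ({required_total}d)")

    required_hot = max((REGIMES[n].min_hot_days for n in applicable), default=0)
    if policy.hot_days < required_hot:
        findings.append(f"hot tier {policy.hot_days}d is below the immediately-available "
                        f"minimum ({required_hot}d)")

    if policy.hot_days > policy.archive_days:
        findings.append("hot tier cannot be longer than total retention")

    if "GDPR" in applicable:
        if policy.personal_data_days is None:
            findings.append("GDPR applies but no justified window for personal data is recorded")
        elif policy.personal_data_days < policy.archive_days:
            # Storage limitation: personal data must go before the rest of the log does.
            findings.append(f"personal data must be redacted from logs older than "
                            f"{policy.personal_data_days}d while the rest is kept "
                            f"for {policy.archive_days}d")
    return findings


if __name__ == "__main__":
    # Constructed scenario: an EU card-processing entity under PCI DSS, NIS2 and the GDPR.
    proposal = RetentionPolicy(hot_days=30, archive_days=365, risk_based_days=540,
                               personal_data_days=365)
    for finding in evaluate(["PCI DSS v4.0", "NIS2", "GDPR"], proposal):
        print("FINDING:", finding)
```

Run it as a script to see the findings for the constructed scenario (the hot tier is too short for PCI DSS, and the total falls below the 18-month figure chosen for NIS2); import it to call `evaluate` against your own regime list. The forensic buffer is deliberately a separate field so that the risk-based addition in step 3 stays visible in the policy rather than being folded into the legal figure.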
How LogPulse supports log retention
LogPulse retains your logs for the window your plan provides on a cost-efficient ClickHouse engine, with search fast enough to investigate recent data and the depth to reconstruct older incidents. Pipelines can redact PII before storage to support GDPR storage-limitation, and data stays in the EU. For the specifics of plan retention windows, see ClickHouse log management, and the NIS2 and DORA guides for the EU regimes that drive retention. LogPulse supports your compliance programme and produces evidence; it is not itself a certification.