arXiv: NLLog: Lightweight, Explainable SOC Anomaly Detection via Log-to-Language Rewriting
AI_SAFETY. Sourced from arxiv_cscr, summarised by Matproof.
AI Analysis
What changed and what to do.
A new research paper, NLLog, has been published on arXiv proposing a method for anomaly detection in Security Operations Centers (SOCs) that converts raw system logs into natural language descriptions before analysis. This approach aims to make detection more explainable and lightweight, reducing the need for complex machine learning models. While not a regulatory change itself, this publication signals a growing trend toward interpretable AI in cybersecurity monitoring, which may influence future regulatory expectations under frameworks like the EU AI Act and NIS2.
Organizations operating SOCs, particularly those in critical infrastructure, finance, healthcare, and cloud services within the EU, should take note. Any AI-driven security tool that processes logs or user data must now be assessed for transparency and explainability requirements. The NLLog method could help compliance teams meet these obligations by providing human-readable outputs, but it also introduces new data processing steps that may require updated Data Protection Impact Assessments (DPIAs) under GDPR.
Compliance teams should first review their current SOC tooling to determine if any systems use opaque anomaly detection models. If so, evaluate whether adopting explainable alternatives like NLLog could reduce regulatory risk. Next, update internal AI governance documentation to reflect the use of natural language processing in security monitoring, ensuring alignment with the EU AI Act’s transparency obligations. Finally, engage with legal and IT security teams to assess whether the log-to-language rewriting process creates new personal data processing activities that require notification to supervisory authorities.
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.