Article 72 of Regulation (EU) 2024/1689 — Post-market monitoring by providers and post-market monitoring plan for high-risk AI systems. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 72 of Regulation (EU) 2024/1689 establishes a mandatory post-market monitoring obligation for providers of high-risk AI systems. Providers are required to proactively collect, document, and analyse relevant data about the performance of their high-risk AI systems throughout the entire operational lifetime of those systems after they have been placed on the market or put into service.
The article mandates that providers draw up and implement a post-market monitoring plan, which must be proportionate to the nature of the high-risk AI technology and its associated risks. This plan must be part of the technical documentation established under Article 11 and set out in accordance with Annex IV. It must define the methods and procedures for systematically gathering performance data, including data sourced from deployers where relevant.
Where the monitoring reveals that a high-risk AI system no longer complies with the requirements set out in Chapter III, Section 2, the provider must take appropriate corrective measures without delay. This includes updating the system, withdrawing it from the market, or recalling it where necessary.
Article 72 also acknowledges the role of deployers: providers must instruct deployers to supply relevant operational data that cannot be collected directly. The monitoring obligation is continuous rather than point-in-time, reflecting the dynamic nature of AI system performance and the evolving contexts in which these systems are deployed.
What This Means in Practice
For organisations that develop or supply high-risk AI systems, Article 72 introduces a structured, ongoing compliance obligation that extends well beyond the moment of market placement. Providers cannot treat conformity assessment as a one-time exercise. Instead, they must design and operationalise a monitoring infrastructure before their system goes live.
In practical terms, this means defining in advance what data will be collected from deployed instances of the system, how that data will be analysed, and what performance thresholds will trigger a review or corrective action. For example, a provider of an AI-assisted medical device diagnostic tool must specify which indicators — such as false-negative rates, demographic performance disparities, or model drift metrics — will be tracked, at what frequency, and by whom.
Providers of AI systems embedded in third-party products face an additional challenge: they depend on deployers to relay operational data that the provider cannot access directly. This requires contractual arrangements with deployers that clearly define data-sharing obligations, as envisaged by the combined reading of Article 72 and Article 25.
Organisations with existing quality management systems (QMS) — such as those already compliant with ISO 13485 in medical devices or ISO 9001 more broadly — will find natural alignment with Article 72's requirements. The post-market monitoring plan should be integrated into the broader QMS documented under Article 17, rather than treated as a standalone document.
Smaller providers and startups will need to resource this function appropriately: Article 72 does not provide a de minimis exemption based on company size, though proportionality of the plan to the risk level of the system is explicitly acknowledged.
Key Obligations
- Establish a post-market monitoring plan that is proportionate to the risk level and nature of the high-risk AI system, documented as part of the technical documentation under Article 11 and Annex IV.
- Actively collect and analyse post-market data on system performance throughout the operational lifecycle, including data from deployers where direct collection is not possible.
- Define performance indicators and corrective action thresholds in advance, specifying what level of degradation or non-conformity triggers a formal review or remedial response.
- Take corrective action without delay when monitoring reveals that the system no longer satisfies the high-risk requirements of Chapter III, Section 2, which may include updating, recalling, or withdrawing the system.
- Integrate monitoring outcomes into the quality management system established under Article 17, ensuring findings loop back into product improvement, documentation updates, and re-assessment processes.
- Instruct deployers to provide operationally relevant data and cooperate with the post-market monitoring process, supported by appropriate contractual or technical arrangements.
Relationship to Other Articles
Article 72 sits at the centre of a cluster of interrelated obligations. It directly feeds into Article 73, which governs the reporting of serious incidents and malfunctions to national competent authorities: the monitoring system established under Article 72 is the detection mechanism for the events that Article 73 requires to be reported.
Article 17 (quality management systems) provides the organisational framework within which the post-market monitoring plan must be embedded. Article 11 and Annex IV define the technical documentation requirements that the monitoring plan must form part of.
Article 25 allocates responsibilities between providers and deployers, and is essential for understanding how providers can obtain operational data from downstream users. Article 26 complements this by detailing deployer obligations, including the duty to monitor system use and report anomalies back to the provider.
For high-risk AI systems that are safety components in products covered by Union harmonisation legislation listed in Annex I, Article 72 must be read alongside the post-market surveillance obligations in the applicable sectoral regulation, such as the Medical Devices Regulation (EU) 2017/745 or the Machinery Regulation (EU) 2023/1230, ensuring coherent and non-duplicative compliance.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, following its publication in the Official Journal of the European Union. The Regulation applies in a phased manner across different categories of obligation.
Article 72, as part of Title IX governing post-market monitoring and market surveillance, applies to providers of high-risk AI systems listed in Annex III (general-purpose high-risk categories such as biometrics, employment, education, and access to essential services) from 2 August 2027. High-risk AI systems covered by Annex I — those that are safety components of products already regulated under existing Union harmonisation legislation — are also subject to the full obligations, including Article 72, from 2 August 2027 in most cases, aligned with the general high-risk application date.
Providers should note that the earlier deadlines — February 2025 for prohibited AI practices and August 2025 for general-purpose AI model obligations — do not directly govern Article 72, but the groundwork for monitoring infrastructure should be laid well in advance of the 2027 deadline. Organisations that develop high-risk AI systems today are advised to begin designing their post-market monitoring plans as part of the conformity preparation process, rather than retrofitting them at the point of application.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 72 requires providers of high-risk AI systems to actively collect and review data about their systems' performance once placed on the market or put into service. The goal is to ensure that systems continue to meet requirements throughout their operational lifecycle, allowing providers to detect and address problems that may not have been apparent during pre-market conformity assessment.
Providers of high-risk AI systems as defined under Annex III of Regulation (EU) 2024/1689, or systems covered under Annex I, are required to establish and maintain a post-market monitoring plan. Deployers may be obligated to assist by reporting relevant information to the provider under Article 72(4).
The plan must include methods and procedures for actively collecting and analysing post-market data, setting performance indicators and thresholds, identifying corrective action triggers, and ensuring that relevant findings are fed back into the quality management system. It must be documented as part of the technical documentation required under Article 11 and Annex IV.
Article 72 works in conjunction with Articles 73 and 74. When post-market monitoring reveals a serious incident or a breach of obligations, providers must immediately report to the relevant national competent authority. The monitoring system serves as the detection mechanism that triggers the reporting obligations set out in subsequent articles.
Article 72 applies to high-risk AI systems covered by Annex III from 2 August 2027, and to high-risk AI systems covered by Annex I (safety components in regulated products) from 2 August 2027 in most cases. Some Annex III categories, specifically those in the areas of biometrics, critical infrastructure, and education already regulated under earlier sectoral rules, follow the December 2026 application date.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.