Article 73 — Reporting of serious incidents (EU AI Act)

Article 73 of Regulation (EU) 2024/1689 — Reporting of serious incidents. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 73 of Regulation (EU) 2024/1689 (the EU AI Act) establishes a mandatory serious incident reporting obligation for providers of high-risk AI systems made available on the Union market. Under this provision, providers must report any serious incident to the market surveillance authority of the Member State in which the incident occurred, without undue delay and within the timeframes specified by the article.

The article defines the information that must be included in a report: a description of the incident, the high-risk AI system involved, the nature of the harm caused or risked, the corrective measures taken or planned, and any relevant technical documentation. Where a provider is not established in the Union, the authorised representative assumes the reporting duty.

Article 73 further provides that, where a serious incident simultaneously falls within the scope of other Union legislative instruments — such as Regulation (EU) 2017/745 on medical devices or Directive 2016/680 on law enforcement data processing — the provider may submit a single notification through the most appropriate reporting channel, provided that all information requirements under each applicable instrument are fulfilled. Market surveillance authorities must share incident data with the European AI Office and with authorities in other Member States where the same system is deployed, ensuring Union-wide situational awareness.

What This Means in Practice

For any organisation that places a high-risk AI system on the EU market — whether as original developer, importer, or authorised representative — Article 73 creates a live operational obligation that activates the moment a serious incident is detected.

In practical terms, compliance requires three parallel workstreams. First, internal detection: organisations must have monitoring systems, logging infrastructure, and incident triage processes capable of identifying events that meet the serious-incident threshold defined in Article 3(49). An anomaly in a credit-scoring AI that causes a discriminatory lending decision at scale, or a malfunction in an AI-based medical diagnostic tool that contributes to a misdiagnosis, would both likely qualify.

Second, notification: once an incident is identified, the clock starts. A 72-hour window applies where life or safety is at immediate risk; a 15-day window applies in other cases. Organisations need pre-drafted notification templates, designated reporting contacts within their quality management systems (QMS), and clarity on which national market surveillance authority has jurisdiction — typically determined by where the affected deployer or user is located.

Third, follow-up: the initial notification is rarely the end. Authorities will request supplementary information, technical logs, and root-cause analysis. Providers should maintain an incident register and document all corrective actions taken.

A medical imaging company deploying an AI diagnostic tool in Germany and France must be prepared to notify the Bundesnetzagentur (or the designated competent authority in Germany) and the corresponding French authority simultaneously if incidents occur in both jurisdictions. The European AI Office receives consolidated data to track cross-border patterns.

Key Obligations

• Immediate notification: Report serious incidents to the competent market surveillance authority of the affected Member State without undue delay — within 72 hours where life or safety is at risk, and no later than 15 days in other cases.
• Substantive content of the report: Include a description of the incident, identification of the AI system, nature and extent of harm, corrective measures taken or planned, and references to relevant technical documentation maintained under Article 11.
• Authorised representative duty: Where the provider is established outside the EU, the authorised representative designated under Article 22 is responsible for submitting the incident report on the provider's behalf.
• Cross-instrument coordination: Where an incident also triggers reporting obligations under other Union law (e.g., MDR, NIS2, DORA), the provider may consolidate notifications, provided all regulatory information requirements are met in full.
• Information sharing by authorities: Market surveillance authorities that receive a report must share it with the European AI Office and notify authorities in other Member States where the same system is in use, enabling coordinated Union-level response.
• Incident register maintenance: Providers must maintain records of all serious incidents and near-misses as part of their post-market monitoring obligations under Article 72, ensuring traceability and audit readiness.

Relationship to Other Articles

Article 73 cannot be read in isolation. It is the notification mechanism that operationalises the broader post-market monitoring framework established in Article 72, which requires providers to maintain continuous monitoring systems and incident logging as part of their quality management system. The QMS itself is governed by Article 17, which sets out documentation and process requirements that underpin any credible incident report.

The definition of "serious incident" in Article 3(49) is the threshold trigger for Article 73 obligations, and the scope of "high-risk AI system" in Article 6 and Annex III determines which systems fall within the article's reach. Article 22 governs authorised representatives and is directly cross-referenced for non-EU providers.

At the market surveillance level, Article 73 feeds into the broader supervisory architecture of Articles 74–77 (market surveillance powers, access to information, and corrective measures). Article 78 governs confidentiality of information shared between authorities. For general-purpose AI models with systemic risk, Article 55 imposes parallel incident-reporting obligations that interact with Article 73 when such models are integrated into high-risk applications.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal of the European Union. However, its provisions apply on a phased schedule:

• 2 February 2025: Prohibitions on unacceptable-risk AI practices (Title II) became applicable.
• 2 August 2025: Obligations for general-purpose AI models (Title VIII, including Article 55 systemic-risk reporting) became applicable. The European AI Office and governance structures became operational.
• 2 August 2026: Rules applicable to high-risk AI systems listed in Annex III that are not safety components of products regulated by existing Union harmonisation legislation become applicable — Article 73 incident reporting enters full force for these systems on this date.
• 2 August 2027: Rules for high-risk AI systems that are safety components of products already covered by Union harmonisation legislation (e.g., medical devices, machinery) become applicable, completing the phased rollout.

Organisations deploying high-risk AI systems in scope of the December 2026 / August 2027 dates should treat 2025–2026 as the compliance build period: implementing post-market monitoring infrastructure, drafting incident response procedures, and stress-testing notification workflows well before the Article 73 obligations activate.