EU AI Act Serious Incident Reporting (Article 73)
If you provide a high-risk AI system in the EU, one obligation deserves a plan before you need it: serious incident reporting under Article 73 of the EU AI Act. When something goes seriously wrong, the clock starts, and the deadlines are short. This guide covers who has to report, what counts as a serious incident, the reporting windows, and how to be ready.
Who has to report
The duty falls on providers of high-risk AI systems placed on the EU market. When a serious incident occurs, the provider reports it to the market surveillance authority of the Member State where the incident happened. Deployers have a related duty: they must report serious incidents to the provider, and notify the provider and the relevant authority where they identify risks to health, safety, or fundamental rights.
What counts as a serious incident
The Act defines a serious incident as one that directly or indirectly leads to a serious outcome. There are four categories:
- The death of a person, or serious harm to a person's health.
- A serious and irreversible disruption of the management or operation of critical infrastructure.
- An infringement of obligations under EU law intended to protect fundamental rights.
- Serious harm to property or the environment.
Causation can be indirect. An AI system that produces a wrong output that a person then acts on, leading to harm, can qualify. That is why downstream effects belong in your risk thinking, not just the model's direct behaviour.
The reporting deadlines
The windows are tight, and they vary by severity:
- Two days for a widespread infringement, or a serious and irreversible disruption of critical infrastructure.
- Ten days where the death of a person is involved.
- Fifteen days for other serious incidents, reported without undue delay once you establish a causal link or its reasonable likelihood.
If you cannot assemble a full report in time, the Act lets you file an initial, incomplete report and follow up with the complete version. After a report, the market surveillance authority is expected to take appropriate measures within seven days.
What you must do after reporting
Reporting is the start, not the end. The provider must investigate the incident, carry out a risk assessment, and take corrective action, cooperating with the authorities. Importantly, you must not alter the AI system in a way that could affect a later evaluation of the causes before you have informed the authorities.
When this applies, and why to prepare now
The obligation attaches to high-risk systems, and the main high-risk obligations were deferred to 2 December 2027 under the 2026 Digital Omnibus. The European Commission has been developing guidance and a reporting template to support the regime. None of that is a reason to wait. The deadlines are far too short to design a process during an incident, and non-compliance with reporting obligations can draw penalties of up to 15 million euros or 3 percent of worldwide annual turnover. The move to make now is to stand up a documented AI incident process, integrated with your existing security incident response, so the reporting path is known before you need it.
Common questions
Providers of high-risk AI systems placed on the EU market. Deployers must report serious incidents to the provider and notify authorities where they identify risks to health, safety, or fundamental rights.
Two days for a widespread infringement or serious critical-infrastructure disruption, ten days where a death is involved, and fifteen days for other serious incidents. An initial incomplete report is allowed, followed by a full one.
An incident that directly or indirectly leads to death or serious harm to health, serious irreversible disruption of critical infrastructure, infringement of fundamental-rights obligations, or serious harm to property or the environment.
It applies to high-risk systems, whose main obligations were deferred to December 2027 under the 2026 Digital Omnibus. Given the short deadlines, building the incident process well ahead of time is the sensible move.