Home / Guides / EU AI Act Serious Incident Reporting
EU AI Act

EU AI Act Serious Incident Reporting (Article 73)

If you provide a high-risk AI system in the EU, one obligation deserves a plan before you need it: serious incident reporting under Article 73 of the EU AI Act. When something goes seriously wrong, the clock starts, and the deadlines are short. This guide covers who has to report, what counts as a serious incident, the reporting windows, and how to be ready.

Who has to report

The duty falls on providers of high-risk AI systems placed on the EU market. When a serious incident occurs, the provider reports it to the market surveillance authority of the Member State where the incident happened. Deployers have a related duty: they must report serious incidents to the provider, and notify the provider and the relevant authority where they identify risks to health, safety, or fundamental rights.

What counts as a serious incident

The Act defines a serious incident as one that directly or indirectly leads to a serious outcome. There are four categories:

Causation can be indirect. An AI system that produces a wrong output that a person then acts on, leading to harm, can qualify. That is why downstream effects belong in your risk thinking, not just the model's direct behaviour.

The reporting deadlines

The windows are tight, and they vary by severity:

If you cannot assemble a full report in time, the Act lets you file an initial, incomplete report and follow up with the complete version. After a report, the market surveillance authority is expected to take appropriate measures within seven days.

What you must do after reporting

Reporting is the start, not the end. The provider must investigate the incident, carry out a risk assessment, and take corrective action, cooperating with the authorities. Importantly, you must not alter the AI system in a way that could affect a later evaluation of the causes before you have informed the authorities.

Overlap with other laws is handled. Where a high-risk system is already covered by equivalent reporting duties under laws such as NIS2, DORA, or the critical entities rules, the Article 73 obligation generally narrows to fundamental-rights infringements, with other incidents reported under the sector rules.

When this applies, and why to prepare now

The obligation attaches to high-risk systems, and the main high-risk obligations were deferred to 2 December 2027 under the 2026 Digital Omnibus. The European Commission has been developing guidance and a reporting template to support the regime. None of that is a reason to wait. The deadlines are far too short to design a process during an incident, and non-compliance with reporting obligations can draw penalties of up to 15 million euros or 3 percent of worldwide annual turnover. The move to make now is to stand up a documented AI incident process, integrated with your existing security incident response, so the reporting path is known before you need it.

The turnkey option

The EU AI Act High-Risk Provider Pack

The Article 73 runbook with the 2, 10, and 15 day deadlines, plus the risk management system, Annex IV documentation, human oversight, and post-market monitoring a high-risk provider needs. Editable Word and PDF.

Common questions

Who has to report under Article 73?

Providers of high-risk AI systems placed on the EU market. Deployers must report serious incidents to the provider and notify authorities where they identify risks to health, safety, or fundamental rights.

What are the reporting deadlines?

Two days for a widespread infringement or serious critical-infrastructure disruption, ten days where a death is involved, and fifteen days for other serious incidents. An initial incomplete report is allowed, followed by a full one.

What is a serious incident under the Act?

An incident that directly or indirectly leads to death or serious harm to health, serious irreversible disruption of critical infrastructure, infringement of fundamental-rights obligations, or serious harm to property or the environment.

When does this obligation apply?

It applies to high-risk systems, whose main obligations were deferred to December 2027 under the 2026 Digital Omnibus. Given the short deadlines, building the incident process well ahead of time is the sensible move.

The Governance Brief

Stay current in five minutes a month

One regulatory change that matters, one template to use. Free.