Reporting serious AI incidents: what does AI Act Art. 73 require?
Adopted 2026-06-16 Β· ≈ 2 min read Β· 
edited by Dirk Baaijen
Providers of high-risk AI must report serious incidents to the market surveillance authority: without undue delay and within 15 days at most, shorter (2-10 days) in case of death or a widespread infringement.
Short answer: Article 73 of the AI Act requires providers of high-risk AI systems to report serious incidents to the market surveillance authority of the Member State where the incident occurred. This must happen without undue delay and within 15 days at most; shorter deadlines of 2 to 10 days apply in case of death or a widespread infringement.
What counts as a serious incident?
Article 3 of the AI Act defines a "serious incident" as an incident or malfunctioning that directly or indirectly leads to one of the following:
- The death or serious harm to the health of a person.
- A serious and irreversible disruption of the management or operation of critical infrastructure.
- An infringement of obligations under Union law intended to protect fundamental rights.
- Serious harm to property or the environment.
The link to the AI system need not be proven with certainty: a reasonable suspicion of a causal connection is enough to trigger the reporting duty.
Who must report, and when?
The reporting duty rests primarily with the provider of the high-risk system. Where relevant, the deployer can also have a role: they must inform the provider as soon as they identify a serious incident.
The deadlines are layered:
- Standard: report without undue delay, and in any case no later than 15 days after the provider became aware of the incident.
- Widespread infringement or death of a person: no later than 2 days (death) to 10 days (widespread infringement).
- Where information is incomplete, you may file an initial report first and complete it later with a full report.
Connection with post-market monitoring
Article 73 does not stand alone. Article 72 requires providers to maintain a system of post-market monitoring: the systematic collection and analysis of performance data once a system is on the market. That monitoring system is the source that surfaces serious incidents. Together, Arts 72 and 73 form the loop between observing, reporting and correcting.
What to put in place now
- Document a reporting process: who detects, who assesses whether something is a serious incident, and who reports within the deadline.
- Identify the competent authority in each Member State where your system operates.
- Secure the chain with deployers, so that field incidents reach you in time.
Note: enforcement of the high-risk obligations applies in phases. Align your internal planning with the application dates set out in the Regulation.
Read more: AI Act: timeline of obligations. Take the scan.
Sources
- https://eur-lex.europa.eu/eli/reg/2024/1689/oj
Regulation (EU) 2024/1689 (AI Act), Arts 72-73: monitoring and incident reporting.
Read next
National supervisors: how AI Act enforcement is divided (the Dutch case)
The AI Act is largely enforced nationally. In the Netherlands a draft Implementation Act (consultation 20 Aprilβ1 June 2026) gives the AP and RDI a coordinating role over ten existing market surveillance authorities, with the AFM and DNB supervising the financial sector.
The AI Act for non-EU companies: extraterritorial reach
The AI Act also applies to companies outside the EU if their AI system or its output is used in the Union. Non-EU providers often have to appoint an authorised representative in the EU.
The EU declaration of conformity under the AI Act (Article 47)
The EU declaration of conformity is the written statement by which the provider itself confirms that a high-risk AI system meets the AI Act. Article 47 sets out its content, language and retention; the provider bears full responsibility for it.