EU AI Act Article 73: incident reporting for high-risk AI providers

What counts as a serious incident

Article 3(49) defines a serious incident as any incident or malfunction of a high-risk AI system leading directly or indirectly to: (a) death of a person, or serious damage to a person's health; (b) serious and irreversible disruption of critical infrastructure; (c) infringement of obligations under Union law intended to protect fundamental rights; (d) serious damage to property or the environment. The definition is broad - 'serious' is fact-specific and the relevant national authority makes the final assessment.

Reporting deadlines

Article 73(2): without undue delay after establishing the causal link, and at latest 15 days after awareness. Article 73(3): for incidents involving widespread infringement or serious and irreversible disruption of critical infrastructure - shorter deadline of 2 days. Article 73(4): for incidents involving deaths - immediate reporting, no later than 10 days. The clock starts on awareness, not on confirmation of causation.

Information required

Article 73(5): the report shall include all relevant information available, including: identification of the high-risk AI system, description of the incident, identification of the persons or property affected, description of the cause if known, description of corrective action taken or planned. The report can be supplemented as more information becomes available. National authorities may request additional information.

Who reports

The provider of the high-risk AI system has the primary reporting obligation under Article 73(1). For Article 25-inherited Provider status (substantial modification), the inheriting party reports. Deployers must inform the provider of relevant incidents (Article 26(6)) and may have parallel reporting obligations under sector-specific regulations (Machinery Directive vigilance, Medical Devices Regulation vigilance).

Practical compliance setup

Build the Article 73 workflow before any product release. Required elements: incident detection mechanism (customer support, internal monitoring, user reports, post-market monitoring per Article 72), incident classification rubric to determine 'serious' threshold, reporting template aligned with Article 73(5) requirements, contact list of relevant national authorities for each EU country where you operate, internal escalation chain, deadline tracking system. Test the workflow annually. Document past incidents (anonymised) in compliance archive.

Frequently asked questions

When does Article 73 take effect?

2 August 2026 for high-risk AI systems.

What is the reporting deadline?

15 days from awareness for standard serious incidents. 10 days for incidents involving deaths. 2 days for widespread infringement or critical infrastructure disruption.

Who reports - provider or deployer?

Provider primarily under Article 73(1). Deployers must inform the provider under Article 26(6) and may have parallel obligations under sector-specific rules.

Where do I report?

The national market surveillance authority in each EU country where the incident occurred or where affected persons reside. Each member state has designated authorities under Article 70.

What is the penalty for Article 73 failures?

Up to €15M or 3% of global turnover under Article 99(4). Failure to report serious incidents is treated similarly to other high-risk obligation failures.

Sources

• https://eur-lex.europa.eu/eli/reg/2024/1689/oj