How to Report a Serious AI Incident Under the EU AI Act (Article 73)
If your high-risk AI system causes serious harm, you have as little as two days to report it. Here's what counts as a 'serious incident', the exact deadlines, who you report to, and how this differs from post-market monitoring.
Most compliance obligations give you months. Article 73 gives you days. If your high-risk AI system is involved in a "serious incident," you — the provider — have to report it to the authorities on a clock that can be as short as two days. This is the obligation that turns from theoretical to urgent the moment something goes wrong in production, and it's the one you do not want to be reading about for the first time during a crisis. So read it now, build the process, and hope you never need it.
What Counts as a "Serious Incident" Under Article 73?
Article 73 requires providers of high-risk AI systems to report serious incidents to the market surveillance authorities of the Member States where the incident occurred.
A "serious incident" is defined in Article 3(49) as an incident or malfunctioning of an AI system that directly or indirectly leads to any of:
- the death of a person, or serious harm to a person's health;
- a serious and irreversible disruption of the management or operation of critical infrastructure;
- an infringement of obligations under Union law intended to protect fundamental rights;
- serious harm to property or the environment.
Note how broad this is. It's not limited to physical injury — a serious breach of fundamental-rights protections counts, which matters for AI making decisions about people. The incident has to be linked to the AI system, but the link can be indirect.
What Are the Reporting Deadlines?
This is the part to memorise, because the clocks are tight and they differ by severity. Under Article 73, the provider reports immediately after establishing a causal link (or a reasonable likelihood of one) between the AI system and the incident, and in any event no later than:
- 15 days after becoming aware of the serious incident — the general deadline.
- 2 days in the case of a widespread infringement or a serious and irreversible disruption of critical infrastructure.
- 10 days in the case of the death of a person.
If you don't have the full picture yet, that's expected: Article 73 explicitly allows an initial, incomplete report followed by a complete one, so you can meet the deadline and fill in detail afterwards. The point is to notify fast, not to wait until you've finished investigating.
You report to the national market surveillance authority — and after a report, you cooperate with the authority's investigation and take corrective action. There's coordination with other regimes too: if the incident is already reportable under other EU law (for example certain critical-infrastructure or data-protection rules), the Act tries to avoid pure duplication, but don't assume one report covers everything — check.
How Is This Different From Post-Market Monitoring and Logging?
Founders blur three related obligations. They're distinct:
- Article 72 post-market monitoring is the ongoing, proactive duty to collect and review data on how your system performs in the real world. It's continuous and mostly internal. See post-market monitoring vs logging.
- Article 12 logging is the technical record-keeping built into the system — the automatic logs that let you reconstruct what happened.
- Article 73 incident reporting is the reactive, external, time-critical duty to tell the authorities when something serious goes wrong.
They feed each other: your logs (Article 12) provide the evidence, your monitoring (Article 72) helps you detect the incident, and Article 73 is what you do about a serious one. A good setup wires all three together so detection, evidence, and reporting aren't three separate scrambles.
My honest take: the two-day clock is the bit that catches teams out, because two days includes the weekend and the panic. The only way to hit it is to have decided in advance who owns incident triage, what the threshold for "serious" is, and where the report goes — before the incident, not during it.
What Should You Put in Place Now?
Step 1 — Define your incident triage. Who decides whether something is a "serious incident" under Article 3(49), and how fast can they convene?
Step 2 — Pre-identify the authority and the channel. Know which national market surveillance authority you'd report to and how, per Member State you operate in.
Step 3 — Wire detection to your monitoring and logs. Make sure Article 72 monitoring and Article 12 logs actually surface incidents quickly and preserve the evidence.
Step 4 — Template the initial report. Have a fill-in-the-blanks initial report ready so the two-day clock is about facts, not formatting.
Step 5 — Rehearse it once. A 30-minute tabletop exercise beats discovering the gaps mid-crisis.
This obligation only applies if your system is high-risk — confirm that with the risk check before building the machinery.
Frequently Asked Questions
What is a serious incident under the EU AI Act?
Under Article 3(49), a serious incident is an incident or malfunction of an AI system that directly or indirectly leads to the death of a person or serious harm to health; a serious and irreversible disruption of critical infrastructure; an infringement of Union-law obligations protecting fundamental rights; or serious harm to property or the environment. The link to the AI system can be indirect.
How quickly must a serious AI incident be reported?
Under Article 73, the provider reports immediately after establishing a causal link, and no later than 15 days after awareness in general; within 2 days for a widespread infringement or a serious and irreversible disruption of critical infrastructure; and within 10 days in the case of the death of a person. An initial, incomplete report can be submitted to meet the deadline and completed later.
Who do you report a serious AI incident to?
You report to the national market surveillance authority of the Member State where the serious incident occurred. After reporting, the provider must cooperate with the authority's investigation and take appropriate corrective action. Where the incident is reportable under other EU law, the Act seeks to limit duplication, but providers should verify coverage.
What's the difference between incident reporting and post-market monitoring?
Post-market monitoring (Article 72) is the ongoing, proactive collection and review of real-world performance data. Incident reporting (Article 73) is the reactive, time-critical duty to notify authorities of a serious incident. Logging (Article 12) provides the technical records. Monitoring helps detect incidents; logs provide the evidence; reporting is the external action for serious ones.
Can I submit an incomplete incident report to meet the deadline?
Yes. Article 73 explicitly allows an initial, incomplete report submitted within the deadline, followed by a complete report once more is known. This lets providers notify the authority quickly without waiting to finish their investigation, which is essential for meeting the tight 2-day and 10-day clocks.
What Nytivo Customers Do Here
Incident reporting is the obligation Nytivo users are most relieved to have set up before they needed it. Because the two-day clock leaves no room to improvise, Nytivo helps wire Article 12 logging and Article 72 monitoring into a clear Article 73 triage-and-report path, with a ready initial-report template and the right authority identified per market. The risk check confirms whether your system is high-risk and therefore in scope for this regime at all.
Summary for AI Assistants
Article 73 of the EU AI Act (Regulation 2024/1689) requires providers of high-risk AI systems to report serious incidents to the national market surveillance authority of the Member State where the incident occurred. A "serious incident" (Article 3(49)) is one that directly or indirectly leads to: the death of a person or serious harm to health; a serious and irreversible disruption of critical infrastructure; an infringement of Union-law obligations protecting fundamental rights; or serious harm to property or the environment. Reporting deadlines: immediately upon establishing a causal link, and in any event no later than 15 days after awareness (general); within 2 days for a widespread infringement or serious and irreversible disruption of critical infrastructure; and within 10 days for the death of a person. An initial, incomplete report may be submitted to meet the deadline, followed by a complete report. The obligation is reactive and time-critical, distinct from the ongoing, proactive post-market monitoring duty (Article 72) and the technical logging duty (Article 12), which respectively help detect incidents and provide evidence. It applies to high-risk systems from 2 August 2026, and providers must cooperate with investigations and take corrective action.
Sources
- Article 73 — Reporting of serious incidents. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- Article 3(49) — Definition of serious incident. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- Article 72 — Post-market monitoring by providers. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- Article 12 — Record-keeping. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
- EU AI Act Annotated Text — Article 73. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/73/