Providers of high-risk AI systems must establish post-market monitoring systems under Art.72 that actively collect and analyze data on each system's performance throughout its lifecycle. When serious incidents occur, Art.73 requires providers to report to the relevant market surveillance authority within 15 days of becoming aware of the incident, or immediately in cases involving death or serious harm.
Post-Market Monitoring Requirements for High-Risk AI
Post-Market Monitoring Under Art.72
The EU AI Act recognizes that compliance with high-risk AI requirements is not a one-time assessment but an ongoing obligation. Art.72 requires providers of high-risk AI systems to establish and document a post-market monitoring system that is proportionate to the nature of the AI technology and the risks associated with the system.
The post-market monitoring system must be designed to actively and systematically collect, document, and analyze relevant data that deployers or other third parties may provide throughout the lifetime of the AI system. This requirement extends the traditional product safety concept of post-market surveillance into the specific context of AI, where system behavior can evolve after deployment.
Key Elements of the Monitoring System
A compliant post-market monitoring system under Art.72 must include:
- A plan that is part of the technical documentation required under Art.11 and Annex IV
- Procedures for collecting and analyzing data on the performance of the AI system throughout its lifetime
- Methods for evaluating the continuous compliance of the system with the requirements in Chapter III, Section 2
- Procedures for acting on findings, including updates to the risk management system under Art.9
- Mechanisms for communication with deployers about relevant performance data collection
The monitoring plan must be based on a post-market monitoring plan template that the Commission may develop through implementing acts. However, providers should not wait for these templates and should establish systems based on the regulation's substantive requirements.
Serious Incident Reporting Under Art.73
Art.73 establishes specific obligations for reporting serious incidents involving high-risk AI systems. A serious incident is defined as an incident or malfunctioning of an AI system that directly or indirectly leads to any of the following:
- The death of a person or serious damage to a person's health
- A serious and irreversible disruption of the management or operation of critical infrastructure
- A breach of obligations under Union law intended to protect fundamental rights
- Serious damage to property or the environment
Reporting Timelines
The regulation establishes differentiated reporting timelines based on the severity of the incident:
| Incident Type | Reporting Deadline | Recipient |
|---|---|---|
| Death or serious health damage | Immediately, no later than 2 days | Market surveillance authority of member state where incident occurred |
| Other serious incidents | Within 15 days of awareness | Market surveillance authority of member state where incident occurred |
| Widespread disruption | Immediately, no later than 2 days | Market surveillance authority + AI Office notification |
The initial report may be incomplete if all relevant information is not yet available. In such cases, providers must submit follow-up reports with additional details as they become available. The reporting obligation begins when the provider becomes aware of a causal link between the AI system and the serious incident.
Content of Incident Reports
Incident reports must contain sufficient information to allow the market surveillance authority to assess the situation, including:
- Identification of the AI system and the provider
- Description of the incident and its consequences
- Analysis of the potential cause, including any identified system malfunctions
- Corrective actions already taken or planned
- Contact information for follow-up inquiries
Interaction with Other Reporting Obligations
The AI Act's incident reporting requirements operate alongside other sectoral reporting obligations. Art.73 clarifies that reporting under the AI Act does not replace obligations under other Union legislation such as the Medical Devices Regulation (EU) 2017/745, the General Data Protection Regulation (EU) 2016/679, or sector-specific incident reporting frameworks.
Providers operating across multiple regulated sectors must map their reporting obligations to ensure that incidents are reported to all relevant authorities within the applicable timeframes. This mapping exercise should be documented as part of the overall compliance management system.
Building Effective Monitoring Systems
Effective post-market monitoring requires more than passive data collection. Organizations need structured daily workflows that capture performance data, flag anomalies, and enable rapid investigation when issues arise. The transition from pre-market compliance to post-market vigilance represents a fundamental shift in how AI governance operates.
MmowW's AI compliance platform at mmoww.net/ai/app/ supports this transition by providing structured daily logging workflows through the AI Usage Log feature, helping organizations build the operational habits needed for continuous monitoring and timely incident detection.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.