When does the post-market monitoring obligation begin?

The obligation applies from the moment the high-risk AI system is placed on the market or put into service. The monitoring plan should be established during development as part of the technical documentation.

How long must post-market monitoring continue?

Monitoring must continue throughout the entire lifetime of the AI system. It does not end after a certain period but continues as long as the system is in use.

What happens if monitoring reveals non-compliance?

The provider must take corrective action to bring the system into compliance. If the non-compliance presents a risk, the provider must inform deployers and, where appropriate, market surveillance authorities. Article 20 requires corrective action when the system does not conform to requirements.

Do deployers need their own monitoring systems?

Deployers must monitor operation based on provider instructions and report issues to the provider. The extent of monitoring depends on the deployer's role and the nature of the AI system.

How does post-market monitoring relate to GDPR data protection impact assessments?

Where the AI system processes personal data, post-market monitoring should be coordinated with GDPR obligations including data protection impact assessments. Monitoring data itself must be collected and processed in compliance with data protection requirements.

Quick answer

EU AI Act Article 72 requires providers of high-risk AI systems to establish proportionate post-market monitoring systems that actively collect and analyze data on system performance throughout its lifecycle, feeding into the conformity assessment and risk management processes.

Updated June 2026 · MmowW AI Compliance

Post-Market Monitoring Under the EU AI Act (Article 72): Requirements and Implementation (2026)

Article 72 Requirements

The EU AI Act establishes mandatory post-market monitoring for providers of high-risk AI systems. Article 72 requires providers to establish and document a post-market monitoring system in a manner that is proportionate to the nature of the AI technologies and the risks of the high-risk AI system.

Post-Market Monitoring Plan

Providers must establish a post-market monitoring plan as part of the technical documentation required under Article 11. The plan should cover the following elements.

Plan Components

Identification of data to be collected and monitored
Methods for data collection and analysis
Frequency and timing of monitoring activities
Criteria and thresholds for triggering corrective actions
Procedures for communication with market surveillance authorities
Mechanisms for collecting feedback from deployers and affected persons

Data Collection Requirements

Article 72(2) specifies that the post-market monitoring system shall actively and systematically collect, document, and analyze relevant data. Sources include the following.

Data Source	Type of Data	Collection Method
AI system logs	Performance metrics, error rates, usage patterns	Automated logging (Article 12)
Deployer feedback	Operational issues, user complaints, near-misses	Reporting channels, surveys
Affected persons	Complaints, adverse outcomes	Complaint mechanisms, public feedback
Market surveillance authorities	Enforcement actions, guidance updates	Regulatory monitoring
Scientific and technical literature	Emerging risks, new methodologies	Literature review

Relationship to Conformity Assessment

Post-market monitoring feeds into the ongoing conformity assessment process. If monitoring reveals that the AI system no longer meets the essential requirements of the EU AI Act, the provider must take corrective actions. Significant changes may trigger a new conformity assessment.

Serious Incident Reporting

Article 73 complements post-market monitoring with specific serious incident reporting obligations. Providers and deployers must report serious incidents to market surveillance authorities. The post-market monitoring system should be designed to detect serious incidents promptly.

Serious Incident Definition

A serious incident is an incident or malfunction that directly or indirectly leads to death or serious damage to health, property, or the environment, or a serious and irreversible disruption of critical infrastructure management.

Implementation Steps

Map all high-risk AI systems subject to Article 72
Identify data sources for each system
Design data collection mechanisms (automated and manual)
Define performance thresholds and alert criteria
Establish analysis procedures and reporting workflows
Document the post-market monitoring plan
Integrate the plan into technical documentation
Train relevant personnel on their monitoring responsibilities
Test the monitoring system before deployment
Review and update the plan at defined intervals

Deployer Obligations

While the primary monitoring obligation falls on providers, deployers of high-risk AI systems also have responsibilities. Deployers must monitor the operation of the AI system based on the instructions of use and inform the provider about any risks and serious incidents they become aware of.

Documentation and Record-Keeping

All monitoring data, analysis results, and actions taken must be documented and retained. Article 18 requires that technical documentation (which includes the post-market monitoring plan) be kept for 10 years after the AI system is placed on the market or put into service.

Integration with Quality Management

The post-market monitoring system should be integrated with the provider's quality management system required under Article 17. This integration ensures that monitoring findings feed into the continuous improvement cycle and that corrective actions are tracked through established quality processes.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.