Quick answer

Article 73 of the EU AI Act requires providers of high-risk AI systems to report serious incidents to the market surveillance authorities of the Member State where the incident occurred, immediately after establishing a causal link or its reasonable likelihood, and at the latest within 15 days of awareness, shortened to 10 days for deaths and 2 days for widespread infringements or serious irreversible disruption of critical infrastructure.

Updated June 2026 · MmowW AI Compliance

EU AI Act Article 73: Serious Incident Reporting Duties and Deadlines

What Article 73 Covers

Article 73 of Regulation (EU) 2024/1689 is the emergency-line provision of the AI Act. Where Article 72 monitors the routine, Article 73 governs the exceptional: providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred.

The definition comes from Article 3(49). A serious incident is an incident or malfunctioning of an AI system that directly or indirectly leads to any of the following: the death of a person, or serious harm to a person's health; a serious and irreversible disruption of the management or operation of critical infrastructure; the infringement of obligations under Union law intended to protect fundamental rights; or serious harm to property or the environment.

The Reporting Deadlines

Article 73 sets a layered clock that compliance teams must know precisely:

The period for reporting shall take account of the severity of the incident, and where necessary to ensure timely reporting, the provider or deployer may submit an initial report that is incomplete, followed by a complete report. After reporting, the provider shall, without delay, perform the necessary investigations in relation to the serious incident and the AI system concerned, including a risk assessment of the incident and corrective action. A critical procedural rule sits here: the provider shall cooperate with the competent authorities and, where relevant, the notified body concerned, and shall not perform any investigation which involves altering the AI system concerned in a way which may affect any subsequent evaluation of the causes of the incident, prior to informing the competent authorities of such action.

Overlap with Other Reporting Regimes

Article 73 avoids double reporting in two situations. For high-risk AI systems referred to in Annex III placed on the market by providers that are subject to Union legislative instruments laying down reporting obligations equivalent to those of the AI Act, the notification of serious incidents is limited to the infringement of obligations under Union law intended to protect fundamental rights. Similarly, for high-risk AI systems that are safety components of devices, or are themselves devices, covered by the medical devices regulations, Regulations (EU) 2017/745 and 2017/746, the notification under the AI Act is likewise limited to the fundamental-rights category, with other incident types reported under the sectoral regime. Upon receiving a notification related to a fundamental-rights incident, the market surveillance authority shall inform the national public authorities or bodies referred to in Article 77(1).

The Commission is tasked with developing dedicated guidance to facilitate compliance, to be issued by August 2, 2025, with periodic assessment thereafter, and follow-up powers for authorities, including the measures in Article 19 of Regulation (EU) 2019/1020, structure the aftermath.

How to Build an Article 73 Process in Practice

  1. Translate the four serious-incident categories into recognition criteria your support, engineering and operations teams can apply, with worked examples relevant to your system.
  2. Build the intake-to-decision pipeline: any employee or deployer report enters triage, a designated owner assesses causal link plausibility, and a decision to report is taken against the statutory clocks, which run from awareness, not from completed analysis.
  3. Pre-draft report skeletons per category, identify the market surveillance authorities of the Member States where your systems operate, and know their submission channels.
  4. Encode the evidence-preservation rule: no fixes that alter the system in ways affecting later causal evaluation before authorities are informed of the planned action. This requires explicit coordination between incident response engineers and the compliance owner.
  5. Connect the pipeline to Articles 20 and 72: monitoring detects, corrective action remedies, Article 73 reports, and all three share one event record.
  6. Contract the deployer interface: deployers also carry incident-related duties under Article 26(5), and your agreements should define how their reports reach you within hours, not weeks.

A Concrete Example

A provider's high-risk AI system manages access decisions for essential public benefits at a national agency. A model defect causes a batch of wrongful automated rejections that effectively deny eligible applicants their statutory entitlements, an infringement of obligations protecting fundamental rights. The agency flags anomalies on a Tuesday; the provider's triage confirms by Thursday that a causal link is reasonably likely. The provider files an initial, partly incomplete report with the market surveillance authority well within the 15-day limit, freezes the affected model version without destroying the inference logs, informs the authority before deploying the corrective patch, completes the investigation with a risk assessment, and follows with the complete report and the Article 20 notifications to the deployer chain.

How Article 73 Connects to Other Provisions

Article 73 sits at the junction of the post-market chapter: Article 72 monitoring typically surfaces the events, Article 20 governs the corrective actions, Article 12 logs and Article 18 retention supply the evidence, and the Article 17 quality management system must contain the incident reporting procedures. Deployer duties in Article 26 feed the awareness clock. Authorities act on reports through the market surveillance powers of Chapter IX, including Article 79 procedures for systems presenting risks. Failure to report within the deadlines is non-compliance with operator obligations, sanctionable under Article 99 with fines up to 15 million euros or 3 percent of total worldwide annual turnover.

Actions to Take Before August 2, 2026

Incident reporting fails on speed, and speed comes from preparation. Before the high-risk regime applies on August 2, 2026, providers should run a tabletop exercise against each deadline tier, finalise authority contact maps for every Member State they serve, align deployer contracts on notification timing, and review the Commission guidance. An organisation that first reads Article 73 during its first serious incident has already lost most of its 15 days. This article provides general information about Regulation (EU) 2024/1689 and is not advice on any specific incident.

Check your AI compliance readiness — free.

Take the Readiness Check 3 minutes · 10 questions · no signup required

This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.