GovCompass
Knowledge base

Art. 73 EU AI Act: Incident Reporting to Supervisory Authorities

Updated: June 2026 — full revision to Validai quality standard

Introduction: The Incident Reporting Framework

Art. 73 of the EU AI Act creates an incident reporting obligation for deployers of high-risk AI systems: "Deployers of high-risk AI systems shall report any serious incident to the relevant market surveillance authority." This connects the EU AI Act's incident regime to the existing regulatory framework for product safety reporting — adapting it to the AI context.

What Is a "Serious Incident"?

Art. 3.49 defines a serious incident as any incident or malfunction of a high-risk AI system that directly or indirectly leads, or might reasonably be expected to lead, to:

  1. The death of a person or serious damage to their health
  2. A serious and irreversible disruption of the management and operation of critical infrastructure
  3. The infringement of obligations under Union law intended to protect fundamental rights
  4. Serious damage to property or the environment

The phrase "might reasonably be expected to lead" is significant — this is a prospective standard. Deployers must report not only incidents where harm has occurred, but also near-misses where serious harm was a reasonably foreseeable consequence of the AI system's behaviour.

Reporting Timelines

Unlike GDPR breach reporting (72-hour rule), the EU AI Act does not specify a single reporting deadline. Instead, reporting should occur "without undue delay" — interpreted in guidance as meaning within 15 business days of becoming aware of the serious incident for most cases. For incidents involving immediate risk to life, authorities expect notification within 24–48 hours.

The Reporting Process

Step 1: Incident Detection

Incidents may be detected through: post-market monitoring systems (Art. 26.5), user complaints, staff reports, or external notifications from affected individuals. Your incident detection capability is only as good as your monitoring programme.

Step 2: Preliminary Assessment

Assess whether the incident meets the "serious incident" threshold under Art. 3.49. Document this assessment with the reasoning. Conservative classification is advisable — if in doubt, report.

Step 3: Notification to Provider

Before or simultaneously with regulatory reporting, notify the AI system provider. The provider has obligations under Art. 73.4 to cooperate in the investigation and may need to take corrective action. Document your notification.

Step 4: Regulatory Reporting

In the Netherlands, the designated market surveillance authority for the EU AI Act is the Autoriteit Persoonsgegevens (AP). Report using the authority's designated incident reporting channel. Required content: incident description, system identification, population affected, immediate measures taken, and provider notification status.

Step 5: Post-Incident Review

Conduct a structured post-incident review to identify root cause and implement preventive measures. Document the review and update your risk assessment.

Compliance Checklist

  1. Does your incident management policy explicitly cover AI incidents under Art. 73?
  2. Is there a documented procedure for assessing whether an AI incident meets the "serious incident" threshold?
  3. Is the AP's incident reporting channel known to your AI governance team?
  4. Is there a notification procedure for informing AI providers of incidents?
  5. Are AI incidents logged, reviewed, and actioned post-incident?
  6. Is incident reporting responsibility assigned to a named person or function?

Legal references: Art. 73