GovCompass
Knowledge base

Art. 73 EU AI Act: incident reporting to supervisory authorities

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Art. 73 requires deployers and providers to report serious incidents involving high-risk AI to the competent market-surveillance authority without undue delay, within roughly 15 days for most incidents. An incident that is also a personal-data breach must additionally be reported under GDPR Art. 33.

Updated: June 2026

Introduction: the incident reporting framework

Art. 73 of the EU AI Act creates an incident reporting obligation for deployers of high-risk AI systems: "Deployers of high-risk AI systems shall report any serious incident to the relevant market surveillance authority." This connects the EU AI Act's incident regime to the existing regulatory framework for product safety reporting, adapting it to the AI context.

What is a "serious incident"?

Art. 3.49 defines a serious incident as any incident or malfunction of a high-risk AI system that directly or indirectly leads, or might reasonably be expected to lead, to:

  1. The death of a person or serious damage to their health
  2. A serious and irreversible disruption of the management and operation of critical infrastructure
  3. The infringement of obligations under Union law intended to protect fundamental rights
  4. Serious damage to property or the environment

The phrase "might reasonably be expected to lead" is significant: this is a prospective standard. Deployers must report not only incidents where harm has occurred, but also near-misses where serious harm was a reasonably foreseeable consequence of the AI system's behaviour.

Reporting timelines

Unlike GDPR breach reporting (72-hour rule), the EU AI Act does not specify a single reporting deadline. Instead, reporting should occur "without undue delay", interpreted in guidance as meaning within 15 business days of becoming aware of the serious incident for most cases. For incidents involving immediate risk to life, authorities expect notification within 24–48 hours.

The reporting process

Step 1: incident detection

Incidents may be detected through: post-market monitoring systems (Art. 26.5), user complaints, staff reports, or external notifications from affected individuals. Your incident detection capability is only as good as your monitoring programme.

Step 2: preliminary assessment

Assess whether the incident meets the "serious incident" threshold under Art. 3.49. Document this assessment with the reasoning. Conservative classification is advisable: if in doubt, report.

Step 3: notification to provider

Before or simultaneously with regulatory reporting, notify the AI system provider. The provider has obligations under Art. 73.4 to cooperate in the investigation and may need to take corrective action. Document your notification.

Step 4: regulatory reporting

In the Netherlands, the designated market surveillance authority for the EU AI Act is the Autoriteit Persoonsgegevens (AP). Report using the authority's designated incident reporting channel. Required content: incident description, system identification, population affected, immediate measures taken, and provider notification status.

Step 5: post-incident review

Conduct a structured post-incident review to identify root cause and implement preventive measures. Document the review and update your risk assessment.

Compliance checklist

  1. Does your incident management policy explicitly cover AI incidents under Art. 73?
  2. Is there a documented procedure for assessing whether an AI incident meets the "serious incident" threshold?
  3. Is the AP's incident reporting channel known to your AI governance team?
  4. Is there a notification procedure for informing AI providers of incidents?
  5. Are AI incidents logged, reviewed, and actioned post-incident?
  6. Is incident reporting responsibility assigned to a named person or function?

Legal references: Art. 73

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

More on Safety & reliability

Art. 14 EU AI Act: designing high-risk AI for human oversight

Reference

Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 26.4 EU AI Act: input data quality for deployers

Reference

Art. 26.4 requires deployers of high-risk AI to ensure that input data is relevant and sufficiently representative for the system's intended purpose. The deployer is responsible for data quality in operation, even though the provider sets the specifications under Art. 10.

Art. 26.5 EU AI Act: post-market monitoring for deployers

Reference

Art. 26.5 requires deployers of high-risk AI to monitor the system's operation against the provider's instructions and to report risks and serious incidents. Monitoring is the early-warning mechanism that connects to incident reporting under Art. 73.

Art. 5 EU AI Act: all 8 prohibited AI practices explained

Reference

Art. 5 lists the eight prohibited AI practices, including subliminal manipulation, exploitation of vulnerable groups, social scoring, and untargeted facial-recognition scraping. These prohibitions are absolute, apply to every organisation regardless of size, and have been in force since 2 February 2025.