Article 72: Post-Market Monitoring
Article 72 requires providers of high-risk AI systems to establish and maintain a post-market monitoring system proportionate to the risks and nature of the AI system. The system must actively collect and review relevant data — including data from deployers — to update risk management, technical documentation, and conformity processes throughout the system's lifecycle. The provider must produce a documented post-market monitoring plan as part of the Annex IV technical documentation. Monitoring outputs feed into Article 73 serious incident reporting and Article 9 risk management updates.
Who does this apply to?
- -Providers of high-risk AI systems under Article 6
- -Quality, safety, and regulatory teams responsible for post-market activities
- -Deployers who supply usage data to providers under contractual arrangements
- -Market surveillance authorities reviewing post-market monitoring evidence
Scenarios
A provider never reviews field incidents or customer complaints after launch.
Quarterly reviews feed model recalibration and updated IFU warnings.
System and plan
Providers must implement a post-market monitoring system that actively collects and reviews performance data, including from deployers where contracts allow. A written plan must describe how monitoring is organised, data sources, and how findings feed back into risk management, technical documentation, and conformity processes.
Serious incidents
Monitoring must surface issues that may qualify as serious incidents under Article 3 point (49) and trigger Article 73 reporting timelines. Integrate with product safety and cybersecurity incident response.
Compliance checklist
- Publish an internal post-market monitoring SOP with RACI roles.
- Contract for telemetry or structured feedback from deployers where lawful.
- Connect monitoring outputs to change control and versioning.
- Train support to escalate suspected serious incidents within legal timelines.
- Archive monitoring reports for notified body or authority review.
Link monitoring to your AI governance hub—start the free assessment.
Start Free AssessmentRelated Articles
Related annexes
- Annex IV — Technical documentation
Frequently asked questions
Is post-market monitoring the same as MDR post-market surveillance?
Conceptually similar for medical devices, but Article 72 is AI Act-specific. If your product is dual-regulated, integrate both programmes rather than duplicating conflicting reports.
Must deployers contribute data to the post-market monitoring plan?
Article 72(2) requires providers to collect and analyse relevant data on the performance of the system from deployers or other sources. Deployers must cooperate with providers, including sharing incident reports and usage data relevant to evaluating the system's continued compliance with Articles 9-15.
How does post-market monitoring differ from serious incident reporting?
Post-market monitoring (Article 72) is a continuous, proactive process of collecting performance data to identify non-conformity risks early. Serious incident reporting (Article 73) is a reactive obligation triggered when a specific incident causes or could cause harm. Both are required for providers of high-risk AI systems.