Article 73: Reporting of Serious Incidents
Article 73 requires providers of high-risk AI systems to report serious incidents to the market surveillance authorities of the Member State(s) where the incident occurred. Reports must be made immediately after the provider establishes a causal link (or reasonable likelihood) between the AI system and the incident, and no later than 15 days after becoming aware. For death or serious damage to health, an initial report must be submitted immediately and no later than 2 days after awareness. The article also covers follow-up reporting, deployer cooperation, and interaction with sectoral incident reporting. Always verify on EUR-Lex.
Who does this apply to?
- -Providers of high-risk AI systems who become aware of serious incidents
- -Deployers who must cooperate with providers and authorities on incident investigation
- -Market surveillance authorities receiving and acting on incident reports
- -Incident response and legal teams designing reporting workflows
Scenarios
A high-risk AI medical triage system misclassifies a critical patient, contributing to delayed treatment and serious harm.
A high-risk credit scoring AI systematically denies applications to a protected group due to a data drift issue discovered in post-market monitoring.
A deployer notices anomalous behaviour in a high-risk employment AI but the provider has not yet been informed.
What counts as a serious incident (plain terms)
A serious incident is defined in Article 3(49) as an incident or malfunction of an AI system that directly or indirectly leads to:
- Death of a person
- Serious damage to health of a person
- Serious and irreversible disruption of the management or operation of critical infrastructure
- Breach of obligations under Union law intended to protect fundamental rights
- Serious damage to property or the environment
The threshold is functional harm, not just technical malfunction. A near-miss that could have caused the above may also warrant reporting depending on the facts.
Reporting timelines
Article 73 establishes two-track reporting deadlines:
Track 1 — Death or serious health damage: - Initial report: Immediately, and no later than 2 days after the provider becomes aware of the incident - Follow-up report: Within 15 days with additional investigation details
Track 2 — Other serious incidents (fundamental rights, critical infrastructure, property, environment): - Report: Immediately after establishing the causal link between the AI system and the incident, and no later than 15 days after becoming aware
All timelines run from awareness — providers must have internal processes to surface potential incidents quickly from post-market monitoring (Article 72).
What the report must contain
Reports must include at minimum: - Identification of the provider and the high-risk AI system - Description of the serious incident and circumstances - The date and location of the incident - Assessment of the causal link or reasonable likelihood - Corrective measures taken or planned
The Commission may adopt implementing acts specifying report templates and formats.
How Article 73 connects to the rest of the Act
- Article 3(49) — Definition of serious incident.
- Article 17 — QMS must include incident reporting procedures (element 8).
- Article 26 — Deployer duty to inform the provider and cooperate on incidents.
- Article 55(1)(c) — GPAI systemic-risk providers have a separate serious incident reporting duty to the AI Office.
- Article 72 — Post-market monitoring must surface incidents that trigger Article 73.
- Article 74 — Market surveillance authority follow-up and corrective actions.
- Article 99 — Penalties for failure to report.
Recitals (preamble) on EUR-Lex
The recitals in the same consolidated AI Act on EUR-Lex contextualise proportionality of reporting, interaction with sectoral incident reporting (MDR, product safety), and the causal link assessment. Use the official preamble on EUR-Lex.
Compliance checklist
- Define internal escalation procedures to surface potential serious incidents within hours, not days.
- Build a triage workflow: assess causal link between the AI system and the incident.
- Implement the two-track timeline: 2 days for death/serious health, 15 days for other serious incidents.
- Pre-populate report templates with system identification, version, and deployment context.
- Identify the correct market surveillance authority for each Member State where you operate.
- Coordinate with deployers on incident information sharing (Article 26 duties).
- If also GPAI systemic-risk: maintain a parallel reporting channel to the AI Office (Article 55(1)(c)).
- Archive all incident reports, investigation notes, and corrective actions.
- Integrate Article 73 procedures into the QMS (Article 17 element 8).
Build your serious incident reporting workflow—free assessment.
Start Free AssessmentRelated Articles
Article 3: Definitions
Article 17: Quality Management System for High-Risk AI
Article 26: Obligations of Deployers of High-Risk AI Systems
Article 55: Obligations for Providers of GPAI Models with Systemic Risk
Article 72: Post-Market Monitoring
Article 74: Market Surveillance and Control of AI Systems in the Union Market
Article 99: Penalties for AI Act Infringements
Article 113: Entry into Force and Application Dates
Frequently asked questions
Does Article 73 apply to near-misses?
The article targets incidents that actually occurred. However, near-misses may indicate risks under Article 72 post-market monitoring and should be documented. Some may meet the 'reasonable likelihood' threshold.
What if we also report under MDR or product safety laws?
Article 73 works alongside sectoral reporting. If the same incident triggers both MDR vigilance and AI Act reporting, coordinate to avoid inconsistencies but comply with both timelines.
Who decides if the causal link exists?
The provider must assess the causal link using available evidence. When in doubt, report — late reporting carries greater enforcement risk than conservative early reporting.
Can deployers report directly?
Article 73 places the reporting duty on the provider. Deployers must cooperate and inform the provider (Article 26). In practice, deployers should escalate immediately so the provider can meet deadlines.