--- title: "EU AI Act post-market monitoring FAQ for high-risk AI systems" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring" source_url: "https://www.sorena.io/artifacts/eu/ai-act/faq/post-market-monitoring" author: "Sorena AI" description: "Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act" - "Article 72" - "post-market monitoring" - "high-risk AI systems" - "serious incidents" - "Article 73" - "AI system logs" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act post-market monitoring FAQ for high-risk AI systems Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. *FAQ* *EU AI Act* ## EU AI Act post-market monitoring for high-risk AI systems Article 72 makes post-market monitoring a provider duty for high-risk AI systems: establish and document a proportionate monitoring system, base it on a monitoring plan, and use real-world data to evaluate continuing compliance. Deployers matter because their monitoring, feedback, risk escalations, serious-incident notices, and logs can become inputs to the provider's Article 72 system. For high-risk AI systems under the EU AI Act, post-market monitoring is not just a support ticket queue. The provider needs a documented Article 72 system and plan that collects, documents, and analyses relevant lifetime performance data, including deployer-provided data where relevant, so the provider can evaluate continuous compliance with the high-risk AI requirements. ## What does Article 72 require for EU AI Act post-market monitoring? Article 72 requires providers of high-risk AI systems to establish and document a post-market monitoring system that is proportionate to the AI technologies and risks of the system. The system must actively and systematically collect, document, and analyse relevant data on the high-risk AI system's performance throughout its lifetime. The monitoring system should be tied to a post-market monitoring plan that forms part of the Annex IV technical documentation. That means the plan should be maintained with the product file, not kept as an informal support-process note. - Define the monitored high-risk AI system, intended purpose, deployed versions, integrations, and known interaction points with other AI systems. - Specify which performance, safety, fundamental-rights, robustness, cybersecurity, anomaly, complaint, and incident signals are collected after deployment. - Explain how deployer feedback and other external sources are triaged, documented, analysed, and fed into risk management and technical documentation updates. - Link monitoring outputs to Article 20 corrective action and Article 73 serious-incident reporting so risk signals do not stop at product support. - Keep the monitoring plan with the technical documentation and update the lifecycle change record when provider-made changes affect the system. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal text for Article 72 provider post-market monitoring systems, monitoring plans, and Annex IV technical-documentation links. - [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Commission policy page for official EU AI Act context and the risk-based framework used by the page. ## How should deployer feedback, serious incidents, logs, and corrective action connect? Deployers are not the Article 72 plan owner, but Article 26 makes them important monitoring inputs. Deployers must monitor high-risk AI systems on the basis of the instructions for use and, where relevant, inform providers under Article 72. If a deployer has reason to consider that use in accordance with the instructions may present a risk under Article 79(1), the deployer must inform the provider or distributor and the relevant market surveillance authority without undue delay and suspend use. If the deployer identifies a serious incident, it must immediately inform the provider first, then the importer or distributor and the relevant market surveillance authorities; if the provider cannot be reached, Article 73 applies mutatis mutandis. Provider handling should therefore separate ordinary performance feedback from nonconformity, risk, and serious-incident paths. Article 20 requires providers that consider or have reason to consider their high-risk AI system is not in conformity to immediately take corrective action to bring it into conformity, withdraw it, disable it, or recall it as appropriate. - Deployer feedback intake: capture the system, version, use context, instruction-for-use step, observed output, affected persons or groups, operator action, and available logs. - Risk escalation: if the deployer reports an Article 79(1)-type risk, record the suspension status, market-surveillance authority notice, and provider response owner. - Serious-incident escalation: link the record to Article 73 reporting analysis, causal-link assessment, authority routing, investigation, risk assessment, and corrective action. - Corrective action: document whether the provider brought the system into conformity, disabled it, withdrew it, recalled it, or informed distributors, deployers, authorised representatives, or importers. - Log handling: use Article 12 and Article 19 provider logs and Article 26 deployer-controlled logs to reconstruct the event, but check privacy, sector, and law-enforcement limits before requesting or transferring data. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal text for Articles 12, 19, 20, 26, 72, and 73 on logs, deployer monitoring, corrective action, post-market monitoring, and serious incidents. - [AI Act Service Desk - Article 20 corrective actions](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-20?ref=sorena.io) - Official AI Act Service Desk article page for provider corrective actions and duty of information. - [AI Act Service Desk - Article 73 reporting of serious incidents](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-73?ref=sorena.io) - Official AI Act Service Desk article page for serious-incident reporting by providers of high-risk AI systems. ## What evidence should a high-risk AI provider keep for Article 72? The evidence should show that monitoring is systematic enough to evaluate continuing compliance, not just that incidents were logged. Keep the plan, the monitored signals, the analysis records, the outcomes, and the technical-documentation updates together so a reviewer can trace why a risk signal did or did not trigger corrective action, a conformity update, or a serious-incident report. Annex IV also expects technical documentation to describe relevant lifecycle changes and the post-market performance-evaluation system, including the Article 72 monitoring plan. That makes change history part of the post-market monitoring evidence set. - Post-market monitoring plan: scope, data sources, deployer-feedback channels, signal taxonomy, analysis cadence, escalation paths, and responsible roles. - Signal records: complaints, anomalies, performance drift, bias or discrimination indicators, cybersecurity issues, human-oversight failures, misuse patterns, and interaction issues with other AI systems. - Log evidence: provider-controlled automatically generated logs, deployer-controlled logs when shared lawfully, retention basis, access controls, and integrity checks. - Decision records: root-cause analysis, continued-compliance assessment, serious-incident determination, corrective-action decision, and authority communication status. - Lifecycle records: versions, configuration changes, model or data changes, intended-purpose changes, integration changes, and any substantial-modification or new conformity-assessment trigger considered. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal text for Annex IV technical documentation, including lifecycle changes and the Article 72 post-market performance-evaluation system. ## Which changes should reopen the post-market monitoring review? Reopen the Article 72 review when the real-world system no longer matches the monitoring plan, instructions for use, technical documentation, or risk-management assumptions. The strongest triggers are changes that affect intended purpose, high-risk classification, performance, affected groups, human oversight, logs, integration context, or risk controls. A distributor, importer, deployer, or other third party can become the provider for a high-risk AI system if it puts its name or trademark on the system, makes a substantial modification while the system remains high-risk, or modifies the intended purpose of a non-high-risk AI system so it becomes high-risk. Those lifecycle changes should not be treated as ordinary backlog items. - New or changed intended purpose, user population, deployment context, country rollout, or affected group. - Substantial modification to a high-risk AI system after placement on the market or putting into service. - Integration with another AI system, model, data source, workflow, or product that changes performance or risk assumptions. - Observed performance drift, repeated anomalies, serious-incident indicators, or unresolved deployer feedback. - Changes to logs, human oversight, instructions for use, cybersecurity controls, or maintenance processes that affect traceability or safe operation. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal text for Article 25 value-chain responsibility changes, Article 43 substantial-modification conformity assessment, and Annex IV lifecycle-change documentation. - [European Commission - serious-incident template for GPAI models with systemic risk](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission page for serious-incident reporting resources for GPAI models with systemic risk; included to distinguish that GPAI reporting route from high-risk AI system Article 73 handling. ## Primary sources - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal text for provider post-market monitoring under Article 72, deployer escalation under Article 26, logging under Articles 12 and 19, corrective action under Article 20, serious incidents under Article 73, and lifecycle documentation in Annex IV. - Quote: "Post-market monitoring by providers and post-market monitoring plan" - [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Commission policy page for official AI Act context and the risk-based regulatory framework. - Quote: "The AI Act is the first-ever comprehensive legal framework on AI worldwide." - [AI Act Service Desk - Article 20 corrective actions](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-20?ref=sorena.io) - Official AI Act Service Desk article page for provider corrective actions and duty of information after nonconformity. - Quote: "Corrective actions and duty of information" - [AI Act Service Desk - Article 73 reporting of serious incidents](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-73?ref=sorena.io) - Official AI Act Service Desk article page for serious-incident reporting by providers of high-risk AI systems. - Quote: "Reporting of serious incidents" - [European Commission - serious-incident template for GPAI models with systemic risk](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission reporting-template page for serious incidents involving GPAI models with systemic risk; useful for keeping GPAI incident routing distinct from Article 73 high-risk AI system routing. - Quote: "serious incidents involving general-purpose AI models" ## Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/ai-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/ai-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/ai-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/ai-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/ai-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/ai-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/ai-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/ai-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/ai-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/ai-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/ai-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/ai-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/ai-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/ai-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/ai-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/ai-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/ai-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/ai-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/ai-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/ai-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/ai-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/ai-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/ai-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/ai-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. - [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/ai-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - [EU AI Act risk classification intake workflow](/artifacts/eu/ai-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/ai-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/ai-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/ai-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/ai-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/ai-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/ai-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. - [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/ai-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. *Recommended next step* *Placement: before sources* ## Use this Article 72 FAQ to structure monitoring records Sorena can help convert Article 72 monitoring, deployer feedback, log review, serious-incident escalation, and corrective-action evidence into a reusable workflow for high-risk AI systems. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about Article 72 monitoring plans, Article 73 serious incidents, deployer feedback, logs, and lifecycle changes. - [Talk through implementation](/contact.md): Review your high-risk AI post-market monitoring plan, source gaps, and escalation records with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/ai-act/faq/post-market-monitoring