FAQEU AI Act

EU AI Act post-market monitoring for high-risk AI systems

Article 72 makes post-market monitoring a provider duty for high-risk AI systems: establish and document a proportionate monitoring system, base it on a monitoring plan, and use real-world data to evaluate continuing compliance.

Deployers matter because their monitoring, feedback, risk escalations, serious-incident notices, and logs can become inputs to the provider's Article 72 system.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

For high-risk AI systems under the EU AI Act, post-market monitoring is not just a support ticket queue. The provider needs a documented Article 72 system and plan that collects, documents, and analyses relevant lifetime performance data, including deployer-provided data where relevant, so the provider can evaluate continuous compliance with the high-risk AI requirements.

Search this module

Find a question or answer quickly

4 of 4 questions
Question 1

What does Article 72 require for EU AI Act post-market monitoring?

Article 72 requires providers of high-risk AI systems to establish and document a post-market monitoring system that is proportionate to the AI technologies and risks of the system. The system must actively and systematically collect, document, and analyse relevant data on the high-risk AI system's performance throughout its lifetime.

The monitoring system should be tied to a post-market monitoring plan that forms part of the Annex IV technical documentation. That means the plan should be maintained with the product file, not kept as an informal support-process note.

  • Define the monitored high-risk AI system, intended purpose, deployed versions, integrations, and known interaction points with other AI systems.
  • Specify which performance, safety, fundamental-rights, robustness, cybersecurity, anomaly, complaint, and incident signals are collected after deployment.
  • Explain how deployer feedback and other external sources are triaged, documented, analysed, and fed into risk management and technical documentation updates.
  • Link monitoring outputs to Article 20 corrective action and Article 73 serious-incident reporting so risk signals do not stop at product support.
  • Keep the monitoring plan with the technical documentation and update the lifecycle change record when provider-made changes affect the system.
Citations
Question 2

How should deployer feedback, serious incidents, logs, and corrective action connect?

Deployers are not the Article 72 plan owner, but Article 26 makes them important monitoring inputs. Deployers must monitor high-risk AI systems on the basis of the instructions for use and, where relevant, inform providers under Article 72.

If a deployer has reason to consider that use in accordance with the instructions may present a risk under Article 79(1), the deployer must inform the provider or distributor and the relevant market surveillance authority without undue delay and suspend use. If the deployer identifies a serious incident, it must immediately inform the provider first, then the importer or distributor and the relevant market surveillance authorities; if the provider cannot be reached, Article 73 applies mutatis mutandis.

Provider handling should therefore separate ordinary performance feedback from nonconformity, risk, and serious-incident paths. Article 20 requires providers that consider or have reason to consider their high-risk AI system is not in conformity to immediately take corrective action to bring it into conformity, withdraw it, disable it, or recall it as appropriate.

  • Deployer feedback intake: capture the system, version, use context, instruction-for-use step, observed output, affected persons or groups, operator action, and available logs.
  • Risk escalation: if the deployer reports an Article 79(1)-type risk, record the suspension status, market-surveillance authority notice, and provider response owner.
  • Serious-incident escalation: link the record to Article 73 reporting analysis, causal-link assessment, authority routing, investigation, risk assessment, and corrective action.
  • Corrective action: document whether the provider brought the system into conformity, disabled it, withdrew it, recalled it, or informed distributors, deployers, authorised representatives, or importers.
  • Log handling: use Article 12 and Article 19 provider logs and Article 26 deployer-controlled logs to reconstruct the event, but check privacy, sector, and law-enforcement limits before requesting or transferring data.
Citations
Question 3

What evidence should a high-risk AI provider keep for Article 72?

The evidence should show that monitoring is systematic enough to evaluate continuing compliance, not just that incidents were logged. Keep the plan, the monitored signals, the analysis records, the outcomes, and the technical-documentation updates together so a reviewer can trace why a risk signal did or did not trigger corrective action, a conformity update, or a serious-incident report.

Annex IV also expects technical documentation to describe relevant lifecycle changes and the post-market performance-evaluation system, including the Article 72 monitoring plan. That makes change history part of the post-market monitoring evidence set.

  • Post-market monitoring plan: scope, data sources, deployer-feedback channels, signal taxonomy, analysis cadence, escalation paths, and responsible roles.
  • Signal records: complaints, anomalies, performance drift, bias or discrimination indicators, cybersecurity issues, human-oversight failures, misuse patterns, and interaction issues with other AI systems.
  • Log evidence: provider-controlled automatically generated logs, deployer-controlled logs when shared lawfully, retention basis, access controls, and integrity checks.
  • Decision records: root-cause analysis, continued-compliance assessment, serious-incident determination, corrective-action decision, and authority communication status.
  • Lifecycle records: versions, configuration changes, model or data changes, intended-purpose changes, integration changes, and any substantial-modification or new conformity-assessment trigger considered.
Citations
Question 4

Which changes should reopen the post-market monitoring review?

Reopen the Article 72 review when the real-world system no longer matches the monitoring plan, instructions for use, technical documentation, or risk-management assumptions. The strongest triggers are changes that affect intended purpose, high-risk classification, performance, affected groups, human oversight, logs, integration context, or risk controls.

A distributor, importer, deployer, or other third party can become the provider for a high-risk AI system if it puts its name or trademark on the system, makes a substantial modification while the system remains high-risk, or modifies the intended purpose of a non-high-risk AI system so it becomes high-risk. Those lifecycle changes should not be treated as ordinary backlog items.

  • New or changed intended purpose, user population, deployment context, country rollout, or affected group.
  • Substantial modification to a high-risk AI system after placement on the market or putting into service.
  • Integration with another AI system, model, data source, workflow, or product that changes performance or risk assumptions.
  • Observed performance drift, repeated anomalies, serious-incident indicators, or unresolved deployer feedback.
  • Changes to logs, human oversight, instructions for use, cybersecurity controls, or maintenance processes that affect traceability or safe operation.
Citations
Regulation (EU) 2024/1689 (EU AI Act)

Primary legal text for Article 25 value-chain responsibility changes, Article 43 substantial-modification conformity assessment, and Annex IV lifecycle-change documentation.

Recommended next step

Use this Article 72 FAQ to structure monitoring records

Sorena can help convert Article 72 monitoring, deployer feedback, log review, serious-incident escalation, and corrective-action evidence into a reusable workflow for high-risk AI systems.

Research workflow
Open Research Copilot for EU AI Act

Ask source-linked questions about Article 72 monitoring plans, Article 73 serious incidents, deployer feedback, logs, and lifecycle changes.

Explore next step
Talk to Sorena
Talk through implementation

Review your high-risk AI post-market monitoring plan, source gaps, and escalation records with Sorena.

Explore next step
Primary sources

References and citations

European Commission - AI Act regulatory framework
digital-strategy.ec.europa.eu
Referenced sections
  • Commission policy page for official EU AI Act context and the risk-based framework used by the page.
"The AI Act is the first-ever comprehensive legal framework on AI worldwide."
Regulation (EU) 2024/1689 (EU AI Act)
eur-lex.europa.eu
Referenced sections
  • Primary legal text for Article 25 value-chain responsibility changes, Article 43 substantial-modification conformity assessment, and Annex IV lifecycle-change documentation.
"a new conformity assessment procedure"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.