FAQEU AI Act

AI Act serious incidents Article 73 FAQ

Use this FAQ to separate high-risk AI system serious-incident reporting from GPAI systemic-risk incident reporting under the EU AI Act.

Covers the Article 3 serious-incident definition, Article 73 provider timing, deployer escalation, importer and distributor notices, corrective action, and Article 55 GPAI reporting.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Article 73 of Regulation (EU) 2024/1689 is the serious-incident reporting rule for providers of high-risk AI systems placed on the Union market. The first triage question is whether the event is a serious incident under Article 3, point (49); the second is whether the organization is the provider, deployer, importer, distributor, authorised representative, or a GPAI model provider with systemic risk.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

When does an EU AI Act serious-incident report become required for a high-risk AI system?

For a high-risk AI system, Article 73 requires the provider to report any serious incident to the market surveillance authorities of the Member States where the incident occurred. Article 3, point (49), defines a serious incident as an incident or malfunctioning of an AI system that directly or indirectly leads to death or serious harm to health, serious and irreversible disruption of critical infrastructure management or operation, infringement of Union-law obligations protecting fundamental rights, or serious harm to property or the environment.

The provider does not wait for perfect certainty about root cause. The Article 73 clock is tied to awareness of the serious incident and to establishing a causal link between the AI system and the incident, or a reasonable likelihood of that link.

  • Confirm that the system is a high-risk AI system and that the event fits one of the Article 3 serious-incident outcomes.
  • Identify the Member State or Member States where the incident occurred because Article 73 points the report to those market surveillance authorities.
  • Record when the provider, or where applicable the deployer, became aware of the serious incident.
  • Record when the causal link or reasonable likelihood of a causal link was established, because that determines when the report must be made immediately.
Citations
Question 2

What timing and follow-up steps should the provider track under Article 73?

Article 73 sets a default outer deadline of 15 days after the provider, or where applicable the deployer, becomes aware of the serious incident. Shorter outer deadlines apply for two categories: a widespread infringement or a serious and irreversible disruption of critical infrastructure management or operation must be reported not later than two days after awareness, and a death-related incident must be reported not later than 10 days after awareness.

If a complete report would delay timely reporting, Article 73 allows an incomplete initial report followed by a complete report. After reporting, the provider must without delay investigate the serious incident and the AI system concerned, including a risk assessment and corrective action, and must cooperate with competent authorities and, where relevant, the notified body.

  • Keep separate timestamps for awareness, causal-link or reasonable-likelihood assessment, initial report, complete report, authority acknowledgements, and corrective actions.
  • Escalate critical-infrastructure disruption, widespread-infringement, and death-related cases into the shorter Article 73 timing track instead of using the default timing.
  • Do not alter the AI system in a way that may affect later evaluation of incident causes before informing competent authorities of that action.
  • Link the Article 73 report to the provider quality-management procedure for serious incidents and to the post-market monitoring evidence for the affected high-risk AI system.
Citations
Question 3

How should deployers, importers, distributors, and GPAI model providers be separated?

A deployer is not the normal Article 73 reporter, but it has an explicit escalation duty when it identifies a serious incident: inform the provider first, then the importer or distributor and the relevant market surveillance authorities. Importers and distributors have their own high-risk AI system duties to withhold, notify, or help correct non-conforming or risky systems, so incident intake should route them into the communication record even when the provider owns the Article 73 report.

Do not merge this workflow with the EU AI Act rule for providers of general-purpose AI models with systemic risk. Article 55 requires those providers to keep track of, document, and report without undue delay to the AI Office and, as appropriate, national competent authorities relevant information about serious incidents and possible corrective measures. The Commission's GPAI serious-incident template is for that Article 55 model-provider context, not a replacement for Article 73 high-risk AI system reporting.

  • Check whether an importer, distributor, deployer, or other third party has become the provider by putting its name or trademark on the high-risk AI system, making a substantial modification, or changing intended purpose so the system becomes high-risk.
  • Use Article 23 importer records for provider, authorised-representative, and market surveillance authority notice when the importer has sufficient reason to consider the high-risk AI system is non-conforming, falsified, or risky.
  • Use Article 24 distributor records for provider or importer notice, authority notice, and corrective-action handling when the distributor has sufficient reason to consider a high-risk AI system it made available is non-conforming or risky.
  • Use a separate Article 55 record when the incident concerns a general-purpose AI model with systemic risk, including the model involved, resulting harm, chain of events, evidence of model involvement, response, root-cause analysis, and any corrective measures.
Citations
Recommended next step

Turn Article 73 intake into reportable facts, roles, and corrective actions

Sorena can help structure high-risk AI system incident intake around Article 73 timing, deployer escalation, importer and distributor notices, corrective-action evidence, and GPAI systemic-risk separation.

Research workflow
Open Research Copilot for EU AI Act

Ask cited questions about Article 73 serious-incident scope, timing, role allocation, and GPAI systemic-risk reporting.

Explore next step
Talk to Sorena
Talk through implementation

Review your serious-incident intake workflow, evidence fields, and source gaps with Sorena.

Explore next step
Primary sources

References and citations

European Commission - GPAI serious-incident reporting template
digital-strategy.ec.europa.eu
Referenced sections
  • Supports the distinction between Article 55 GPAI systemic-risk incident reporting and Article 73 high-risk AI system serious-incident reporting.
"serious incidents involving general-purpose AI models with systemic risk"
Regulation (EU) 2024/1689 (Artificial Intelligence Act)
eur-lex.europa.eu
Referenced sections
  • Supports Article 23 importer duties, Article 24 distributor duties, Article 25 value-chain role changes, Article 26 deployer escalation, and Article 55 GPAI systemic-risk reporting.
"keep track of, document, and report, without undue delay"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.