Artifact GuideEU

EU AI Act Post-Market Monitoring and Serious Incidents

Use this page to turn Articles 72 and 73 into a working high-risk AI monitoring and incident workflow.

Covers provider monitoring plans, deployer escalation, reporting clocks, corrective action, cooperation with authorities and notified bodies, and the separate GPAI systemic-risk route.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Articles 72 and 73 of the EU AI Act are high-risk AI system obligations. Article 72 requires providers to establish and document a proportionate post-market monitoring system based on a monitoring plan in the technical documentation. Article 73 requires providers of high-risk AI systems placed on the Union market to report serious incidents to the market surveillance authorities of the Member States where the incident occurred.

Section 1

Article 72: build the post-market monitoring system around evidence, not a calendar reminder

The provider's Article 72 system must actively and systematically collect, document, and analyse relevant data about high-risk AI system performance throughout the system lifetime. The data may come from deployers or other sources and must allow the provider to evaluate continuous compliance with the Chapter III, Section 2 high-risk requirements.

The monitoring plan is part of Annex IV technical documentation, so it should be versioned with the system description, intended purpose, risk management file, testing evidence, change history, instructions for use, and EU declaration of conformity. Treat deployer feedback, support tickets, operational logs, drift metrics, bias or discrimination signals, cybersecurity signals, near misses, and complaints as inputs to a monitored compliance file, not only as customer-success data.

  • Scope the plan to each high-risk AI system, its intended purpose, deployment context, known limitations, expected performance metrics, and foreseeable misuse.
  • Define data sources: deployer reports, logs under provider control, incident tickets, complaints, model or data drift checks, security events, human-oversight escalations, and third-party component notices.
  • Set triage criteria that separate routine performance degradation, non-conformity, Article 79 risk, substantial modification, and potential Article 73 serious incident.
  • Link every monitoring finding to a decision: no action, provider investigation, deployer instruction update, corrective action, notified-body contact, authority notification, withdrawal, disabling, or recall.
  • Keep law-enforcement deployer limitations in view: Article 72 excludes sensitive operational data of law-enforcement deployers from the monitoring obligation.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 72 requires a documented post-market monitoring system and plan for high-risk AI systems.
Regulation (EU) 2024/1689 (EU AI Act)
Annex IV requires technical documentation to describe the post-market performance evaluation system and Article 72 plan.
Section 2

Article 73: serious incident reporting starts from causal-link and awareness evidence

Article 73 applies to providers of high-risk AI systems placed on the Union market. The provider reports any serious incident to the market surveillance authorities of the Member States where the incident occurred. The default outer limit is 15 days after the provider or, where applicable, the deployer becomes aware of the serious incident, but the report is due immediately after the provider establishes a causal link or reasonable likelihood of a causal link between the AI system and the incident.

The shorter clocks matter. A widespread infringement or a serious incident involving serious and irreversible disruption of critical infrastructure must be reported immediately and no later than two days after awareness. Death must be reported immediately after the provider or deployer establishes or suspects a causal relationship, and no later than 10 days after awareness. Where necessary for timely reporting, Article 73 allows an incomplete initial report followed by a complete report.

  • Use the Article 3(49) definition to triage: death or serious health harm, serious and irreversible disruption of critical infrastructure, infringement of Union-law fundamental-rights obligations, or serious property or environmental harm.
  • Record awareness time, source of awareness, causal-link analysis, affected Member State, severity category, and the reporting deadline selected.
  • Prepare an initial report path for cases where facts are incomplete but the Article 73 clock requires timely notice.
  • After reporting, run the required investigation without delay, including incident risk assessment and corrective action.
  • Do not alter the AI system in a way that may affect later cause evaluation before informing competent authorities of that action.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 73 sets the recipients, timing, incomplete-report option, investigation duty, and authority cooperation duty for serious incidents.
Regulation (EU) 2024/1689 (EU AI Act)
Article 3(49) defines the serious incident categories used for Article 73 triage.
Section 3

Provider corrective action and notified-body cooperation must be wired into the incident workflow

Article 20 sits next to Articles 72 and 73 in practice. If a provider considers, or has reason to consider, that a high-risk AI system it placed on the market or put into service is not in conformity, it must immediately take necessary corrective actions to bring it into conformity, withdraw it, disable it, or recall it as appropriate. It must also inform distributors and, where applicable, deployers, the authorised representative, and importers.

Where the system presents an Article 79 risk and the provider becomes aware of it, the provider must investigate causes, collaborating with the reporting deployer where applicable, and inform the competent market surveillance authorities and, where applicable, the notified body that issued a certificate. If the conformity route used Annex VII, notified-body touchpoints may also include approved quality-management changes, technical-documentation changes, certificate restrictions, or additional tests.

  • Keep one escalation record that joins monitoring signal, incident triage, non-conformity analysis, Article 79 risk analysis, corrective action, and external notifications.
  • Name who can approve disabling, withdrawal, recall, deployer notice, importer or distributor notice, authority report, and notified-body communication.
  • Preserve system state, logs, model version, data version, instructions for use, deployment configuration, and human-oversight records before making remediating changes.
  • When a notified body issued a certificate, track whether the event affects certificate scope, technical documentation, quality-management-system approval, or intended purpose.
  • Close the loop by updating the Article 72 monitoring plan and risk management file with lessons from serious incidents, near misses, and corrective actions.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 20 requires immediate corrective action and information duties for non-conforming high-risk AI systems.
Regulation (EU) 2024/1689 (EU AI Act)
Annex VII explains notified-body assessment, approved quality-management-system surveillance, and change handling.
Section 4

Deployer escalation is part of the monitoring system

Article 26 makes deployers an early-warning source for provider monitoring and incident reporting. Deployers must monitor operation on the basis of the instructions for use and, where relevant, inform providers under Article 72. If they have reason to consider that use in accordance with instructions may result in Article 79 risk, they must without undue delay inform the provider or distributor and the relevant market surveillance authority, and suspend use.

If a deployer identifies a serious incident, it must immediately inform first the provider, then the importer or distributor and relevant market surveillance authorities. If the deployer cannot reach the provider, Article 73 applies mutatis mutandis. The contract, support process, and instructions for use should therefore give deployers a direct serious-incident route, not only a general support inbox.

  • Put monitoring and incident escalation instructions in deployer-facing documentation, including what evidence to preserve and which contact channel to use.
  • Require deployers to record the system version, use case, input category, output, human-oversight decision, affected persons or groups, logs under their control, and immediate mitigation taken.
  • Create a separate path for suspected Article 79 risk that requires suspension of use even before a full Article 73 serious-incident report is complete.
  • For public-authority deployers and workplace deployments, align incident escalation with their registration, worker-information, DPIA, and authority-cooperation obligations where applicable.
  • State how sensitive law-enforcement operational data will be protected while still enabling required safety and market-surveillance escalation.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 26(5) requires deployers to monitor high-risk AI operation, inform providers, suspend risky use, and escalate serious incidents.
Regulation (EU) 2024/1689 (EU AI Act)
Article 26(6) requires deployers to keep generated logs under their control for an appropriate period of at least six months unless another law provides otherwise.
Section 5

Do not confuse high-risk AI Article 73 reporting with GPAI systemic-risk incident reporting

The Commission's serious-incident template for general-purpose AI models with systemic risk is useful as a comparison point, but it is not the Article 73 route for high-risk AI systems. For GPAI models with systemic risk, Article 55(1)(c) requires providers to keep track of, document, and report relevant information about serious incidents and possible corrective measures to the AI Office and, as appropriate, national competent authorities.

A company can face both regimes when it provides a GPAI model and also places a high-risk AI system on the Union market, or when a high-risk AI system is built on a GPAI model. Keep the records connected but legally separated: Article 72 and 73 for the high-risk AI system and Article 55 for the GPAI model with systemic risk.

What is the first practical step for Article 72 post-market monitoring?

Create a system-specific monitoring plan in the technical documentation that defines data sources, deployer feedback routes, performance and risk signals, triage criteria, owners, records, and links back to risk management and corrective action.

When does Article 73 serious incident reporting become urgent?

It is urgent once the provider establishes a causal link or reasonable likelihood of a causal link between the high-risk AI system and a serious incident. The outer deadline is generally 15 days after awareness, but some incidents require reporting within two days or 10 days.

What should deployers do if they identify a serious incident?

They should immediately inform the provider first, then the importer or distributor and relevant market surveillance authorities. If the provider cannot be reached, Article 73 applies mutatis mutandis.

  • Route high-risk AI system serious incidents to the Member State market surveillance authorities where the incident occurred under Article 73.
  • Route GPAI systemic-risk serious incident information to the AI Office and, where appropriate, national competent authorities under Article 55.
  • For GPAI incidents, the Commission template asks for start and end dates, harm, chain of events, model involved, evidence, response, recommendations, root cause analysis, monitoring patterns, and submitter information.
  • Avoid reusing a GPAI template as the only Article 73 procedure; high-risk AI Article 73 has its own timing, authority recipients, deployer escalation, and post-report investigation requirements.
  • When one event implicates both a model and a deployed high-risk system, preserve a shared factual chronology and separate legal reporting decisions for each route.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 55(1)(c) creates the separate serious-incident and corrective-measure duty for GPAI models with systemic risk.
European Commission - GPAI serious incident reporting template
Commission page explaining that the GPAI serious-incident template concerns general-purpose AI models with systemic risk under Article 55.
European Commission - GPAI serious incident report form
Commission GPAI report form listing fields such as harm, chain of events, evidence, response, root cause analysis, monitoring patterns, and submitter information.
Recommended next step

Build a monitoring and serious-incident route that product teams can use

Sorena can help map your high-risk AI systems, deployer channels, incident triage, corrective-action records, and authority reporting evidence against the cited AI Act sources.

Research workflow
Open Research Copilot for EU AI Act

Ask source-linked questions about Article 72 monitoring plans, Article 73 incident reporting, deployer escalation, and GPAI incident distinctions.

Explore next step
Talk to Sorena
Talk through implementation

Review your post-market monitoring plan, serious-incident workflow, corrective-action records, and source gaps with Sorena.

Explore next step
Primary sources

References and citations

European Commission - GPAI serious incident report form
ec.europa.eu
Referenced sections
  • Commission GPAI report form listing fields such as harm, chain of events, evidence, response, root cause analysis, monitoring patterns, and submitter information.
"Patterns in post-market monitoring on serious incidents"
Regulation (EU) 2024/1689 (EU AI Act)
eur-lex.europa.eu
Referenced sections
  • Article 55(1)(c) creates the separate serious-incident and corrective-measure duty for GPAI models with systemic risk.
"general-purpose AI models with systemic risk"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.