--- title: "EU AI Act post-market monitoring and serious incident reporting" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents" source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents" author: "Sorena AI" description: "Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act" - "Article 72" - "Article 73" - "post-market monitoring" - "serious incident reporting" - "high-risk AI" - "corrective action" - "market surveillance" - "serious incidents" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act post-market monitoring and serious incident reporting Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. *Artifact Guide* *EU* ## EU AI Act Post-Market Monitoring and Serious Incidents Use this page to turn Articles 72 and 73 into a working high-risk AI monitoring and incident workflow. Covers provider monitoring plans, deployer escalation, reporting clocks, corrective action, cooperation with authorities and notified bodies, and the separate GPAI systemic-risk route. Articles 72 and 73 of the EU AI Act are high-risk AI system obligations. Article 72 requires providers to establish and document a proportionate post-market monitoring system based on a monitoring plan in the technical documentation. Article 73 requires providers of high-risk AI systems placed on the Union market to report serious incidents to the market surveillance authorities of the Member States where the incident occurred. ## Article 72: build the post-market monitoring system around evidence, not a calendar reminder The provider's Article 72 system must actively and systematically collect, document, and analyse relevant data about high-risk AI system performance throughout the system lifetime. The data may come from deployers or other sources and must allow the provider to evaluate continuous compliance with the Chapter III, Section 2 high-risk requirements. The monitoring plan is part of Annex IV technical documentation, so it should be versioned with the system description, intended purpose, risk management file, testing evidence, change history, instructions for use, and EU declaration of conformity. Treat deployer feedback, support tickets, operational logs, drift metrics, bias or discrimination signals, cybersecurity signals, near misses, and complaints as inputs to a monitored compliance file, not only as customer-success data. - Scope the plan to each high-risk AI system, its intended purpose, deployment context, known limitations, expected performance metrics, and foreseeable misuse. - Define data sources: deployer reports, logs under provider control, incident tickets, complaints, model or data drift checks, security events, human-oversight escalations, and third-party component notices. - Set triage criteria that separate routine performance degradation, non-conformity, Article 79 risk, substantial modification, and potential Article 73 serious incident. - Link every monitoring finding to a decision: no action, provider investigation, deployer instruction update, corrective action, notified-body contact, authority notification, withdrawal, disabling, or recall. - Keep law-enforcement deployer limitations in view: Article 72 excludes sensitive operational data of law-enforcement deployers from the monitoring obligation. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Article 72 requires a documented post-market monitoring system and plan for high-risk AI systems. - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Annex IV requires technical documentation to describe the post-market performance evaluation system and Article 72 plan. ## Article 73: serious incident reporting starts from causal-link and awareness evidence Article 73 applies to providers of high-risk AI systems placed on the Union market. The provider reports any serious incident to the market surveillance authorities of the Member States where the incident occurred. The default outer limit is 15 days after the provider or, where applicable, the deployer becomes aware of the serious incident, but the report is due immediately after the provider establishes a causal link or reasonable likelihood of a causal link between the AI system and the incident. The shorter clocks matter. A widespread infringement or a serious incident involving serious and irreversible disruption of critical infrastructure must be reported immediately and no later than two days after awareness. Death must be reported immediately after the provider or deployer establishes or suspects a causal relationship, and no later than 10 days after awareness. Where necessary for timely reporting, Article 73 allows an incomplete initial report followed by a complete report. - Use the Article 3(49) definition to triage: death or serious health harm, serious and irreversible disruption of critical infrastructure, infringement of Union-law fundamental-rights obligations, or serious property or environmental harm. - Record awareness time, source of awareness, causal-link analysis, affected Member State, severity category, and the reporting deadline selected. - Prepare an initial report path for cases where facts are incomplete but the Article 73 clock requires timely notice. - After reporting, run the required investigation without delay, including incident risk assessment and corrective action. - Do not alter the AI system in a way that may affect later cause evaluation before informing competent authorities of that action. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Article 73 sets the recipients, timing, incomplete-report option, investigation duty, and authority cooperation duty for serious incidents. - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Article 3(49) defines the serious incident categories used for Article 73 triage. ## Provider corrective action and notified-body cooperation must be wired into the incident workflow Article 20 sits next to Articles 72 and 73 in practice. If a provider considers, or has reason to consider, that a high-risk AI system it placed on the market or put into service is not in conformity, it must immediately take necessary corrective actions to bring it into conformity, withdraw it, disable it, or recall it as appropriate. It must also inform distributors and, where applicable, deployers, the authorised representative, and importers. Where the system presents an Article 79 risk and the provider becomes aware of it, the provider must investigate causes, collaborating with the reporting deployer where applicable, and inform the competent market surveillance authorities and, where applicable, the notified body that issued a certificate. If the conformity route used Annex VII, notified-body touchpoints may also include approved quality-management changes, technical-documentation changes, certificate restrictions, or additional tests. - Keep one escalation record that joins monitoring signal, incident triage, non-conformity analysis, Article 79 risk analysis, corrective action, and external notifications. - Name who can approve disabling, withdrawal, recall, deployer notice, importer or distributor notice, authority report, and notified-body communication. - Preserve system state, logs, model version, data version, instructions for use, deployment configuration, and human-oversight records before making remediating changes. - When a notified body issued a certificate, track whether the event affects certificate scope, technical documentation, quality-management-system approval, or intended purpose. - Close the loop by updating the Article 72 monitoring plan and risk management file with lessons from serious incidents, near misses, and corrective actions. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Article 20 requires immediate corrective action and information duties for non-conforming high-risk AI systems. - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Annex VII explains notified-body assessment, approved quality-management-system surveillance, and change handling. ## Deployer escalation is part of the monitoring system Article 26 makes deployers an early-warning source for provider monitoring and incident reporting. Deployers must monitor operation on the basis of the instructions for use and, where relevant, inform providers under Article 72. If they have reason to consider that use in accordance with instructions may result in Article 79 risk, they must without undue delay inform the provider or distributor and the relevant market surveillance authority, and suspend use. If a deployer identifies a serious incident, it must immediately inform first the provider, then the importer or distributor and relevant market surveillance authorities. If the deployer cannot reach the provider, Article 73 applies mutatis mutandis. The contract, support process, and instructions for use should therefore give deployers a direct serious-incident route, not only a general support inbox. - Put monitoring and incident escalation instructions in deployer-facing documentation, including what evidence to preserve and which contact channel to use. - Require deployers to record the system version, use case, input category, output, human-oversight decision, affected persons or groups, logs under their control, and immediate mitigation taken. - Create a separate path for suspected Article 79 risk that requires suspension of use even before a full Article 73 serious-incident report is complete. - For public-authority deployers and workplace deployments, align incident escalation with their registration, worker-information, DPIA, and authority-cooperation obligations where applicable. - State how sensitive law-enforcement operational data will be protected while still enabling required safety and market-surveillance escalation. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Article 26(5) requires deployers to monitor high-risk AI operation, inform providers, suspend risky use, and escalate serious incidents. - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Article 26(6) requires deployers to keep generated logs under their control for an appropriate period of at least six months unless another law provides otherwise. ## Do not confuse high-risk AI Article 73 reporting with GPAI systemic-risk incident reporting The Commission's serious-incident template for general-purpose AI models with systemic risk is useful as a comparison point, but it is not the Article 73 route for high-risk AI systems. For GPAI models with systemic risk, Article 55(1)(c) requires providers to keep track of, document, and report relevant information about serious incidents and possible corrective measures to the AI Office and, as appropriate, national competent authorities. A company can face both regimes when it provides a GPAI model and also places a high-risk AI system on the Union market, or when a high-risk AI system is built on a GPAI model. Keep the records connected but legally separated: Article 72 and 73 for the high-risk AI system and Article 55 for the GPAI model with systemic risk. - Route high-risk AI system serious incidents to the Member State market surveillance authorities where the incident occurred under Article 73. - Route GPAI systemic-risk serious incident information to the AI Office and, where appropriate, national competent authorities under Article 55. - For GPAI incidents, the Commission template asks for start and end dates, harm, chain of events, model involved, evidence, response, recommendations, root cause analysis, monitoring patterns, and submitter information. - Avoid reusing a GPAI template as the only Article 73 procedure; high-risk AI Article 73 has its own timing, authority recipients, deployer escalation, and post-report investigation requirements. - When one event implicates both a model and a deployed high-risk system, preserve a shared factual chronology and separate legal reporting decisions for each route. Sources for this answer: - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Article 55(1)(c) creates the separate serious-incident and corrective-measure duty for GPAI models with systemic risk. - [European Commission - GPAI serious incident reporting template](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission page explaining that the GPAI serious-incident template concerns general-purpose AI models with systemic risk under Article 55. - [European Commission - GPAI serious incident report form](https://ec.europa.eu/newsroom/dae/redirection/document/121268?ref=sorena.io) - Commission GPAI report form listing fields such as harm, chain of events, evidence, response, root cause analysis, monitoring patterns, and submitter information. *Recommended next step* *Placement: before sources* ## Build a monitoring and serious-incident route that product teams can use Sorena can help map your high-risk AI systems, deployer channels, incident triage, corrective-action records, and authority reporting evidence against the cited AI Act sources. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about Article 72 monitoring plans, Article 73 incident reporting, deployer escalation, and GPAI incident distinctions. - [Talk through implementation](/contact.md): Review your post-market monitoring plan, serious-incident workflow, corrective-action records, and source gaps with Sorena. ## Primary sources - [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202401689&ref=sorena.io) - Primary legal text for Articles 20, 26, 72, 73, Article 3(49), Annex IV, and Annex VII high-risk AI monitoring and incident duties. - Quote: "POST-MARKET MONITORING, INFORMATION SHARING AND MARKET SURVEILLANCE" - [European Commission - GPAI serious incident reporting template](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission source distinguishing GPAI systemic-risk serious incident reporting from high-risk AI system serious incident guidance. - Quote: "Under Article 55 of the EU AI Act" - [European Commission - GPAI serious incident report form](https://ec.europa.eu/newsroom/dae/redirection/document/121268?ref=sorena.io) - Official GPAI serious incident report form used only to describe the separate Article 55 GPAI reporting route. - Quote: "Report for Serious Incidents under the AI Act" ## Related Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/artificial-intelligence-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/artificial-intelligence-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/artificial-intelligence-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/artificial-intelligence-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/artificial-intelligence-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/artificial-intelligence-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/artificial-intelligence-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/artificial-intelligence-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/artificial-intelligence-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/artificial-intelligence-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/artificial-intelligence-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk conformity assessment route selector](/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow.md): Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/artificial-intelligence-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/artificial-intelligence-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - [EU AI Act risk classification intake workflow](/artifacts/eu/artificial-intelligence-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/artificial-intelligence-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/artificial-intelligence-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. - [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents