WorkflowEU AI Act

EU AI Act serious incident reporting triage workflow

Use this workflow to decide whether an AI incident meets Article 3(49), whether Article 73 high-risk AI reporting is triggered, which clock applies, and who must escalate.

The page separates high-risk AI system reporting to market surveillance authorities from Article 55 reporting for providers of general-purpose AI models with systemic risk.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Article 73 reporting is not an ordinary incident-management step. It applies to providers of high-risk AI systems placed on the Union market when a serious incident occurs, with deployers pulled into the awareness and escalation path. Article 55 creates a separate serious-incident reporting duty for providers of general-purpose AI models with systemic risk.

Section 1

1. Start with the Article 3(49) serious-incident definition

Open the triage only for an incident or malfunctioning of an AI system that directly or indirectly leads to one of the Article 3(49) harm categories. Near misses and ordinary support tickets may still matter for post-market monitoring, but Article 73 reporting turns on the serious-incident definition and the later causal-link assessment.

Record the affected system, deployment context, harm category, first awareness time, affected Member State, provider, deployer, importer or distributor contacts, available logs, and whether any evidence may be overwritten by normal operations.

  • Article 3(49)(a): death of a person or serious harm to a person's health.
  • Article 3(49)(b): serious and irreversible disruption of the management or operation of critical infrastructure.
  • Article 3(49)(c): infringement of Union-law obligations intended to protect fundamental rights.
  • Article 3(49)(d): serious harm to property or the environment.
  • If none of these categories is plausible, close Article 73 triage but keep the ordinary incident, post-market monitoring, security, privacy, or safety record.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 3(49) defines the serious-incident harm categories used as the first triage gate.
Section 2

2. Route high-risk AI system incidents through Article 73

For high-risk AI systems placed on the Union market, Article 73 makes the provider responsible for reporting any serious incident to the market surveillance authorities of the Member States where the incident occurred. The first routing decision is therefore: is this a high-risk AI system incident, and which Member State authority receives the report?

Do not wait for perfect root-cause certainty. The Article 73 clock runs after the provider establishes a causal link, or the reasonable likelihood of such a link, between the high-risk AI system and the serious incident. If timely reporting needs an incomplete initial report, Article 73 allows an initial incomplete report followed by a complete report.

  • Default Article 73 deadline: report immediately after the causal-link threshold is met and no later than 15 days after the provider or, where applicable, the deployer becomes aware of the serious incident.
  • Critical-infrastructure acceleration: report immediately and no later than two days after awareness for Article 3(49)(b) serious incidents.
  • Death of a person: report immediately after the provider or deployer establishes or suspects a causal relationship, and no later than 10 days after awareness.
  • Medical-device and in vitro diagnostic-device overlap: Article 73 narrows notification to Article 3(49)(c) serious incidents and routes notification to the national competent authority chosen by the Member State where the incident occurred.
  • After reporting, the provider must investigate without delay, perform incident risk assessment, take corrective action, cooperate with competent authorities and any relevant notified body, and avoid altering the AI system in a way that could affect later causal evaluation before informing authorities.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 73 sets the recipient authority, causal-link trigger, 15-day, two-day, and 10-day reporting clocks, incomplete-report option, and investigation/corrective-action duties.
European Commission - AI Act serious AI incidents consultation
Commission consultation page referenced in the grounding data for draft guidance and a reporting template on serious AI incidents involving high-risk AI systems.
Section 3

3. Use deployer escalation as the early-warning path

Deployers of high-risk AI systems are not passive observers. Article 26 requires deployers to use the system according to the instructions for use, assign competent human oversight, monitor operation on the basis of those instructions, and act when risks or serious incidents appear.

The deployer escalation record should be short and operational: what was observed, when awareness started, who was informed, which instructions-for-use condition was involved, whether use was suspended, and whether the provider could be reached. If the deployer cannot reach the provider after identifying a serious incident, Article 73 applies mutatis mutandis.

  • If use according to the instructions may cause the system to present a risk, the deployer informs the provider or distributor and the relevant market surveillance authority without undue delay, and suspends use.
  • If the deployer identifies a serious incident, it immediately informs first the provider, then the importer or distributor and the relevant market surveillance authorities.
  • Keep logs under deployer control for an appropriate period for the intended purpose and at least six months unless other Union or national law provides otherwise.
  • For triage hand-off, collect incident time, system version, use case, input data context, outputs, human-oversight notes, user impact, authority contact attempts, suspension decision, and preservation steps.
  • Exclude sensitive operational data of law-enforcement deployers where Article 26 preserves that limitation.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 26 supports deployer monitoring, escalation, suspension, immediate serious-incident notice, log retention, and cooperation points for high-risk AI systems.
European Commission - Navigating the AI Act
Commission FAQ explains that deployers monitor high-risk AI systems, act on identified risks or serious incidents, and assign human oversight.
Section 4

4. Keep GPAI systemic-risk reporting separate from Article 73

Article 55 is a separate reporting lane for providers of general-purpose AI models with systemic risk. It is not the same as Article 73 high-risk AI system reporting to Member State market surveillance authorities.

For GPAI systemic-risk incidents, Article 55(1)(c) requires providers to keep track of, document, and report without undue delay to the AI Office and, as appropriate, national competent authorities, relevant information about serious incidents and possible corrective measures. The Commission's GPAI template asks for incident dates, harm, chain of events, model involved, evidence, response, recommendations, root-cause analysis, post-market monitoring patterns, and submitter information.

  • Use Article 73 when the fact pattern is a serious incident involving a high-risk AI system placed on the Union market.
  • Use Article 55 when the fact pattern concerns a provider of a general-purpose AI model with systemic risk reporting serious-incident information and possible corrective measures.
  • If a GPAI model is embedded in a high-risk AI system, run both checks: downstream high-risk AI system reporting may sit with the high-risk-system provider, while systemic-risk model reporting may sit with the GPAI model provider.
  • Keep separate records for Article 73 authority reporting, Article 26 deployer escalation, and Article 55 GPAI systemic-risk reporting so deadlines, recipients, and evidence fields do not get mixed.
  • For GPAI, include model-level evidence such as outputs, inputs, mitigation failures or circumventions, post-market monitoring patterns, and near-miss patterns where reasonably connected to the serious incident.
Sources for this answer
Regulation (EU) 2024/1689 (EU AI Act)
Article 55(1)(c) creates the GPAI systemic-risk provider duty to track, document, and report serious-incident information and possible corrective measures.
European Commission - GPAI serious-incident reporting template
Commission page confirms the template is for serious incidents involving general-purpose AI models with systemic risk under Article 55.
European Commission - GPAI serious-incident report template
The official GPAI template lists the practical fields for Article 55 serious-incident reports, including harm, chain of events, model involved, evidence, response, root cause, and post-market monitoring patterns.
European Commission - Guidelines for GPAI providers
Commission guidance page clarifies the scope of obligations for providers of general-purpose AI models and links those obligations to AI Office submissions.
Recommended next step

Build the Article 73 and Article 55 evidence pack before the clock is disputed

Sorena can help structure serious-incident intake, deployer escalation, authority routing, corrective-action evidence, and separate GPAI systemic-risk reporting records against the cited AI Act sources.

Research workflow
Open Research Copilot for EU AI Act

Ask source-linked questions about Article 73 high-risk AI incident reporting, Article 26 deployer escalation, and Article 55 GPAI systemic-risk reports.

Explore next step
Talk to Sorena
Talk through serious-incident triage

Review your AI Act reporting route, authority hand-off, evidence fields, and corrective-action record with Sorena.

Explore next step
Primary sources

References and citations

European Commission - AI Act serious AI incidents consultation
digital-strategy.ec.europa.eu
Referenced sections
  • Commission consultation page referenced in the grounding data for draft guidance and a reporting template on serious AI incidents involving high-risk AI systems.
"reporting template on serious AI incidents"
European Commission - GPAI serious-incident report template
ec.europa.eu
Referenced sections
  • The official GPAI template lists the practical fields for Article 55 serious-incident reports, including harm, chain of events, model involved, evidence, response, root cause, and post-market monitoring patterns.
"Reporting Template"
European Commission - Guidelines for GPAI providers
digital-strategy.ec.europa.eu
Referenced sections
  • Commission guidance page clarifies the scope of obligations for providers of general-purpose AI models and links those obligations to AI Office submissions.
"providers of general-purpose AI models"
European Commission - Navigating the AI Act
digital-strategy.ec.europa.eu
Referenced sections
  • Commission FAQ explains that deployers monitor high-risk AI systems, act on identified risks or serious incidents, and assign human oversight.
"monitor the operation"
Regulation (EU) 2024/1689 (EU AI Act)
eur-lex.europa.eu
Referenced sections
  • Article 55(1)(c) creates the GPAI systemic-risk provider duty to track, document, and report serious-incident information and possible corrective measures.
"Obligations of providers of general-purpose AI models with systemic risk"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.
FAQ: EU AI Act conformity assessment procedures and notified body selection
source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration.