---
title: "EU AI Act serious incident reporting triage workflow: Article 73 and Article 55"
canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow"
source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow"
author: "Sorena AI"
description: "Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU AI Act"
  - "AI Act Article 73"
  - "AI Act Article 55"
  - "serious incident reporting"
  - "high-risk AI incident reporting"
  - "GPAI systemic risk reporting"
  - "AI Act"
  - "Article 73"
  - "Article 55"
  - "high-risk AI"
  - "GPAI systemic risk"
---
# EU AI Act serious incident reporting triage workflow: Article 73 and Article 55

Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.

Use this workflow to decide whether an AI incident meets Article 3(49), whether Article 73 high-risk AI reporting is triggered, which clock applies, and who must escalate.

The page separates high-risk AI system reporting to market surveillance authorities from Article 55 reporting for providers of general-purpose AI models with systemic risk.

Article 73 reporting is not an ordinary incident-management step. It applies to providers of high-risk AI systems placed on the Union market when a serious incident occurs, with deployers pulled into the awareness and escalation path. Article 55 creates a separate serious-incident reporting duty for providers of general-purpose AI models with systemic risk.

## 1. Start with the Article 3(49) serious-incident definition

Open the triage only for an incident or malfunctioning of an AI system that directly or indirectly leads to one of the Article 3(49) harm categories. Near misses and ordinary support tickets may still matter for post-market monitoring, but Article 73 reporting turns on the serious-incident definition and the later causal-link assessment.

Record the affected system, deployment context, harm category, first awareness time, affected Member State, provider, deployer, importer or distributor contacts, available logs, and whether any evidence may be overwritten by normal operations.

- Article 3(49)(a): death of a person or serious harm to a person's health.
- Article 3(49)(b): serious and irreversible disruption of the management or operation of critical infrastructure.
- Article 3(49)(c): infringement of Union-law obligations intended to protect fundamental rights.
- Article 3(49)(d): serious harm to property or the environment.
- If none of these categories is plausible, close Article 73 triage but keep the ordinary incident, post-market monitoring, security, privacy, or safety record.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Article 3(49) defines the serious-incident harm categories used as the first triage gate.

## 2. Route high-risk AI system incidents through Article 73

For high-risk AI systems placed on the Union market, Article 73 makes the provider responsible for reporting any serious incident to the market surveillance authorities of the Member States where the incident occurred. The first routing decision is therefore: is this a high-risk AI system incident, and which Member State authority receives the report?

Do not wait for perfect root-cause certainty. The Article 73 clock runs after the provider establishes a causal link, or the reasonable likelihood of such a link, between the high-risk AI system and the serious incident. If timely reporting needs an incomplete initial report, Article 73 allows an initial incomplete report followed by a complete report.

- Default Article 73 deadline: report immediately after the causal-link threshold is met and no later than 15 days after the provider or, where applicable, the deployer becomes aware of the serious incident.
- Critical-infrastructure acceleration: report immediately and no later than two days after awareness for Article 3(49)(b) serious incidents.
- Death of a person: report immediately after the provider or deployer establishes or suspects a causal relationship, and no later than 10 days after awareness.
- Medical-device and in vitro diagnostic-device overlap: Article 73 narrows notification to Article 3(49)(c) serious incidents and routes notification to the national competent authority chosen by the Member State where the incident occurred.
- After reporting, the provider must investigate without delay, perform incident risk assessment, take corrective action, cooperate with competent authorities and any relevant notified body, and avoid altering the AI system in a way that could affect later causal evaluation before informing authorities.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Article 73 sets the recipient authority, causal-link trigger, 15-day, two-day, and 10-day reporting clocks, incomplete-report option, and investigation/corrective-action duties.
- [European Commission - AI Act serious AI incidents consultation](https://digital-strategy.ec.europa.eu/en/consultations/ai-act-commission-issues-draft-guidance-and-reporting-template-serious-ai-incidents-and-seeks?ref=sorena.io) - Commission consultation page for draft guidance and a reporting template on serious AI incidents involving high-risk AI systems.

## 3. Use deployer escalation as the early-warning path

Deployers of high-risk AI systems are not passive observers. Article 26 requires deployers to use the system according to the instructions for use, assign competent human oversight, monitor operation on the basis of those instructions, and act when risks or serious incidents appear.

The deployer escalation record should be short and operational: what was observed, when awareness started, who was informed, which instructions-for-use condition was involved, whether use was suspended, and whether the provider could be reached. If the deployer cannot reach the provider after identifying a serious incident, Article 73 applies mutatis mutandis.

- If use according to the instructions may cause the system to present a risk, the deployer informs the provider or distributor and the relevant market surveillance authority without undue delay, and suspends use.
- If the deployer identifies a serious incident, it immediately informs first the provider, then the importer or distributor and the relevant market surveillance authorities.
- Keep logs under deployer control for an appropriate period for the intended purpose and at least six months unless other Union or national law provides otherwise.
- For triage hand-off, collect incident time, system version, use case, input data context, outputs, human-oversight notes, user impact, authority contact attempts, suspension decision, and preservation steps.
- Exclude sensitive operational data of law-enforcement deployers where Article 26 preserves that limitation.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Article 26 supports deployer monitoring, escalation, suspension, immediate serious-incident notice, log retention, and cooperation points for high-risk AI systems.
- [European Commission - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ explains that deployers monitor high-risk AI systems, act on identified risks or serious incidents, and assign human oversight.

## 4. Keep GPAI systemic-risk reporting separate from Article 73

Article 55 is a separate reporting lane for providers of general-purpose AI models with systemic risk. It is not the same as Article 73 high-risk AI system reporting to Member State market surveillance authorities.

For GPAI systemic-risk incidents, Article 55(1)(c) requires providers to keep track of, document, and report without undue delay to the AI Office and, as appropriate, national competent authorities, relevant information about serious incidents and possible corrective measures. The Commission's GPAI template asks for incident dates, harm, chain of events, model involved, evidence, response, recommendations, root-cause analysis, post-market monitoring patterns, and submitter information.

- Use Article 73 when the fact pattern is a serious incident involving a high-risk AI system placed on the Union market.
- Use Article 55 when the fact pattern concerns a provider of a general-purpose AI model with systemic risk reporting serious-incident information and possible corrective measures.
- If a GPAI model is embedded in a high-risk AI system, run both checks: downstream high-risk AI system reporting may sit with the high-risk-system provider, while systemic-risk model reporting may sit with the GPAI model provider.
- Keep separate records for Article 73 authority reporting, Article 26 deployer escalation, and Article 55 GPAI systemic-risk reporting so deadlines, recipients, and evidence fields do not get mixed.
- For GPAI, include model-level evidence such as outputs, inputs, mitigation failures or circumventions, post-market monitoring patterns, and near-miss patterns where reasonably connected to the serious incident.

Sources for this answer:

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Article 55(1)(c) creates the GPAI systemic-risk provider duty to track, document, and report serious-incident information and possible corrective measures.
- [European Commission - GPAI serious-incident reporting template](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission page confirms the template is for serious incidents involving general-purpose AI models with systemic risk under Article 55.
- [European Commission - GPAI serious-incident report template](https://ec.europa.eu/newsroom/dae/redirection/document/121270?ref=sorena.io) - The official GPAI template lists the practical fields for Article 55 serious-incident reports, including harm, chain of events, model involved, evidence, response, root cause, and post-market monitoring patterns.
- [European Commission - Guidelines for GPAI providers](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance page clarifies the scope of obligations for providers of general-purpose AI models and links those obligations to AI Office submissions.

## Primary sources

- [Regulation (EU) 2024/1689 (EU AI Act)](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal text for Article 3(49), Article 26 deployer escalation, Article 55 GPAI systemic-risk reporting, and Article 73 high-risk AI serious-incident reporting.
  - Quote: "Reporting of serious incidents"
- [European Commission - AI Act serious AI incidents consultation](https://digital-strategy.ec.europa.eu/en/consultations/ai-act-commission-issues-draft-guidance-and-reporting-template-serious-ai-incidents-and-seeks?ref=sorena.io) - Commission consultation page for draft guidance and a reporting template on serious AI incidents involving high-risk AI systems.
  - Quote: "serious AI incidents"
- [European Commission - GPAI serious-incident reporting template](https://digital-strategy.ec.europa.eu/en/library/ai-act-commission-publishes-reporting-template-serious-incidents-involving-general-purpose-ai?ref=sorena.io) - Commission page for the Article 55 serious-incident template for general-purpose AI models with systemic risk.
  - Quote: "general-purpose AI models with systemic risk"
- [European Commission - GPAI serious-incident report template](https://ec.europa.eu/newsroom/dae/redirection/document/121270?ref=sorena.io) - Official GPAI report template fields for Article 55 serious-incident reports, including harm, events, model involvement, evidence, response, root cause, and monitoring patterns.
  - Quote: "Report for Serious Incidents"
- [European Commission - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ context for high-risk provider and deployer obligations, including monitoring, serious-incident response, corrective actions, and GPAI systemic-risk duties.
  - Quote: "reporting serious incidents"
- [European Commission - Guidelines for GPAI providers](https://digital-strategy.ec.europa.eu/en/policies/guidelines-gpai-providers?ref=sorena.io) - Commission guidance page for the scope and submission context of obligations applying to providers of general-purpose AI models.
  - Quote: "general-purpose AI models"
