What this page gives you
- A practical map of 15-day, 10-day, and 2-day reporting windows described in Article 73.
- Fields to capture before a legal or conformity reviewer assesses reportability.
- How deployers, providers, vendors, legal, and incident teams should hand off facts.
Article 73 timing map
Article 73 requires reporting after the provider has established a causal link, or reasonable likelihood of a causal link, between the high-risk AI system and the serious incident. The table below is an operational triage map, not a legal conclusion.
| Situation | Article 73 timing signal | Operational action |
|---|---|---|
| Standard serious incident path | Report without undue delay and in any event not later than 15 days after awareness. | Open incident record, preserve evidence, start causal-link review. |
| Widespread infringement or certain serious incidents | Report immediately and not later than 2 days after awareness. | Escalate to legal, provider, leadership, and reporting owner immediately. |
| Death of a person | Report immediately after causal relationship is established or suspected, and not later than 10 days after awareness. | Activate executive, legal, provider, and authority-contact workflow. |
| Incomplete information | Article 73 allows an initial incomplete report where necessary, followed by a complete report. | Submit facts known, track missing facts, preserve a completion deadline. |
Article 73 reporting checklist
Markdown checklist for intake, timing, causal-link review, evidence, escalation, and closure.
Who needs this guide
This guide is for providers of high-risk AI systems, deployers who may first detect a serious incident, compliance officers, incident response teams, product owners, legal teams, and vendor managers. It is especially useful where a deployer relies on a third-party AI provider and needs a fast evidence handoff.
Facts to capture before deciding reportability
- AI system name, version, owner, provider, deployer, and affected geography.
- High-risk classification assumption and related use case.
- Incident description, timeline, affected persons, harm type, and immediate containment.
- Evidence of model output, logs, human review, override, and escalation.
- Known or suspected causal link between AI system behaviour and the serious incident.
- Provider, deployer, vendor, and authority-contact actions already taken.
Recommended workflow
- Record the incident in the Serious Incident Register Lite.
- Activate the AI Incident Response Plan.
- Notify the provider or deployer counterparty as required by contract and incident process.
- Preserve evidence before altering the system in a way that could affect later evaluation.
- Route the record to qualified legal, compliance, and conformity-assessment review.
- Feed confirmed lessons into the Post-Market Monitoring Plan.
FAQ
Who reports under Article 73?
Article 73 is framed around providers of high-risk AI systems placed on the Union market reporting serious incidents to the relevant market surveillance authorities. Deployers may become aware first, so contracts and internal processes should define handoff duties.
Does every AI incident trigger Article 73?
No. Article 73 concerns serious incidents involving high-risk AI systems. Internal triage should separate ordinary defects, security events, complaints, and suspected serious incidents before qualified review.
Can an initial report be incomplete?
Article 73 allows an initial incomplete report where necessary to ensure timely reporting, followed by a complete report. Teams should track missing facts and assign an owner for completion.
Source and review note
This page is educational. Review any legal, conformity, reporting, or sector-specific decision against Regulation (EU) 2024/1689, European Commission materials, national authority guidance, sector legislation, and qualified legal or conformity-assessment advice where relevant. EU AI Compass does not provide legal advice or certify compliance.