Five questions that map your AI incident to the EU AI Act Article 73 reporting clock: 2 days for public-health threats, 10 days for death or serious harm, 15 days for other serious incidents. Plus a coordinated notify list covering MDR vigilance, GDPR Article 33, and NIS2 where applicable.
Source: AI Act Article 73 + Article 3(49) on EUR-Lex. When in doubt, report. Under-reporting carries the heaviest exposure.
Examples: AI-driven traffic control mis-routing emergency vehicles; healthcare AI mis-classifying multiple patients with a cascading effect; energy grid AI causing widespread outage.
Article 73 of the EU AI Act requires providers of high-risk AI systems to report serious incidents to the national market surveillance authority on a 2 / 10 / 15 day clock from awareness. The 2-day clock applies when the incident poses an immediate or imminent risk of widespread harm to public health or critical infrastructure. The 10-day clock applies when the incident caused death or serious deterioration in a person's state of health. The 15-day clock applies to any other serious incident. The clock starts at awareness, not confirmation; back-dating awareness is a common pitfall.
Article 3(49) defines serious incident as an incident or malfunction of a high-risk AI system that directly or indirectly leads to (a) death or serious harm to health, (b) serious disruption to critical infrastructure, (c) serious breach of fundamental rights protected by Union law, or (d) serious environmental damage. The threshold is meaningfully different from the GDPR Article 33 'breach' threshold: many GDPR breaches are not AI Act serious incidents, and vice versa.
When an AI incident also involves personal-data breach, both regimes apply. GDPR Article 33 requires notification to the lead supervisory authority within 72 hours of awareness. AI Act Article 73 has its own 2 / 10 / 15 day clock to the market surveillance authority. In practice, the lead DPA and AI MSA coordinate, and the same incident package can satisfy both, but the legal obligations are separate. File both notifications independently; coordination is the authorities' job, not yours.
Medical AI under MDR 2017/745 also has its own vigilance regime (Articles 87-92 MDR) on the same 2 / 10 / 15 day cadence. The Commission has signalled that aligned reporting (one notification feeding both regimes) is acceptable; expect coordinated submission to the national medical-device competent authority AND the AI market surveillance authority. The clocks are the same, but the notifications go to different agencies.
Default to reporting. Article 73 doesn't penalise over-reporting, but under-reporting attracts Article 99(4) Tier 2 fines (up to EUR 15M or 3% of turnover) plus civil liability if harm could have been prevented by earlier notification. The rater is conservative: if you tick 'yes' on any threshold question, it triggers the corresponding clock. Document the analysis in your incident log so you can show why you classified the way you did if asked later.
The guide walks the 6-step response plan from detection to root-cause analysis, with the full reporting cascade and coordination with MDR vigilance for medical-device AI.