The European Commission has published draft guidance and a reporting template for serious incidents caused by high-risk AI systems. These documents, open for public consultation until 7 November 2025, provide companies with hints for implementing one of the law's core compliance requirements in practice.
Why this matters: the goals behind Article 73
The obligation to report serious incidents, anchored in Article 73 of the AI Act, is far more than a bureaucratic exercise. It forms the core of the EU's post-market surveillance system for artificial intelligence. The Commission's guidance outlines four clear objectives pursued through this obligation:
- Creating an early warning system: Reports from across the EU are intended to enable market surveillance authorities to identify systematic risks, harmful patterns, or emerging threats from AI systems at an early stage and to act proactively.
- Establishing accountability: The reporting duty creates clear responsibility for providers. It ensures that those who develop and place AI systems on the market can be held accountable for their safety and proper functioning.
- Enabling rapid responses: The strict reporting deadlines allow authorities to take timely corrective measures to mitigate potential harm to citizens, infrastructure, or the environment.
- Building public trust: Transparency is the key to trust. A robust reporting and oversight system is intended to strengthen public confidence in AI technologies by demonstrating that an effective safeguard mechanism is in place.
Furthermore, the EU aims for alignment with international initiatives, such as the OECD's AI Incidents Monitor, to promote a globally coherent approach to AI safety.
What exactly is a 'serious incident'? The definitions in detail
Previously, the term "serious incident" in the legal text was abstract. The new guidance provides crucial interpretative work here, bringing the definition to life. A reportable incident occurs when a malfunction of an AI system directly or indirectly leads to one of the following four outcomes:
Death or serious harm to health: The guidance specifies "serious harm to a person's health" as life-threatening illness, temporary or permanent impairment of a body structure or function, conditions necessitating or prolonging hospitalisation, or medical intervention to prevent such outcomes.
Serious and irreversible disruption of critical infrastructure: Here, the guidance provides a two-tiered definition. A disruption is "serious" if it results in an imminent threat to life or the physical safety of a person. It is considered "irreversible" if, for instance, physical infrastructure needs to be rebuilt, essential data (such as patient records) cannot be restored, or specialised equipment that cannot be quickly replaced is destroyed.
Infringement of fundamental rights: This is one of the most innovative yet challenging parts of the reporting obligation. The guidance clarifies that not every breach is reportable. It must be an infringement that significantly interferes with Charter-protected rights on a large scale. This high threshold is intended to prevent a flood of reports. Examples provided include:
- An AI-based recruitment tool that systematically discriminates against candidates based on their ethnicity or gender.
- An AI credit scoring system that categorically rejects individuals from certain neighbourhoods.
Serious harm to property or the environment: The "seriousness" of the harm is assessed based on factors such as the economic impact, the cultural significance of the damaged property, and the permanence of the damage. For environmental harm, reference is made to existing EU directives, which presume irreversible or long-lasting damage to ecosystems.
The clock is ticking: who reports, when, and how?
The primary responsibility lies clearly with the providers of high-risk AI systems. As soon as they become aware of a potentially serious incident and establish a causal link to their AI system (or see a reasonable likelihood thereof), strict deadlines begin to run:
- Within 2 days: For a "widespread infringement" or a serious and irreversible disruption of critical infrastructure.
- Within 10 days: In the event of the death of a person.
- Within 15 days: For all other serious incidents.
To meet these deadlines, the AI Act explicitly permits the submission of an incomplete initial report, to be followed by a complete report later.
After reporting, providers are obliged to immediately launch a thorough investigation, conduct a risk assessment, and take corrective action. A crucial point here is that the AI system concerned must not be altered in a way that could affect the subsequent evaluation of the causes before the authorities have been informed.
However, deployers also have a duty. If they identify a serious incident, they must inform the provider "immediately". The guidance pragmatically interprets this as within 24 hours.
Consistency in the regulatory jungle: the interplay with other laws
One of the biggest concerns for businesses was the risk of duplicate reporting obligations. The guidance provides much-needed clarity on this front. For high-risk AI systems in sectors that already have their own equivalent reporting obligations—such as financial services (DORA), critical infrastructure (NIS2, CER), or medical devices (MDR)—a simplified procedure applies: the reporting obligation under the AI Act is triggered only for infringements of fundamental rights. All other incidents (e.g., harm to health) are to be reported exclusively under the respective sectoral laws. This arrangement prevents redundant bureaucratic processes and ensures legal certainty.
A look at the practical side: the new reporting template
The standardised reporting template translates the requirements into a clear, structured format. It is divided into five main sections:
- Administrative information: Who is reporting what, when, and to which authority?
- AI system information: Precise identification of the system, including its EU database ID.
- Incident information: A detailed description of what happened, the causality, and who was affected.
- Provider analysis: The results of the internal investigation and the actions taken.
- General comments: A legal disclaimer stating that the report does not constitute an admission of fault.
This template is supposed to ensure that market surveillance authorities across the EU receive consistent and comparable data.
Next steps and outlook
With the publication of these drafts, the AI Act becomes tangible. Companies developing or deploying high-risk AI systems now have a solid basis on which to prepare their internal processes for incident management and reporting. The public consultation offers an important opportunity for all stakeholders to provide feedback and ensure that the final guidance is practical and effective. The deadline for submitting comments is 7 November 2025.
