European Commission Publishes Draft Guidance on Reporting Serious AI Incidentsh2>
On September 26, 2025, the European Commission issued draft guidance concerning the reporting of serious incidents under Article 73 of the Regulation (EU) 2024/1689 on artificial intelligence, commonly referred to as the EU AI Act. This regulation mandates that providers of high-risk AI systems promptly notify national market surveillance authorities regarding serious incidents that arise from the use of these systems.p>
Understanding Serious Incidentsh3>
Article 73 defines a b>“serious incident”b> as any event or malfunction of an AI system that leads to significant consequences. Examples of such outcomes include:p>
-
li>b>Death or serious harmb> to an individual’s health;li>
li>b>Serious and irreversible disruptionb> to critical infrastructure management;li>
li>b>Infringementsb> of EU law intended to protect fundamental rights;li>
li>b>Serious harmb> to property or the environment.li>
ul>
This reporting obligation specifically targets providers of high-risk AI systems, which the EU considers to pose significant risks to health, safety, or fundamental rights.p>
Scope and Definitionsh3>
The draft guidance refines the conditions under which a reporting obligation is triggered. The Commission asserts that even an b>indirect causal linkb> between the AI system and the resultant harm necessitates a report. For instance, if an AI system delivers an incorrect medical diagnosis that leads to harm following a clinical decision, this still qualifies as a reportable incident. Similar expectations apply for flawed AI assessments leading to unfair loan denials.p>
The Commission also proposes a simplified reporting regime for high-risk AI systems operating within sectors that already have established reporting obligations, such as critical infrastructure under the NIS-2 Directive (2022/2555).p>
Timelines and Investigation Responsibilitiesh3>
Companies are required to report serious incidents without undue delay, specifically within a maximum of b>15 daysb> of awareness. In cases of potential death, the deadline shortens to b>10 daysb>, and b>2 daysb> for widespread infringements or serious disruptions.p>
Article 73(5) allows providers to submit an initial incomplete report with the understanding that supplemental information will follow. After reporting, the provider must conduct an investigation into the incident, following specified duties, including a prohibition against altering the AI system during this investigation without notifying authorities.p>
Enforcement and Compliance Risksh3>
Reports of serious incidents often trigger market-surveillance actions and regulatory measures within seven days of receipt. These actions may include product recalls, market withdrawals, or restrictions on product availability.p>
Non-compliance with these reporting obligations can lead to severe repercussions, including administrative fines that can reach up to b>€15 millionb> or b>3%b> of a company’s worldwide annual turnover, whichever is higher. Companies may also face civil claims from affected users.p>
Recommendations for Companiesh3>
It is imperative for companies to review their reporting processes early and integrate new obligations into their incident-reporting frameworks. Key recommendations include:p>
-
li>Establishing clear incident-response protocols;li>
li>Monitoring systems to detect potential serious incidents;li>
li>Maintaining evidence preservation measures;li>
li>Defining internal roles and responsibilities for reporting.li>
ul>
These processes should align closely with reporting obligations under other regulatory frameworks, including the GDPR, while incorporating best practices from product-safety regulations.p>
Conclusion and Future Outlookh3>
The draft guidance and accompanying reporting template are currently open for public consultation until b>November 7, 2025b>. The Commission is expected to refine the scope of Article 73 during this consultation period. Companies are encouraged to submit practical suggestions for clarifying the guidance and reporting template.p>
