The European Commission Publishes Draft Guidance for Serious AI Incidents Under the EU AI Act
On September 26, 2025, the European Commission unveiled the ‘Draft Guidance Article 73 AI Act – Incident Reporting’ (the Draft Guidance). This guidance is designed to assist providers and deployers of High-Risk AI Systems, as defined under the EU Artificial Intelligence Act (the AI Act), in complying with their post-market monitoring obligations to report serious incidents and widespread infringements to national authorities, as mandated by Article 73 of the AI Act.
Clarification of Definitions and Reporting Obligations
The Draft Guidance aims to elucidate key definitions and reporting obligations by providing detailed explanations regarding the nature of obligations, including what, when, and how to report incidents. It also offers practical examples to facilitate understanding.
Among its key components, the Draft Guidance outlines the concept of a serious incident that triggers reporting obligations. It considers incidents or malfunctions of AI systems that directly or indirectly result in death or serious harm, whether the system is used as intended or misused in reasonably foreseeable ways.
Examples of Serious Harm
The guidance clarifies that serious harm includes infringements of fundamental rights as outlined by the EU Charter of Fundamental Rights. Notably, only those infringements that significantly impact rights protected by the Charter on a large scale are subject to reporting. Examples provided include:
- Discriminatory AI in recruitment processes.
- Credit scoring systems that exclude individuals based on names associated with certain regions or geographic locations.
- Biometric identification systems that frequently misidentify individuals from specific backgrounds.
Overlap with Other EU Legislation
The Draft Guidance also emphasizes that the same incident might trigger reporting obligations under various EU legislation. It details how the AI Act includes provisions to mitigate the risk of overlapping obligations and reporting fatigue. For instance, under the Critical Entities Resilience Directive, entities within essential sectors, such as energy and water, are required to report incidents disrupting essential services within 24 hours. However, under the AI Act, only incidents involving fundamental rights violations necessitate additional reporting.
For example, if an AI system managing power supply discriminates against low-income areas, this incident must be reported under the AI Act. Similarly, under the Digital Operational Resilience Act, financial entities must report major ICT incidents and cyber threats using standardized templates. For AI systems in financial services, only incidents involving fundamental rights require further reporting under the AI Act.
Alignment with International Standards
The Draft Guidance highlights the EU’s commitment to align AI incident monitoring with international standards, including the Organisation for Economic Co-Operation and Development’s AI Incidents Monitor and Common Reporting Framework.
General-Purpose AI Models
It is important to note that the Draft Guidance does not address general-purpose AI models that pose systemic risks and their associated reporting duties, which fall under Article 55 of the AI Act.
Incident Reporting Template
Alongside the Draft Guidance, the European Commission has published a template for ‘Incident Reports for Serious Incidents under the AI Act (High-Risk AI Systems)’. Stakeholders are encouraged to provide feedback on the Draft Guidance and Reporting Template until November 7, 2025.
For further information, the Draft Guidance and Reporting Template are available online.
