RatedWithAI

RatedWithAI

Accessibility scanner

AI RegulationJuly 1, 2026

EU AI Act Incident Reporting & Post-Market Monitoring 2026: What Businesses Must Do

High-risk AI enforcement begins August 2026. Providers must report serious incidents to national authorities within 15 days and maintain ongoing post-market monitoring systems. Most businesses haven't started building these processes. Here's exactly what's required.

15 days
Max time to report a serious incident to national authorities
Aug 2026
High-risk AI obligations enforceable — monitoring required from day 1
€15M
Max fine for high-risk AI violations (or 3% global revenue)

Why Incident Reporting Is Often the Last Thing Businesses Prepare For

When companies audit their EU AI Act readiness, they focus on the obvious: risk classification, technical documentation, conformity assessments, EU database registration. Incident reporting and post-market monitoring are treated as operational afterthoughts — processes you build "once you're up and running."

That sequencing is backwards. The EU AI Act requires incident reporting and post-market monitoring to be in place from the moment a high-risk AI system is deployed in the EU market. Enforcement begins August 2026. If you don't have these systems running on day one, you're already non-compliant — regardless of how good your technical documentation is.

This guide covers what you must build: what qualifies as a reportable serious incident, the exact reporting window and content requirements, how post-market monitoring systems are supposed to work, and what national authorities will actually want to see when they audit.

What Is a "Serious Incident" Under the EU AI Act?

Article 3(49) defines a serious incident as any incident or malfunction of a high-risk AI system that directly or indirectly leads to any of the following:

HEALTH & SAFETY

Death or serious harm to a person's health

An AI medical diagnosis system recommends an incorrect treatment that causes patient injury. An AI hiring system systematically screens out protected-class candidates in a way that causes documented economic harm.

PROPERTY DAMAGE

Serious damage to property or the environment

An AI system managing industrial operations fails and causes equipment damage or an environmental release. Less commonly applicable to SaaS, but relevant for AI embedded in operational technology.

CRITICAL INFRASTRUCTURE

Serious disruption to critical infrastructure

AI systems managing energy grids, transportation networks, water systems, financial market infrastructure, or communications systems that fail in a way causing significant service outages.

FUNDAMENTAL RIGHTS

Breach of obligations protecting fundamental rights

An AI system used in law enforcement, border control, judicial decisions, or access to essential services that operates in a discriminatory manner or violates privacy in ways that breach EU fundamental rights law.

What's not a serious incident: an AI model giving an inaccurate answer, a recommendation the user disagrees with, or a system bug that causes a feature to malfunction without causing measurable harm. The threshold is significant, real-world harm — not every model failure. This distinction matters because over-reporting creates regulatory burden, but under-reporting when harm does occur creates liability.

The 15-Day Reporting Window: What to Submit

Article 73 of the EU AI Act establishes the incident reporting obligation. Providers of high-risk AI systems must report serious incidents to the national competent authority (NCA) of the member state where the incident occurred "without undue delay, and in any case within 15 days" of becoming aware of the incident.

"Becoming aware" is the trigger — not when the incident occurred. If a serious incident happened on July 1 but you didn't discover it until July 10 due to a monitoring gap, your 15-day clock starts July 10. But a monitoring gap itself may be a compliance violation.

What Your Incident Report Must Include

1.
Identity of the AI system involved
Name, version, and EU AI Act database registration number of the high-risk AI system.
2.
Description of the incident
What happened, when it happened, what the AI system's output was, and what harm resulted or was likely to result.
3.
Affected persons or entities
Who was harmed or at risk. If individuals are identifiable, their details — subject to GDPR data minimization. If a class of users was affected, describe the class and estimated count.
4.
Initial assessment of cause
Your preliminary analysis of what caused the incident. Not required to be definitive — authorities understand investigations take time — but must be substantive and good-faith.
5.
Corrective measures taken
What steps you have taken to stop ongoing harm, prevent recurrence, and protect affected users. Suspension of the AI feature may be appropriate depending on severity.
6.
Contact information
Your EU representative or technical lead responsible for the AI system, with direct contact details for follow-up questions from the NCA.

For incidents involving a risk to human health or safety, authorities may contact you for an expedited initial notification — sometimes within 24-72 hours. Your monitoring system needs to be able to trigger emergency escalation processes, not just queue a 15-day report.

Which National Competent Authority Do You Report To?

The EU AI Act requires each member state to designate at least one national competent authority (NCA). Reports go to the NCA of the member state where the incident occurred or where the affected users are located.

If your AI system is deployed across multiple EU member states and a serious incident affects users in multiple countries, you may need to report to multiple NCAs. The EU AI Act does not yet have a fully unified one-stop-shop mechanism for pan-EU incidents the way GDPR has lead supervisory authority. The European AI Office at the European Commission plays a coordination role, particularly for GPAI model incidents.

Practical approach for multi-market SaaS providers

Identify the member state where you have the largest user base or where you have designated your EU establishment or EU representative (required if you have no EU entity). Build a relationship with that NCA proactively — before an incident occurs. NCAs in Germany (BNetzA), France (CNIL), and the Netherlands (ACM) have been most active in AI regulation so far. Some NCAs are publishing incident report templates; check their websites for current forms.

Post-Market Monitoring: The Ongoing Obligation

Article 72 of the EU AI Act requires providers of high-risk AI systems to establish and maintain a post-market monitoring system. This is a permanent, ongoing requirement — not a one-time deployment review. The system must "actively and systematically collect, document, and analyze relevant data on the performance of high-risk AI systems throughout their lifetime."

What does this mean in practice?

Continuous Output Monitoring

You must track the actual outputs of your high-risk AI system in production — not just test them before deployment. For an AI hiring screening tool, this means monitoring acceptance/rejection rates by demographic group on an ongoing basis to catch emerging bias drift.

Performance Against Declared Metrics

Your technical documentation declares performance metrics (accuracy, error rates, fairness thresholds). Post-market monitoring must verify these hold in production. If real-world performance diverges from declared metrics, it's both a technical issue and a compliance issue.

User Feedback Mechanisms

Users of high-risk AI systems must have a way to report problems or unexpected outputs. This isn't just a support ticket form — it's a structured mechanism that feeds back into your post-market monitoring log and triggers review processes.

Incident Detection and Logging

Your monitoring system must be capable of detecting serious incidents — not just operational metrics. This requires anomaly detection on outputs, not just uptime monitoring. A system that's 99.9% uptime but producing discriminatory decisions needs the latter caught.

Regular Reporting to Authorities

Depending on your sector and the specific AI system, periodic reporting of post-market monitoring summaries may be required by national authorities — even when no serious incidents occurred. Build reporting infrastructure now.

Log Retention

Logs of high-risk AI system inputs and outputs must be retained for a minimum period. Article 12 specifies retention aligned with the system's intended purpose. In employment/HR contexts, align with local labor record retention laws (often 5-7 years in the EU).

Deployer Obligations: You're Not Off the Hook

If you are a deployer of a high-risk AI system — meaning you use a third-party high-risk AI product in your business operations rather than building one yourself — you still have incident reporting obligations under Article 73(6).

Deployers must:

  • Report serious incidents that occur during their use of the high-risk AI system to the provider
  • Report to national authorities when required (particularly if the provider is outside the EU and the NCA requests direct deployer reporting)
  • Cooperate with the provider's post-market monitoring program by providing usage data and incident information
  • Maintain records of AI system usage sufficient to support incident investigation

If you use third-party AI tools for HR screening, credit assessment, or other high-risk applications, your contracts with those vendors should specify incident reporting procedures, data sharing for monitoring purposes, and who bears primary reporting responsibility to which national authority.

Building Your Compliance Infrastructure: 7-Step Checklist

1

Classify your AI systems

Determine which of your AI systems qualify as high-risk under Annex III. If you're in employment, credit, education, healthcare, or public services — assume high-risk until you've done a documented analysis confirming otherwise.

2

Define your 'serious incident' threshold

Document what specific types of AI failures would constitute serious incidents for your system. Create an internal severity matrix: what's a bug vs. a monitoring alert vs. a reportable serious incident. Have legal counsel review the definitions against EU AI Act language.

3

Identify your national competent authority

Determine which NCA(s) you would report to based on your EU user base. Find the current contact details and any incident report templates they've published. Some NCAs have pre-incident notification programs for major deployers.

4

Build incident detection into your monitoring stack

Output monitoring for high-risk AI systems is not optional. Implement anomaly detection on AI outputs — not just infrastructure metrics. For HR AI: demographic parity monitoring. For credit AI: outcome rate monitoring by protected class.

5

Create an incident response runbook

Document the exact internal escalation path when a potential serious incident is detected: who is notified, who assesses severity, who drafts the NCA report, who approves it, and who is responsible for corrective action. This runbook should be tested before enforcement begins.

6

Set up logging and retention

Implement logging of high-risk AI system inputs and outputs. Configure retention policies aligned with your sector's requirements. Ensure logs are stored in a way that enables rapid extraction for incident investigation — not buried in application logs.

7

Establish user feedback mechanisms

Add in-product mechanisms for users to flag unexpected or harmful AI outputs. These must feed into your monitoring system — not just a generic support queue. Document how you review and act on user-submitted AI feedback.

Frequently Asked Questions

What counts as a 'serious incident' under the EU AI Act?

Under Article 3(49) of the EU AI Act, a serious incident is any incident or malfunction of a high-risk AI system that directly or indirectly leads to: death or serious harm to the health of a person; serious damage to property or the environment; serious and irreversible disruption to critical infrastructure; or a breach of obligations under Union law intended to protect fundamental rights. For most SaaS companies, this means AI outputs that cause measurable harm to users — not just inaccurate outputs or minor errors.

How quickly must serious incidents be reported under the EU AI Act?

High-risk AI providers must report serious incidents to the relevant national competent authority (NCA) without undue delay, and in any case within 15 days of becoming aware of the incident. For incidents involving a risk to the health or safety of persons, the reporting window may be shorter — authorities can request immediate notification. The report must include a description of the incident, the AI system involved, likely cause, and initial corrective measures taken.

Who is the 'national competent authority' for EU AI Act incident reports?

Each EU member state must designate at least one national competent authority (NCA) responsible for supervising the EU AI Act. For most high-risk AI systems, you report to the NCA of the member state where the serious incident occurred or where the affected user is located. If your product is available across the EU, you may designate a primary NCA. As of mid-2026, most member states have designated NCAs; check the EU AI Office's registry for your relevant authority.

Does post-market monitoring apply to all AI systems?

Mandatory post-market monitoring is a requirement for high-risk AI system providers and deployers. For minimal-risk and limited-risk AI systems, post-market monitoring is encouraged under voluntary codes of conduct but not legally mandated. However, any business using AI in a regulated context should implement some form of output monitoring as best practice, given that risk classifications can change.

Find AI Compliance and Monitoring Tools on RatedWithAI

Building EU AI Act-compliant post-market monitoring requires the right tooling — AI output monitoring platforms, bias detection tools, audit trail systems, and incident management software. RatedWithAI reviews and rates the tools businesses are actually using for AI governance and compliance.

Explore AI Compliance Guides