Beta

Source: OJ L, 2024/1689, 12.7.2024

EN

Article 73 Reporting of serious incidents

    1. Providers of high-risk AI systems placed on the Union market shall report any serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; to the market surveillance authorities means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; of the Member States where that incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; occurred.

    1. The report referred to in paragraph 1 shall be made immediately after the provider has established a causal link between the AI system and the serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; or the reasonable likelihood of such a link, and, in any event, not later than 15 days after the provider or, where applicable, the deployer, becomes aware of the serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

    2. The period for the reporting referred to in the first subparagraph shall take account of the severity of the serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

    1. Notwithstanding paragraph 2 of this Article, in the event of a widespread infringement or a serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; as defined in Article 3, point (49)(b), the report referred to in paragraph 1 of this Article shall be provided immediately, and not later than two days after the provider or, where applicable, the deployer becomes aware of that incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

    1. Notwithstanding paragraph 2, in the event of the death of a person, the report shall be provided immediately after the provider or the deployer has established, or as soon as it suspects, a causal relationship between the high-risk AI system and the serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, but not later than 10 days after the date on which the provider or, where applicable, the deployer becomes aware of the serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;.

    1. Where necessary to ensure timely reporting, the provider or, where applicable, the deployer, may submit an initial report that is incomplete, followed by a complete report.

    1. Following the reporting of a serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; pursuant to paragraph 1, the provider shall, without delay, perform the necessary investigations in relation to the serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; and the AI system concerned. This shall include a risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; assessment of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, and corrective action.

    2. The provider shall cooperate with the competent authoritiesas defined in Article 46, and where relevant with the notified body means a conformity assessment body designated in accordance with Article 43 and other relevant Union harmonisation legislation; concerned, during the investigations referred to in the first subparagraph, and shall not perform any investigation which involves altering the AI system concerned in a way which may affect any subsequent evaluation of the causes of the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, prior to informing the competent authoritiesas defined in Article 46 of such action.

    1. Upon receiving a notification related to a serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; referred to in Article 3, point (49)(c), the relevant market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; shall inform the national public authorities means any government or other public administration entity, including national central banks. or bodies referred to in Article 77(1). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1 of this Article. That guidance shall be issued by 2 August 2025, and shall be assessed regularly.

    1. The market surveillance authority means a market surveillance authority as defined in Article 3, point (4), of Regulation (EU) 2019/1020; shall take appropriate measures, as provided for in Article 19 of Regulation (EU) 2019/1020, within seven days from the date it received the notification referred to in paragraph 1 of this Article, and shall follow the notification procedures as provided in that Regulation.

    1. For high-risk AI systems referred to in Annex III that are placed on the market or put into service by providers that are subject to Union legislative instruments laying down reporting obligations equivalent to those set out in this Regulation, the notification of serious incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; shall be limited to those referred to in Article 3, point (49)(c).

    1. For high-risk AI systems which are safety components means software or hardware intended for integration into an electronic information system; of devices, or are themselves devices, covered by Regulations (EU) 2017/745 and (EU) 2017/746, the notification of serious incidents means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; shall be limited to those referred to in Article 3, point (49)(c) of this Regulation, and shall be made to the national competent authorityas defined in Article 46 chosen for that purpose by the Member States where the incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555; occurred.

    1. National competent authoritiesas defined in Article 46 shall immediately notify the Commission of any serious incident means an incident as defined in Article 6, point (6), of Directive (EU) 2022/2555;, whether or not they have taken action on it, in accordance with Article 20 of Regulation (EU) 2019/1020.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

dora@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod