EU AI Act Post-Market Monitoring & Incident Reporting (Articles 72–73)
Compliance does not end when a high-risk AI system ships. Article 72 requires providers to monitor systems in the field against a documented plan, and Article 73 sets strict deadlines for reporting serious incidents to the authorities. Both feed back into the Article 9 risk-management system so lessons in production drive real change.
EU AI Act Post-Market Monitoring & Incident Reporting (Articles 72–73)
Compliance does not end when a high-risk AI system ships. Article 72 requires providers to monitor systems in the field against a documented plan, and Article 73 sets strict deadlines for reporting serious incidents to the authorities. Both feed back into the Article 9 risk-management system so lessons in production drive real change.
አስተናጅ እንደማስተናጅ አስተናገጅ: 4 ጁላይ 2026
Article 72: Post-Market Monitoring
Providers of high-risk AI systems must actively monitor how their systems perform after they are placed on the market or put into service:
- Establish and document a post-market monitoring system proportionate to the nature of the AI technology and its risks
- Collect, document and analyse relevant data on performance throughout the system's lifetime, including from deployers and other sources
- Base the activity on a post-market monitoring plan that forms part of the technical documentation — the Commission is to provide a template
- Use the monitoring to evaluate continued compliance and detect problems that need corrective action
Article 73: Serious-Incident Reporting
When something goes seriously wrong, Article 73 imposes short, tiered deadlines to report to the market surveillance authority. A serious incident includes death or serious harm to health, serious and irreversible disruption of critical infrastructure, breach of fundamental-rights obligations, or serious harm to property or the environment:
- General rule: report immediately after the provider establishes a causal link (or reasonable likelihood) between the system and the incident, and no later than 15 days after becoming aware
- Widespread infringement or serious and irreversible disruption of critical infrastructure: no later than 2 days
- Death of a person: no later than 10 days
- An initial, possibly incomplete report may be filed first to meet the deadline, followed by a complete report; the provider must also investigate and take corrective action
The clock is short — days, not months. Reconstructing what an agent did, after the fact, without a durable record is exactly where teams get caught out.
The Feedback Loop into Article 9
Monitoring and incident reporting are not standalone paperwork — they close the loop back into risk management:
- Findings from post-market monitoring feed the Article 9 risk-management system, which must be a continuous, iterative process across the lifecycle
- Serious incidents and identified risks trigger review and update of risk controls and, where needed, the technical documentation
- This makes compliance an ongoing operational discipline, not a one-off pre-market conformity exercise
- Good production evidence is what lets you both report accurately and prove you acted on what you found
How AIAgentree helps
Post-market monitoring and incident reporting both depend on having a reliable record of what your agents actually did — which is exactly what AIAgentree captures:
- Decision traces are your incident evidence: tamper-evident records of what an agent decided and why give you the reconstruction a serious-incident report needs, on a days-long deadline
- Outcome tracking surfaces drift and failures in production, supporting the ongoing data collection and analysis Article 72 monitoring requires
- Audit-fit retention (six months or more) with EU data residency in Germany keeps tamper-evident records available for reporting and for feeding lessons back into your risk-management process
Frequently Asked Questions
What is post-market monitoring under the EU AI Act?
Article 72 requires providers of high-risk AI systems to establish and document a monitoring system, proportionate to the risks, that collects and analyses performance data throughout the system's lifetime. It runs against a post-market monitoring plan that is part of the technical documentation.
How quickly must a serious incident be reported?
Under Article 73, the general deadline is immediately after establishing a causal link and no later than 15 days after becoming aware. It shortens to 10 days if a person has died, and to 2 days for widespread infringement or serious and irreversible disruption of critical infrastructure.
What counts as a serious incident?
A serious incident includes an incident or malfunction leading to death or serious harm to health, serious and irreversible disruption of critical infrastructure, infringement of obligations meant to protect fundamental rights, or serious harm to property or the environment.
Who is responsible for post-market monitoring and incident reporting?
These are primarily provider obligations for high-risk AI systems. Deployers contribute by monitoring operation and informing the provider or authority where relevant, but the documented monitoring system and the serious-incident reports to the market surveillance authority sit with the provider.
How does monitoring connect to risk management?
The findings feed the Article 9 risk-management system, which is a continuous, iterative process. Serious incidents and monitoring results trigger review and update of risk controls and, where necessary, the technical documentation — making compliance an ongoing discipline rather than a one-time exercise.
Continue exploring the EU AI Act guide
EU AI Act Compliance Guide
The complete guide to EU AI Act compliance for AI agents — start here.
Article 12 — Record-Keeping & Logging
What every high-risk AI system must log, and how to capture it.
Article 14 — Human Oversight
Designing effective human-in-the-loop controls for AI decisions.
Annex III — High-Risk AI Systems
Which AI use cases the Act classifies as high-risk.
EU AI Act Compliance Checklist
A step-by-step checklist to reach and document compliance.
Compliance Cost Calculator
Estimate your EU AI Act compliance effort and cost.
Deadlines & Timeline
Key enforcement dates, including the August 2, 2026 deadline.
Fines & Penalties
Penalty tiers up to €35M or 7% of global annual turnover.
Transparency Obligations (Art. 13 & 50)
Disclosure duties for AI systems and their outputs.
Risk Management & Conformity Assessment
Build a risk management system and assess conformity.
GPAI Obligations
Rules for providers of general-purpose AI models.
EU AI Act for US Companies
Extraterritorial scope and what US providers must do.
Omnibus Update
The latest changes to the EU AI Act timeline and rules.
Penalty Calculator
Estimate your maximum fine under the Article 99 tiers.
Article 11 + Annex IV
What technical documentation the EU AI Act requires.
Article 26: Deployer Obligations
What deployers of high-risk AI must do, including log retention.
Article 17: Quality Management
The QMS providers of high-risk AI must document.
Article 10: Data Governance
Data quality, bias mitigation, and governance duties.
Article 4: AI Literacy
The staff AI-literacy duty in force since February 2025.
Deployer vs Provider
Who bears which obligation — and when a deployer becomes a provider.
FRIA (Article 27)
Who must run a Fundamental Rights Impact Assessment, and how.
Who Does It Apply To?
Scope, operators, and the extraterritorial reach of the EU AI Act.
ISO 42001 vs EU AI Act
How the voluntary standard and the binding law fit together.
NIST AI RMF vs EU AI Act
A practical crosswalk between the framework and the law.
EU AI Act for Healthcare
High-risk medical AI, MDR/IVDR interplay, and clinician oversight.
EU AI Act for Financial Services
Credit scoring, insurance pricing, and existing financial regulation.
EU AI Act for HR & Employment
Hiring AI as high-risk, plus NYC LL144 and EEOC overlap.