The 15-day serious incident reporting deadline: what counts and how to comply
Article 73 gives providers of high-risk AI systems 15 days to report serious incidents to market surveillance authorities. Here is exactly what triggers the clock and what the report must contain.
What starts the 15-day clock
The deadline begins when the provider establishes a causal link β or reasonable likelihood of one β between the AI system and a serious incident. A serious incident is defined in Article 3(49) as any incident that directly or indirectly causes death, serious damage to health, serious disruption to critical infrastructure management, or a breach of fundamental rights obligations.
Note: the clock does not start at the moment the incident occurs. It starts when the provider becomes aware (or should reasonably have become aware) that the incident is linked to the AI system. However, delaying internal triage to push the start date is not a defensible strategy β regulators will scrutinise whether the provider had adequate monitoring in place.
What the initial report must contain
The initial report to the relevant market surveillance authority must include: identification of the AI system (name, version, registration number), a description of the incident and its consequences, corrective measures already taken or planned, and any known details about affected persons. If full information is not yet available, a preliminary report is acceptable β but a final report must follow without undue delay.
Providers must also notify the importer or distributor who made the system available. If the system is used across multiple Member States, each relevant authority must be informed. ActLoom generates a structured incident report template that maps to Article 73 requirements and tracks your notification timeline automatically.
Penalties for missing the deadline
Failure to report a serious incident within 15 days is a separate infringement from the incident itself. Under Article 99, administrative fines for non-compliance with post-market obligations can reach up to β¬15 million or 3% of worldwide annual turnover. Beyond fines, late reporting erodes trust with market surveillance authorities and can trigger broader investigations into your quality management system.
Building an internal incident workflow before an incident occurs is critical. Your process should include automated detection, triage criteria, responsibility assignment, and pre-drafted notification templates. The organisations that respond within 15 days are the ones that rehearsed the process in advance.