EU AI Act: The 15, 10 and 2-Day Incident Clock | TLY

AI Regulation Tracker  /  Regulation guidance

EU AI Act Article 73 Puts High-Risk AI Providers on a 15-Day Serious-Incident Reporting Clock

Providers of high-risk AI systems must report serious incidents to market-surveillance authorities on a tiered clock as short as two days. The Commission has issued a draft reporting template targeted to apply from August 2, 2026.

EU AI Act Article 73 Puts High-Risk AI Providers on a 15-Day Serious-Incident Reporting Clock regulation briefing
The Leveraged Years AI Regulation Tracker

The European Union has moved from telling companies that they must report AI failures to telling them exactly how fast and in what form. Under Article 73 of the EU AI Act, Regulation (EU) 2024/1689, providers of high-risk AI systems must notify the relevant national market-surveillance authority when a serious incident occurs. The European Commission has now issued draft guidance and a standardized reporting template to give that duty operational shape. The template is targeted to apply from August 2, 2026.

For working professionals in regulated fields, the important part is the clock. The law does not set one deadline. It sets three, keyed to severity.

The tiered reporting clock

The default window is 15 days. Article 73 requires a provider, or where applicable a deployer, to report "not later than 15 days after" it becomes aware of a serious incident. If the incident involved a person's death, the window shortens to 10 days. And where the incident is a widespread infringement, or a disruption to critical infrastructure, the report is due within 2 days of awareness.

The clock starts on awareness, not on confirmation. That distinction matters, because a firm cannot wait for a full internal investigation to conclude before the deadline runs. The law anticipates this: it permits an initial, incomplete report followed by a complete one once the facts are established. The practical effect is that a firm must be able to file something accurate and structured within the applicable window, then supplement it.

A simplified channel for already-regulated entities

The Commission's framework recognizes that some operators already report incidents under other EU law. Article 73 provides that, for certain high-risk systems whose providers are subject to equivalent reporting obligations under other Union instruments, the notification is narrowed. In practice this gives entities covered by regimes such as NIS2 a simplified, fundamental-rights-focused reporting channel rather than a full duplicate filing. The aim is to avoid making the same firm report the same event twice under two overlapping rulebooks.

What the template does, and what it does not do

The draft template standardizes the content of a report: what happened, which system was involved, the harm, and the corrective steps. It is meant to remove ambiguity about format so authorities across member states receive comparable information.

It does not, however, replace a firm's own safety and risk-management obligations, and it does not decide for you whether an event is a "serious incident" in the first place. That classification judgment stays with the provider, which is why the internal triage step is the real work. A firm that cannot quickly tell a serious incident from a routine bug will struggle to hit a two-day deadline. The guidance is still finalizing, so the exact template fields and thresholds may shift before they apply.

The cross-border angle

For a US reader, this is not a distant European matter. A firm placing a high-risk AI system on the EU market, or whose system is used there, inherits the Article 73 reporting duty regardless of where the company sits. That means a US developer of, for example, hiring, credit, or medical AI sold into Europe must stand up an EU-facing incident-reporting process. As with much of the AI Act, the practical result is a de-facto standard that reaches well beyond the bloc's borders.

The message for compliance teams is simple. The obligation itself is already binding law. What is new is that the Commission is supplying the form and the deadlines that make it enforceable in practice, and August 2, 2026 is the date to plan against.

Frequently Asked Questions

What changed under Article 73 of the EU AI Act?

The reporting duty for serious incidents involving high-risk AI already exists in the law. The European Commission has now issued draft guidance and a standardized reporting template that operationalize it, with tiered deadlines of 15 days, 10 days, and 2 days depending on severity. The template is targeted to apply from August 2, 2026.

Who has to report a serious AI incident?

Providers of high-risk AI systems, and where applicable deployers, must report to the market-surveillance authority of the member state where the incident occurred. This includes non-EU firms, such as US companies, that place high-risk AI on the EU market or whose systems are used there.

How fast must a serious incident be reported?

Within 15 days of becoming aware of it as a default. The window drops to 10 days if a person died, and to 2 days for a widespread infringement or a disruption to critical infrastructure. An incomplete initial report is allowed, followed by a complete one.

Is there any relief for firms already covered by other EU rules?

Yes. Entities subject to equivalent reporting obligations under other Union law, such as NIS2-covered sectors, get a narrowed, fundamental-rights-focused reporting channel instead of a full duplicate filing, to avoid reporting the same event twice.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.