EU AI Act · Article 73

EU AI Act Article 73 Serious Incident Reporting: Evidence for Triage, Reconstruction, and Notification Decisions

Create an incident triage record →Export an incident evidence bundle

Answer box

Article 73 should be treated as an evidence workflow, not a static compliance note. Article 73 is where weak evidence systems become painful. When something goes wrong, teams need to reconstruct what happened, which system version acted, what data or model was involved, who reviewed it, what monitoring signal appeared, and why a notification decision was made. CertifiedData and Decision Ledger can support the evidence layer with SHA-256 artifact fingerprints, Ed25519 signatures, RFC 8785-style canonical payloads where appropriate, signed decision records, and exportable evidence bundles. This page is not legal advice and does not claim that any tool alone makes a system compliant.

Official basis to verify before publication

Serious incident reporting for high-risk AI systems, including obligations to report certain serious incidents to market surveillance authorities under defined conditions.

Editorial note: verify exact statutory language, numbering, applicability dates, and any post-publication Commission guidance against official EU sources before publishing. Keep the page framed as audit-readiness and evidence infrastructure, not legal compliance automation.

Why this matters

Incident response often starts with logs, screenshots, chat messages, and guesses. For AI systems, that is not enough. A serious incident review needs decision records, artifact references, monitoring signals, deployer reports, oversight actions, and a signed triage trail.

For CertifiedData, the strategic opportunity is to translate regulatory language into evidence objects. A reader should leave this page understanding what records they may need, why screenshots are weak, how signed artifacts improve reviewability, and when to route into Decision Ledger or an evidence bundle.

Incident reporting starts before the incident

A team cannot reconstruct an AI incident if it did not log decisions, artifacts, oversight actions, and monitoring signals beforehand. Article 73 therefore depends on earlier evidence infrastructure: Article 12 records, Article 19 logs, Article 26 deployer records, Article 72 monitoring, and Article 9 risk files.

What an incident evidence bundle should contain

The bundle should include incident summary, timeline, affected system, model version, dataset or artifact references, relevant decision records, monitoring signals, human review events, mitigation actions, and notification decision. Each critical artifact should have a stable identifier or hash.

CertifiedData's role in incident reconstruction

CertifiedData can help preserve the records needed for reconstruction and notification decisions. It can show whether a decision record or artifact changed after signing. It cannot decide whether an event is legally reportable or whether the notification satisfied regulatory requirements.

Why this page belongs in Sprint 2

Article 73 is optional but commercially useful because it connects evidence to urgent buyer pain. It makes Decision Ledger feel operational, not abstract. A company may ignore governance until procurement asks. It will not ignore incident reconstruction.

Evidence matrix

Evidence area	What the team should preserve	CertifiedData / Decision Ledger evidence object
Detection signal	Monitoring event, deployer report, complaint, anomaly, or internal finding.	Monitoring or intake record
Timeline reconstruction	Sequence of decisions, outputs, versions, reviews, and mitigations.	Decision Ledger chain
Artifact references	Data, model, prompt, policy, and output artifacts involved.	Certified artifact records
Triage decision	Assessment of severity, reporting path, responsible owner, and rationale.	Signed incident decision
Post-incident update	Risk file, monitoring plan, documentation, and oversight changes.	Change and remediation records

Example machine-readable evidence object

{ "evidence_type": "serious_incident_triage_record", "related_ai_act_articles": [ "Article 73", "Article 72", "Article 12", "Article 26" ], "incident_id": "inc_...", "system_version": "aisys_v2.1", "timeline_records": [ "dec_..." ], "notification_decision_id": "dec_...", "reportability_status": "requires_legal_review" }

This example is intentionally illustrative. Production payloads should be versioned, canonicalized, signed, and linked to public or permissioned verification paths as appropriate.

What CertifiedData can prove

CertifiedData can help prove that a particular evidence payload existed at a particular time, was associated with a stable artifact identifier, was signed by a known key, and has not changed since signing. For datasets and AI artifacts, this can include SHA-256 fingerprints, certificate metadata, issuer identity, timestamp, schema version, and verification status. For Decision Ledger records, it can include actor, action, system version, referenced artifacts, rationale, chain position, hash, signature, and key ID.

What CertifiedData does not prove

CertifiedData does not determine legal compliance, replace conformity assessment, guarantee fairness, prove that a model is accurate, or certify that a risk control is sufficient. It does not turn a weak governance process into a compliant process by itself. Its role is narrower and stronger: preserve verifiable evidence so compliance, legal, engineering, procurement, and audit stakeholders can review the system with less reliance on trust, memory, or screenshots.

FAQ

Does CertifiedData determine whether an incident is reportable?

No. It preserves evidence and decision records. Reportability is a legal and regulatory judgment.

Why do Article 12 logs matter for Article 73?

Incident reconstruction depends on knowing what the system did and when. Article 12 records can provide the timeline foundation.

Should this page have a strong CTA?

Yes. It should route to Decision Ledger because incident evidence is a recurring operational need.

Suggested JSON-LD

Use TechArticle plus FAQPage when converting this Markdown into page.tsx. Include breadcrumbs under /eu-ai-act and keep the canonical URL at https://certifieddata.io/eu-ai-act/article-73-serious-incident-reporting.

Editorial checklist

Confirm official EU AI Act article wording and current applicability timing.
Keep evidence/readiness language; avoid saying "guarantees compliance" or "satisfies the EU AI Act."
Preserve at least five internal links.
Preserve both CTAs.
Add schema JSON-LD in the final TSX page.
Keep final user-facing copy above 1,000 words.

Implementation pattern for CertifiedData teams

A practical implementation should start with a small evidence inventory. Identify the system, its intended purpose, the operator role, the datasets and artifacts it depends on, the human decisions that approve or reject its use, and the monitoring signals that should trigger review. Then decide which records belong in CertifiedData certificates and which records belong in Decision Ledger. The goal is not to collect every possible event. The goal is to preserve the records that make a later review possible: what changed, who approved it, what evidence was available, and how the record can be verified.

For this article page, the strongest commercial path is a demo that shows a signed record, a related artifact certificate, and an exportable bundle. The page should invite the reader to move from reading about obligations to seeing how evidence can be structured. Link to the Decision Ledger demo for the fastest proof point, then to the sample evidence bundle for the buyer who needs something to share with legal, procurement, or security.

Make it real

Generate a signed evidence record and verify it yourself.

The anonymous demo turns one AI event into a canonical payload, SHA-256 hash, Ed25519 signature, key id, and verification result — exactly the shape an evidence package relies on.

Run live demo →Download evidence bundle