Article 72 — the monitoring system itself
From Fontvera's obligations corpus (regulation = 'AI Act' AND article_number = '72'), the six obligations on the monitoring system resolve to:
- 72(1) — establish and document the system. The monitoring system must be proportionate to the nature of the AI technologies and the risks of the high-risk AI system. Documentation lives inside the technical file.
- 72(2) — active and systematic data collection. Performance data on how the system operates throughout its lifetime, with analysis to detect previously unknown risks.
- 72(3) — interaction with other AI systems. Where relevant, monitoring includes analysis of how the system interacts with other AI systems in the operational environment. This is the clause that catches AI-pipeline degradation.
- 72(4) — written monitoring plan. The plan is part of the technical documentation under Annex IV and must be drawn up before placing on the market.
- 72(5) — sectoral integration. For high-risk AI systems already covered by Union harmonisation legislation (medical devices under MDR, machinery, automotive type-approval, etc.), the AI Act monitoring system is integrated with the sectoral scheme — not duplicated. The same applies to financial-services post-market monitoring under Union financial law.
- 72(6) — Commission template. The Commission shall adopt an implementing act with detailed provisions for the monitoring plan template before 2 February 2026 — the template is the format authorities will accept.
Source: Article 72 of Regulation (EU) 2024/1689.
Article 73 — serious incidents on three different clocks
The six Article 73 obligations divide a serious incident into three reporting windows depending on severity:
| Trigger | Window | Source |
|---|---|---|
| Standard serious incident — causal link or reasonable likelihood thereof established | 15 days after establishment | Article 73(2) |
| Widespread infringement or fundamental-rights serious incident under Article 3(49)(b) | 2 days after establishment | Article 73(3) |
| Incident involving the death of a person | Immediately, at the latest 10 days after the provider establishes or suspects a causal relationship | Article 73(4) |
Article 73(5) permits an initial incomplete report followed by a complete report — the regulator's acknowledgement that the deepest analysis arrives later. Article 73(6) requires the provider to perform necessary investigations including risk assessment and corrective measures without delay following the initial report.
What counts as a serious incident — Article 3(49)
The definition has four prongs. Any one of these triggers Article 73:
- (a) the death of a person, or serious harm to a person's health.
- (b) a serious and irreversible disruption of the management or operation of critical infrastructure.
- (c) infringement of obligations under Union law intended to protect fundamental rights.
- (d) serious harm to property or the environment.
Prong (b) is the one that connects most strongly to NIS2 (Directive (EU) 2022/2555) and DORA (Regulation (EU) 2022/2554). Prong (c) is the bridge to GDPR personal-data breach reporting under Article 33 GDPR — separate timeline (72 hours), separate authority (DPA), but often the same underlying event.
Sectoral integration — DORA Article 17 and NIS2 Article 23
Article 72(5) is explicit: where a high-risk AI system is already covered by sectoral post-market obligations under Union harmonisation legislation, the AI Act monitoring system is integrated, not duplicated.
- DORA Article 17 — financial entities must classify ICT-related incidents and report major ones to competent authorities within tight initial / intermediate / final reporting windows. Where the incident also meets AI Act Article 3(49), Article 73 attaches in parallel and the operator must reconcile the two timelines.
- NIS2 Article 23 — essential and important entities must notify significant incidents to CSIRTs / competent authorities within 24 hours (early warning) / 72 hours (incident notification) / one month (final report). Where the incident involves a high-risk AI system, AI Act Article 73 still applies on its own clock.
- MDR Article 87 — medical-device manufacturers report serious incidents to competent authorities within timelines defined by the regulation. AI medical devices on the market are integrated under AI Act Article 72(5).
Deployer side — Article 26 hands off to Article 73
Deployers have their own duty under Article 26: where they have reason to consider that the use of a high-risk AI system may result in a risk under Article 79(1), they must inform the provider or distributor and the relevant market surveillance authority without undue delay (Article 26(5)). Where the deployer has identified a serious incident, they must immediately inform the provider, then the importer/distributor, then the market surveillance authority (Article 26(5) third sub-paragraph).
The deployer's notification triggers the provider's Article 73 reporting clock. Internal SLAs between provider and deployer should mirror the Article 73 windows — anything else introduces preventable delay.
Real numbers Fontvera tracks
- 12 obligations under Articles 72 and 73 in Fontvera's structured corpus — six on the monitoring system, six on incident reporting.
- 743 AI Act obligations total. Articles 72–73 are the operational backbone of the post-market regime that connects to Article 99(2) penalties.
- 5 AI Act ↔ DORA cross-references and 5 AI Act ↔ NIS2 cross-references — the integration points referenced by Article 72(5).
- 312,758 current EU regulatory documents — including AI Office working drafts on the Article 72(6) implementing template, ENISA cybersecurity incident-reporting guidance, and ESMA / EBA / EIOPA DORA reporting standards — feed the post-market graph.
Penalty exposure
Breach of Article 72 monitoring or Article 73 incident reporting sits in Article 99(2) — €15,000,000 or 3% of worldwide turnover. Failure to provide accurate and complete information to authorities additionally exposes the operator to Article 99(3) — €7,500,000 or 1.5%. For incidents that also breach DORA, NIS2 or GDPR, those penalty regimes stack on top.
What good looks like before 2 August 2026
- Draft the Article 72(4) monitoring plan now in the format of the forthcoming Commission template (expected before 2 February 2026). Put it in the technical file under Annex IV before placing the system on the market.
- Map your incident-classification taxonomy to Article 3(49). The four prongs determine the Article 73 clock — get this wrong and the 15-day window becomes a 2-day window in retrospect.
- If you operate under DORA or NIS2, reconcile the timelines in a single playbook. One incident drives multiple reports on different clocks — the provider that learns this during an incident is the provider that misses a deadline.
- Set provider-deployer SLAs that mirror Article 73 windows. Deployer Article 26 notification feeds provider Article 73 reporting; build the contractual flow before an incident.
- Practice the initial-incomplete-report workflow under Article 73(5). The window does not pause while you wait for a perfect root-cause analysis.