
The EU AI Act and what it means for managing incidents

If you've been within earshot of tech leadership lately, you've probably heard the words 'EU,' 'AI,' and 'compliance' in conversation.

The EU AI Act is officially upon us, and with it comes a whole new set of incident response and reporting requirements that might feel like yet another set of bureaucratic requirements to worry about.

But there's a different way to look at this legislation. At its core, the EU AI Act is trying to do something sensible—protect consumers in a rapidly evolving AI landscape where the potential for harm is real.

The good news is that companies with structured incident processes aren't going to see this as a big deal. They're likely already capturing the right information, maintaining clear timelines, and documenting impacts. The compliance comes almost for free.

For those who haven't invested in incident management yet, this regulation provides the perfect catalyst. The frameworks and tools exist (have you heard of incident.io?!) to make compliance straightforward.

The EU AI Act's overlap with incident management

Article 73 of the EU AI Act mandates that providers of high-risk AI systems (see here for the definition of that) need to report any "serious incident" or "malfunctioning" to authorities within 72 hours of becoming aware of it.

Beyond just reporting, you need:

  1. A description of what happened and who was affected
  2. Details of any measures taken to mitigate or remedy the situation
  3. Information on what EU member states and individuals were impacted

If you take a step back, what's being asked isn't unreasonable—it's actually the foundation of good incident management.

What Article 73 actually requires

Before diving into implementation, let's be clear about what Article 73 of the EU AI Act actually mandates. The core requirements are straightforward:

  • Timing: Providers of high-risk AI systems must report any "serious incident" or "malfunctioning" to relevant authorities within 72 hours of becoming aware of it.
  • Content: The report must include:
    • A detailed description of the incident and any relevant information about it
    • The consequences on health, safety, and fundamental rights
    • Any corrective measures taken or planned
    • Information about affected EU member states and individuals
  • Follow-up: You must maintain records of all incidents for regulatory inspection and potentially provide additional information upon request.

Despite the legal language, the underlying goal is sensible: ensure organizations detect, document, and address AI-related incidents that could harm people or their rights. The challenge isn't understanding what's required, it's implementing practical systems to meet these requirements without disrupting your ability to actually handle incidents.


The three key areas to focus on

When implementing EU AI Act compliance, three critical areas need your attention to create an effective incident management process:

Bridging detection and reporting

The 72-hour window requires a process that captures critical information during active response. With such a short time window, there are a few key considerations to think about:

  • How do you loop in legal and reporting teams early so they have visibility and clarity on the issue whilst it's potentially ongoing?
  • What mechanisms do you have in place to get hold of teams out-of-hours? An incident on a Friday night would leave little room for reporting if the relevant teams weren't engaged until the following Monday.

You want a system that captures key events as the incident unfolds, rather than stitching them together in hindsight, and a way to immediately notify and involve the right people if you suspect an incident falls within the scope of the regulation.

Knowledge preservation and context

Establish mechanisms to retain incident context long after resolution. The goal isn't just documenting what happened, but preserving why decisions were made and how understanding evolved throughout the incident.

Instead of relying on tacit knowledge or scattered notes, implement structured post-mortems with clear timelines and decision records that remain accessible months later when regulators have follow-up questions.

Cross-functional collaboration

Design your incident process for interaction between technical teams, legal, communications, and leadership. Each role needs visibility into the right information at the right time.

Create clear handoffs between teams with documented responsibilities. For example, engineering should know exactly what details legal needs for regulatory reports, and communications should understand precisely what information is verified versus still under investigation.

Proof, if it were needed, that incidents aren't an engineering problem; they're a whole-organization problem.

Overlapping regulation makes compliance easier

What's interesting is that the EU AI Act isn't operating in isolation. Its incident reporting requirements overlap significantly with other regulations your organization is likely already dealing with:

  • DORA (Digital Operational Resilience Act) requires financial entities to report major digital incidents within strict timeframes
  • NIS2 Directive mandates incident reporting for essential service providers
  • GDPR requires 72-hour notification for data breaches
  • Sector-specific regulations in healthcare, energy, and transportation all have their own incident reporting requirements

The common thread is that these all demand structured incident management, clear documentation, and timely reporting.

This regulatory convergence presents a compelling opportunity: implement a single, robust incident management approach that satisfies multiple regulatory frameworks simultaneously. No more siloed compliance efforts or duplicated work across different regulatory requirements.


Using incident.io to turn compliance into competitive advantage

So how do we flip this from regulatory headache to organizational advantage? By implementing structured incident management practices that satisfy the EU AI Act without adding overhead for the people trying to respond.

Here's where incident.io comes in (and yes, minor sales pitch here, but hopefully helpful too).

Real-time documentation that doesn't slow response

The most painful part of compliance is documentation, especially when it has to happen alongside the actual response work. But what if your incident management tool was capturing that documentation automatically as you work?

With incident.io, every action, decision, and timeline event gets recorded as part of the natural workflow. You're not choosing between fixing the problem and documenting it—the documentation is a byproduct of the response.

Built-in compliance workflows

The EU AI Act requires specific information in specific formats. Rather than reinventing this wheel for each incident, incident.io has built-in workflows designed specifically for AI Act compliance.

From the moment you declare an incident, compliance fields are tracked—impact assessment, remediation steps, affected jurisdictions. By the time you need to file a report, the heavy lifting is already done.

Cross-team coordination by design

When engineering, legal, and communications are all working in different tools with different information, compliance becomes nearly impossible.

Instead, imagine a single source of truth where legal can access the same incident timeline engineers are working from, communications can see real-time updates on remediation progress, and leadership gets the full picture without endless status meetings.

That's not just good for compliance—it's good incident management.

AI that writes the report for you

We're not quite there yet, but we will be soon. One of the major strengths of AI and LLMs is the ability to take messy, low-structure data and assemble it into a known-good format.

With incident.io, whether you're talking in Microsoft Teams or Slack, or discussing things over Zoom or Google Meet, we're capturing all of the information by default.

And with all of your data and context in one place, extracting the signal to turn that into the first draft of a regulatory report isn't a huge leap. Expect developments here soon!


From compliance burden to competitive advantage

There are two paths organizations can take with the EU AI Act and similar regulations:

  1. The tactical approach: Build just enough process to satisfy regulators, treating each new regulation as a separate compliance burden.
  2. The strategic approach: Use these converging requirements as a catalyst to implement practices that simultaneously satisfy multiple regulations while fundamentally improving how you handle incidents.

The difference is transformative. With structured incident management, regulatory compliance becomes a natural byproduct of good practice, not extra work. The detailed timelines, impact assessments, and remediation documentation required by Article 73 emerge naturally from your response process.

At incident.io, we've built our platform to satisfy multiple regulatory frameworks with a single, effortless approach. Because in a world where incidents are increasingly complex and consequential, good incident management isn't just about compliance—it's essential to your operation.


Chris Evans
Co-Founder & CPO

I'm one of the co-founders and the Chief Product Officer of incident.io.
