EU AI Act Serious Incident Reporting 2026: When SaaS Developers Must Notify NCAs
Post #1377 in the sota.io EU AI Compliance Series — EU-AI-ACT-NATIONAL-COMPETENT-AUTHORITIES-2026 #4/5
With 65 days until the EU AI Act's full enforcement deadline on August 2, 2026, most SaaS developers are focused on classification, documentation, and conformity assessments. But there is one obligation that triggers after your system is live — and the window is measured in days, not months.
Article 73 of the EU AI Act requires providers of high-risk AI systems to report serious incidents to the relevant National Competent Authority (NCA) within specific time windows — as little as 2 days for the most severe cases. Miss that window and you are not just non-compliant — you are demonstrating to regulators that you have no monitoring infrastructure in place.
This is Part 4 of our 5-part series on NCAs and EU AI Act enforcement. Part 1 covered who enforces where. Part 2 covered what NCAs test. Part 3 covered how to use regulatory sandboxes. Part 4 covers when and how to file mandatory incident reports.
What Article 73 Actually Says
Article 73(1) of the EU AI Act states:
"Providers of high-risk AI systems placed on the Union market shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred."
The key phrase is serious incident — defined in Article 3(49) as an incident or malfunction that:
- Directly or indirectly leads to the death of a person, or serious damage to a person's health, or serious damage to property or the environment; or
- Leads to a serious and irreversible disruption of the management and operation of critical infrastructure; or
- Causes infringement of obligations under Union law intended to protect fundamental rights.
For SaaS developers, the third category is the sleeper risk. An AI system that makes credit decisions, hiring recommendations, or public service eligibility determinations — and does so in a discriminatory way — can trigger Article 73 obligations even if nobody was physically harmed.
The Tiered Notification Window
Article 73 establishes a tiered reporting timeline based on incident severity. Critically, the deadlines are measured in days, not hours — the 24/72-hour figures familiar from GDPR and NIS2 do not apply here:
| Trigger | NCA Notification Deadline | Basis |
|---|---|---|
| Widespread infringement, or serious and irreversible disruption of critical infrastructure | 2 days from awareness | Art. 73(3) |
| Death of a person | 10 days from awareness | Art. 73(4) |
| All other serious incidents | 15 days from awareness | Art. 73(2) |
The clock starts ticking when you become aware, not when the incident occurred. This means your monitoring infrastructure — how quickly your systems detect anomalous outputs, system failures, or harm signals — directly determines whether you can meet the 2-day window for the most urgent track.
For most SaaS providers, the practical implication is that you need:
- Real-time alerting on output anomalies and system failures
- A documented escalation path from DevOps to Legal/Compliance in under 2 hours
- NCA contact information pre-loaded and ready (see our NCA Country Guide)
- A pre-written incident report template (provided below)
What Qualifies as a "Serious Incident" for SaaS AI
The definition is broad enough to create genuine ambiguity for SaaS providers. Here is how the three harm categories map to typical SaaS AI use cases:
Category 1: Physical Harm
This category is most relevant for AI systems embedded in physical workflows — medical diagnosis support, predictive maintenance, autonomous logistics routing. For pure SaaS, direct physical harm is rare but not impossible:
- A medical record AI that misclassifies a drug interaction and the clinician acts on it
- A predictive safety AI for industrial IoT that fails to flag a hazard
SaaS verdict: Moderate risk if your product touches healthcare, safety systems, or physical infrastructure management.
Category 2: Critical Infrastructure Disruption
EU law defines critical infrastructure sectors broadly — energy, water, transport, banking, financial market infrastructure, health, and digital infrastructure. If your AI system is deployed as an operational component of any of these sectors and malfunctions cause service disruption, you are in Article 73 territory — and on the shortest, 2-day reporting track.
SaaS verdict: High risk for B2B SaaS targeting critical sectors. Even a "support tool" can become an operational dependency if a customer integrates it deeply enough.
Category 3: Fundamental Rights Infringement
This is the category most SaaS developers underestimate. It includes:
- Discrimination in automated decisions (Article 21 EU Charter — non-discrimination)
- Unlawful processing of personal data via AI outputs
- Access denial to public services or benefits due to AI system error
- Freedom of expression violations from AI content moderation
Any AI system used for employment screening, credit scoring, benefits eligibility, public service access, or content moderation can trigger this category. You do not need physical harm. You need a demonstrable infringement of a Charter-listed fundamental right.
SaaS verdict: Very high risk for HR tech, fintech, legaltech, govtech, and content platforms.
The Article 73 Reporting Obligation: Step by Step
Here is the exact process you need to follow from detection to final report:
Step 1: Incident Detection and Internal Classification (T+0 to T+2h)
When your monitoring detects an anomaly or a user reports an incident:
- Log the incident with timestamp, system version, affected user count, and output samples
- Classify against the three harm categories — does this meet the Article 3(49) definition?
- Escalate to legal/compliance if classification is ambiguous
- Determine NCA jurisdiction — which country did the incident affect? Multi-country incidents require notification to each affected NCA
- Determine the window — the 2-day track (widespread/critical infrastructure), the 10-day track (death), or the 15-day track (all other serious incidents)?
Critical mistake to avoid: Waiting for legal confirmation before starting the internal clock. The clock starts when anyone in your organization becomes aware. An alert that reaches a DevOps engineer at 2 AM on a Saturday starts the reporting clock — and on the most urgent track that leaves only 2 days — even if legal does not see it until Monday morning.
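An added worked example (not code from the post or from sota.io) that turns the tiered table and Step 1 above into a small classification and deadline planner: the clock starts at first awareness, the shortest track wins when several triggers apply, the internal T+2h/T+6h checkpoints are derived from the same moment, and every affected country gets its own identical initial notice. The country-to-NCA contact map is assumed to be the provider's own pre-loaded directory; calendar days are assumed, which is why a Saturday 02:00 alert on the 2-day track expires Monday 02:00.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Article 73 tracks as the table above gives them. Assumption: calendar days
# from first internal awareness, so a Saturday 02:00 alert expires Monday 02:00.
TRACKS = {
    "critical_or_widespread": (2, "Art. 73(3)"),
    "death": (10, "Art. 73(4)"),
    "other_serious": (15, "Art. 73(2)"),
}

@dataclass
class Incident:
    aware_at: str               # ISO 8601: when anyone in the organisation became aware
    countries: list             # member states where the incident occurred
    death: bool = False
    critical_infrastructure: bool = False
    widespread_infringement: bool = False
    fundamental_rights: bool = False
    physical_harm: bool = False  # category 1 harm short of death

    def is_serious(self) -> bool:
        return any((self.death, self.critical_infrastructure, self.widespread_infringement,
                    self.fundamental_rights, self.physical_harm))

    def track(self) -> str:
        # When several triggers apply at once, the shortest window governs.
        if self.critical_infrastructure or self.widespread_infringement:
            return "critical_or_widespread"
        if self.death:
            return "death"
        return "other_serious"
    def deadline(self, **offset) -> str:
        return (datetime.fromisoformat(self.aware_at) + timedelta(**offset)).isoformat()

def notification_plan(incident: Incident, nca_directory: dict) -> dict:
    """Step 1 output: track, legal basis, internal SLA checkpoints and one identical
    initial notice per affected NCA (nca_directory is an assumed pre-loaded map)."""
    if not incident.is_serious():
        return {"report": False}
    days, basis = TRACKS[incident.track()]
    return {
        "report": True,
        "track": incident.track(),
        "basis": basis,
        "legal_triage_by": incident.deadline(hours=2),
        "notify_decision_by": incident.deadline(hours=6),
        "nca_deadline": incident.deadline(days=days),
        "notify": {c: nca_directory.get(c, "UNKNOWN: look up in NCA Country Guide")
                   for c in incident.countries},
    }

def filed_in_time(incident: Incident, filed_at: str) -> bool:
    days, _ = TRACKS[incident.track()]
    return datetime.fromisoformat(filed_at) <= datetime.fromisoformat(incident.deadline(days=days))
```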
Step 2: Initial NCA Notification
The initial notification does not need to be a complete investigation. Article 73 allows providers to submit an initial notification that may be incomplete, followed by a complete report once the investigation concludes. Whichever track applies (2, 10, or 15 days), the initial notice must be filed within that window.
The initial notification must include:
- Provider identity and contact information
- AI system identification (name, version, registration number if applicable)
- Date and time of incident detection
- Country and context where incident occurred
- Nature of the harm (which window/category)
- Number of affected users or systems
- Immediate mitigation actions taken
Most NCAs accept email notifications at this stage. Contact addresses for EU member states are listed in our NCA Country Guide.
Step 3: Interim Mitigation Actions (up to T+15d)
Between the initial notification and the full report, you must demonstrate active response:
- Suspend or limit the affected functionality if the incident is ongoing
- Notify affected users in accordance with your data protection obligations (GDPR Article 33/34 if personal data is involved)
- Preserve evidence — logs, model versions, training data snapshots
- Conduct root cause analysis to distinguish between model failure, deployment error, and misuse
The NCA may contact you during this window for interim updates. Respond promptly — ideally within 24 hours — to any NCA inquiry during an active incident.
Step 4: Full Investigation Report
The full report is the document that will determine the NCA's enforcement response. It must include:
| Section | Required Content |
|---|---|
| Incident Summary | Timeline, scope, affected users, geographic footprint |
| Technical Analysis | Root cause, model behaviour logs, version information, training data relevance |
| Harm Assessment | Actual harm documented, potential harm prevented by mitigation |
| Corrective Actions | What was changed, re-tested, and redeployed |
| Post-Market Monitoring Enhancement | How monitoring was improved to prevent recurrence |
| Regulatory History | Prior incidents of the same type, if any |
| Legal Basis Confirmation | Reaffirmation that the system remains compliant after remediation |
The full report is the document NCAs use to decide whether to escalate to formal market surveillance, impose corrective measures, or close the case. A well-documented report that shows genuine root cause analysis and systematic remediation dramatically reduces escalation risk.
Incident Report Template (Article 73 Compliant)
Use this template for your full investigation report:
SERIOUS INCIDENT REPORT — EU AI ACT ARTICLE 73
Provider: [Company name, legal address, EU registration number]
AI System: [Name, version, EU AI Act classification]
Registration Number: [EUDB number if applicable]
Date of Initial NCA Notification: [Date + NCA name]
1. INCIDENT TIMELINE
- First user/system signal: [timestamp]
- Internal detection: [timestamp]
- Initial NCA notification: [timestamp]
- System suspension/limitation: [timestamp, or N/A]
- Affected user count: [number, or estimate]
- Geographic scope: [countries]
2. TECHNICAL ROOT CAUSE
[Description of what failed — model, infrastructure, data, deployment — with evidence]
Model version: [hash or version]
Training data relevant: [Yes/No, and why]
Reproducible: [Yes/No, steps to reproduce]
3. HARM ASSESSMENT
Article 3(49) category: [Category 1/2/3]
Reporting track applied: [2-day / 10-day / 15-day]
Actual harm documented: [description]
Affected users identified: [number and notification status]
Fundamental rights implicated: [EU Charter article, or N/A]
4. CORRECTIVE ACTIONS TAKEN
Immediate: [within the reporting window]
Short-term: [within 15d]
Long-term: [scheduled remediation]
5. POST-MARKET MONITORING ENHANCEMENT
[What was added to detection, alerting, or response procedures]
6. CERTIFICATION
We certify that this system remains in compliance with Regulation (EU) 2024/1689 following the described corrective actions.
[Authorised signatory, date]
Post-Market Monitoring: The Infrastructure Behind Incident Reporting
Article 73 obligations are downstream of Article 72, which requires providers of high-risk AI systems to establish a post-market monitoring system. The system must:
- Continuously collect and analyse data on system performance in real-world conditions
- Identify and report serious incidents within the Article 73 windows
- Document and investigate near-misses — incidents that did not meet the Article 3(49) threshold but indicate potential failure modes
- Feed findings back into the system improvement and retraining cycle
For SaaS providers, this translates to specific technical requirements:
Minimum Infrastructure for Article 72 Compliance
Logging requirements:
- Per-request output logs with model version, input hash, confidence scores, and user context
- Retention: for a period appropriate to the system's purpose, and aligned with the provider's Article 18 documentation-keeping duty (10 years)
- Tamper-evident logging (hash chaining or external log storage)
Alerting thresholds:
- Output confidence drops below defined threshold → alert
- Error rate spike above baseline → alert
- User complaint clustering on specific output patterns → alert
- Downstream system failures correlated with AI outputs → alert
Escalation pipeline:
- DevOps alert → On-call engineer (T+15min)
- On-call engineer → Legal/Compliance triage (T+2h)
- Legal/Compliance → NCA notification decision (T+6h)
- NCA notification → Initial report filed within the Art. 73 window (as little as 2 days)
GDPR coordination:
- Article 73 notification does not replace GDPR Article 33 breach notification if personal data is involved
- You may need to file both — with the data protection authority (DPA) for GDPR and the NCA for EU AI Act
- Timeline interplay: GDPR requires DPA notification within 72 hours; the EU AI Act's most urgent track (widespread infringement or critical-infrastructure disruption) is tighter still at 2 days
- File both in parallel when a serious incident also involves personal data
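An added example (not code from the post or from sota.io) of the two infrastructure items above that are easiest to get wrong: a per-request output log that is tamper-evident through hash chaining, and the confidence and error-rate alert thresholds evaluated over a sliding window of recent requests. The field names, window size and threshold values are assumptions chosen for illustration; the input is stored only as a hash so the log itself holds no raw personal data.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value for the first entry of the chain

def chain_hash(entry: dict) -> str:
    # SHA-256 over canonical JSON of every field except 'hash'; 'prev' is included,
    # so each hash commits to the whole history before it.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DecisionLog:
    WINDOW = 10                 # recent requests evaluated by alerts() (assumed value)
    MIN_CONFIDENCE = 0.7        # alert if mean confidence drops below this (assumed value)
    BASELINE_ERROR_RATE = 0.05  # alert if error rate exceeds 2x this (assumed value)

    def __init__(self, model_version: str):
        self.model_version = model_version
        self.entries = []

    def record(self, ts: str, raw_input: str, output: str,
               confidence: float, error: bool, user_ctx: str) -> dict:
        entry = {
            "ts": ts,
            "model_version": self.model_version,
            # Hash of the input, not the input, so the log holds no raw personal data.
            "input_hash": hashlib.sha256(raw_input.encode()).hexdigest(),
            "output": output,
            "confidence": confidence,
            "error": error,
            "user_ctx": user_ctx,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = chain_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        # -1 if the chain is intact, else the index of the first edited or out-of-order
        # entry (a deleted entry shows up as a broken link at the entry after it).
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or chain_hash(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1

    def alerts(self) -> list:
        # Evaluate the confidence and error-rate thresholds over the last WINDOW requests.
        recent = self.entries[-self.WINDOW:]
        if len(recent) < self.WINDOW:
            return []
        error_rate = sum(e["error"] for e in recent) / len(recent)
        mean_conf = sum(e["confidence"] for e in recent) / len(recent)
        out = []
        if error_rate > 2 * self.BASELINE_ERROR_RATE:
            out.append(f"error rate {error_rate:.2f} above 2x baseline {self.BASELINE_ERROR_RATE}")
        if mean_conf < self.MIN_CONFIDENCE:
            out.append(f"mean confidence {mean_conf:.2f} below {self.MIN_CONFIDENCE}")
        return out
```

Ship the chain head (the latest `hash`) to storage outside the application's own write path at regular intervals; the chain proves order and integrity, and the external copy is what makes a truncation of the whole tail detectable.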
Multi-Country Incident Coordination
If your AI system operates across multiple EU member states and an incident affects users in more than one country, Article 73 requires you to notify each affected NCA individually — the obligation runs to the market surveillance authority of every member state where the incident occurred.
The lead NCA for coordination is typically the authority in the member state where your EU establishment is located. However, all affected NCAs receive the same initial notification.
Practical guidance for multi-country incidents:
- Identify all affected jurisdictions in the first hour after detection
- File identical initial notifications to each relevant NCA simultaneously
- Designate a single point of contact for each NCA to avoid conflicting communications
- Keep investigation reports consistent — NCAs do share information through formal cooperation mechanisms
Enforcement Risk: What Happens If You Miss the Window
NCAs have explicit authority under Article 74 to:
- Require immediate corrective action
- Order suspension of AI system deployment
- Impose penalties for non-notification
Under Article 99, failing to report a serious incident to the NCA can result in fines of up to €15 million or 3% of total annual worldwide turnover (whichever is higher) for providers of high-risk AI systems.
But the penalty for missing the window is often secondary to the reputational and operational consequence of the investigation that follows. An NCA that discovers an unreported incident through market surveillance, user complaints, or media coverage will approach the investigation very differently than one that received a timely, well-documented report.
The single most effective risk reduction strategy is not to avoid incidents — it is to report them correctly and on time.
30-Day Preparation Checklist
With 65 days to full enforcement, these are the highest-priority incident reporting preparation items:
Infrastructure (by June 15):
- Per-request output logging deployed and retained per your Article 18 documentation duty
- Automated alerting for output anomalies and error rate spikes
- Escalation pipeline documented and tested with a tabletop exercise
- NCA contact information for all operating jurisdictions pre-loaded
Documentation (by June 22):
- Incident classification matrix (which events trigger Article 73)
- Initial notification template pre-written and signed off by legal
- Full investigation report template customised for your system
- GDPR/EU AI Act dual-filing procedure documented
Team Readiness (by June 29):
- Legal/compliance on-call rotation established
- Round-the-clock escalation paths tested (including weekends)
- Tabletop incident simulation completed against the 2-day clock
- Response SLA agreed: T+2h for legal triage, T+6h for notification decision
Registration (before August 2):
- High-risk AI system registered in EUDB if Annex III applies
- Registration number included in all post-market monitoring documentation
What NCAs Are Looking For
Based on published NCA guidance from Germany (BNetzA), France (CNIL), and the Netherlands (RDI — Rijksinspectie Digitale Infrastructuur), auditors reviewing post-market monitoring compliance will specifically check:
- Detection latency — how long between an anomalous output occurring and your team knowing about it?
- Classification accuracy — do you correctly identify which incidents trigger Article 73 (false negatives are the concern)?
- Documentation completeness — is the full report a genuine root cause analysis or a summary retelling?
- Recurrence prevention — did the corrective actions actually address the root cause, or did you only fix the symptom?
- Near-miss records — are you documenting sub-threshold incidents? Auditors want to see a culture of proactive risk monitoring, not just reactive compliance.
What Comes Next in This Series
This is Part 4 of our 5-part NCA series:
- ✅ Part 1: NCA Country Guide 2026 — Who Enforces the AI Act in Your Country
- ✅ Part 2: NCA Market Surveillance 2026 — Audit Powers and the 47-Item Developer Checklist
- ✅ Part 3: EU AI Act Regulatory Sandboxes 2026 — How SaaS Startups Get Testing Rights
- ✅ Part 4: Serious Incident Reporting 2026 — Serious-Incident NCA Notification (this post)
- ✅ Part 5: NCA Enforcement Finale 2026 — The Complete SaaS Developer Toolkit
Part 5 consolidates the whole series into a single developer toolkit: the two-layer enforcement model, the country map, market-surveillance powers, the sandbox path, this incident-reporting duty, and one merged NCA-readiness checklist for August 2, 2026.
The Bottom Line
Article 73 incident reporting is not a bureaucratic formality. It is the mechanism that determines whether an isolated system malfunction becomes a regulatory enforcement action, and whether a regulatory inquiry remains contained or expands into a full market surveillance investigation.
The 2-day window for the most serious incidents is real. The €15 million fine cap is real. And the NCA investigations that follow unreported incidents — discovered through other channels — are significantly more extensive than investigations that start with a timely, transparent disclosure.
Your preparation in the next 65 days will determine which side of that divide your organisation sits on after August 2.
This post is Part 4 of a 5-part series on EU AI Act enforcement by National Competent Authorities.