Regulatory tracker — AI incident reporting obligations

v0.1 LIVE — UNDER ACTIVE REVIEW

This tracker summarises in a simplified format who must report what, to whom, by when. Please note this page is a tracker, not legal advice. Items marked ⏳ have deadlines inside the next 12 months.

European Union // the EU AI Act and adjacent instruments

EU-001 ⏳ The EU AI Act — Article 73: Reporting of Serious Incidents

WHO: Providers of high-risk AI systems; deployers have identification/escalation duties.
WHAT: "Serious incidents" per Art. 3(49) — death or serious harm to health, serious and irreversible disruption of critical infrastructure, infringement of fundamental-rights obligations, serious harm to property or environment.
WHEN: ≤15 daysDefault. Report immediately upon establishing a causal link (or reasonable likelihood of such link), no later than 15 days after becoming aware.

≤2 daysWidespread infringement or critical-infrastructure incidents.

≤10 daysIncidents involving death.

Initial incomplete reports allowed, followed by complete report.
INVESTIGATION DUTY: Following reporting, providers shall perform the necessary investigations, including performing a risk assessment of the incident and corrective action. They shall cooperate with the authorities and shall not alter the system in any way that affects later evaluation of causes before informing authorities.
Note: the Act does not currently include guidance on an investigative methodology.
STATUS: Applicable from 2 August 2026. Draft guidance and reporting template published 26 September 2025 (consultation closed 7 November 2025); final guidance expected before applicability.
SOURCE: Regulation (EU) 2024/1689, Art. 73; EC draft guidance via digital-strategy.ec.europa.eu.

EU-002 GPAI Code of Practice (systemic-risk models)

WHO: Signatory providers of general-purpose AI models with systemic risk (obligations under Art. 55 applied from 2 August 2025).
WHAT: Serious-incident reporting to the AI Office, including the chain of events and root-cause analysis of causal factors.
SOURCE: EC, General-Purpose AI Code of Practice (July 2025).

United States // federal voluntary + state binding

Federal

US-F-001 NIST AI Risk Management Framework (AI RMF)

NATURE: Voluntary risk-management framework with no direct reporting mandate. Increasingly used as a reference point in procurement, governance programs, and emerging standards of care.

US-F-002 FDA — AI/ML-enabled medical devices

NATURE: AI/ML-enabled medical devices remain subject to existing medical-device obligations, including adverse-event reporting under the Medical Device Reporting regime, 21 CFR Part 803. FDA guidance on AI/ML software lifecycle management continues to evolve.

Track: incident-reporting provisions in agency-specific rules; federal legislative proposals.

State (selected — verify current status before relying)

US-S-001 ⏳ Colorado AI Act (SB 24-205)

NATURE: Duties for developers/deployers of high-risk AI systems, including disclosure of known algorithmic-discrimination risks to the Attorney General.
EFFECTIVE: 30 June 2026 (delayed from February 2026).

US-S-002 Texas (TRAIGA)

NATURE: Responsible AI governance act.
EFFECTIVE: 1 January 2026.

Track: California enacted-law cluster including frontier-model transparency (SB 53); NY; Illinois; Utah disclosure laws.

International / other // voluntary, multilateral, and adjacent regimes

INTL-001 OECD — common reporting framework

NATURE: Common reporting framework (AI Papers No. 34, 2025; 29 criteria) and the AI Incidents Monitor (AIM). Voluntary benchmark; explicitly the interoperability layer that other regimes align to.

INTL-002 G7 Hiroshima AI Process

NATURE: Reporting framework launched February 2025; voluntary transparency reporting for advanced AI developers.

Track: UK, Canada (AIDA successor efforts), China algorithm/incident filing rules, sectoral financial regulators.

How to use this page in an investigation

PRACTITIONER CHECKLIST

Identify every jurisdiction the incident touches (deployment location, affected persons, provider establishment).
Map the incident against each definition above — "serious incident" thresholds differ.
Diary the deadlines from the moment of awareness/causal-link establishment, not from harm.
Preserve evidence before corrective action wherever Art. 73-style non-alteration duties apply.
Record the reporting decision (report / no report / why) — that decision is itself reviewable later.

Corrections with sources are the most valuable contribution: open an issue or write in confidence. Markdown source: on GitHub.