# Regulatory tracker — AI incident reporting obligations Who must report what, to whom, by when. **Primary sources only; verify before relying — this page is a tracker, not legal advice.** *Last reviewed: June 2026 · Items marked ⏳ have deadlines inside the next 12 months.* ## European Union ### EU AI Act — Article 73 (serious incidents, high-risk AI systems) ⏳ - **Who:** Providers of high-risk AI systems; deployers have identification/escalation duties. - **What:** "Serious incidents" per Art. 3(49) — death or serious harm to health, serious and irreversible disruption of critical infrastructure, infringement of fundamental-rights obligations, serious harm to property or environment. - **When:** Report immediately upon establishing a (likely) causal link, and no later than **15 days**; **≤2 days** for widespread infringement or critical-infrastructure incidents; **≤10 days** in case of death. Initial incomplete reports allowed, followed by complete report. - **Investigation duty:** Providers must investigate, perform a risk assessment and corrective action — and must **not** alter the system in a way that affects later evaluation of causes before informing authorities. *Note: the Act mandates investigation; neither it nor the guidance specifies methodology.* - **Status:** Applicable from **2 August 2026**. Draft guidance + reporting template published 26 September 2025 (consultation closed 7 November 2025); final guidance expected before applicability. - **Source:** Regulation (EU) 2024/1689, Art. 73; EC draft guidance via digital-strategy.ec.europa.eu. ### GPAI Code of Practice (systemic-risk models) - **Who:** Signatory providers of general-purpose AI models with systemic risk (obligations under Art. 55 applied from 2 August 2025). - **What:** Serious-incident reporting to the AI Office, including the chain of events and root-cause analysis of causal factors. *Again: required, not specified how.* - **Source:** EC, General-Purpose AI Code of Practice (July 2025). ## United States ### Federal - **NIST AI RMF** — voluntary risk-management framework; no reporting mandate, but increasingly referenced in procurement and de-facto standards of care. - **FDA (AI/ML-enabled medical devices)** — existing medical-device adverse-event reporting (MDR, 21 CFR 803) applies to AI-enabled devices; AI/ML lifecycle guidance evolving. Sectoral reporting therefore already live in healthcare. - *(Track: incident-reporting provisions in agency-specific rules; federal legislative proposals.)* ### State (selected — verify current status before relying) - **Colorado AI Act (SB 24-205)** — duties for developers/deployers of high-risk AI systems incl. disclosure of known algorithmic-discrimination risks to the AG; effective **30 June 2026** (delayed from February 2026). - **Texas (TRAIGA)** — responsible AI governance act, effective **1 January 2026**. - *(Track: California enacted-law cluster incl. frontier-model transparency (SB 53); NY; Illinois; Utah disclosure laws.)* ## International / other - **OECD** — common reporting framework (AI Papers No. 34, 2025; 29 criteria) and the AI Incidents Monitor (AIM). Voluntary benchmark; explicitly the interoperability layer other regimes align to. - **G7 Hiroshima AI Process** — reporting framework launched February 2025; voluntary transparency reporting for advanced AI developers. - *(Track: UK, Canada (AIDA successor efforts), China algorithm/incident filing rules, sectoral financial regulators.)* ## How to use this page in an investigation 1. Identify every jurisdiction the incident touches (deployment location, affected persons, provider establishment). 2. Map the incident against each definition above — "serious incident" thresholds differ. 3. Diary the deadlines **from the moment of awareness/causal-link establishment**, not from harm. 4. Preserve evidence before corrective action wherever Art. 73-style non-alteration duties apply. 5. Record the reporting decision (report / no report / why) — that decision is itself reviewable later.