New Playbook for EU AI Act Incident Reporting
As the EU AI Act nears full enforcement, a practical guide has been published detailing a 15-day playbook for reporting "serious incidents" involving high-risk AI systems. The guidance outlines steps for internal triage, risk assessment, and timely notification to authorities, providing templates for compliance documentation.
- The EU AI Act is being implemented in phases, with the ban on certain "unacceptable risk" AI practices taking effect on February 2, 2025. Full compliance for most high-risk AI systems will be required by August 2, 2026.
- A "serious incident" is defined as a malfunction or an incident that directly or indirectly leads to death or serious harm to health, a severe disruption of critical infrastructure, a serious infringement of fundamental rights, or significant harm to property or the environment.
- The reporting requirement applies to "high-risk" AI systems, a category that includes AI used in critical infrastructure, education, employment and worker management, credit scoring, and law enforcement.
- Penalties for non-compliance are substantial and can exceed those under GDPR, with fines for using a prohibited AI system reaching up to €35 million or 7% of a company's global annual turnover, whichever is higher.
- Breaches of obligations for high-risk systems, such as the incident reporting requirement, can result in fines of up to €15 million or 3% of global turnover.
- Beyond incident reporting, providers of high-risk AI systems are obligated to establish robust risk management and data governance frameworks, maintain extensive technical documentation, and ensure appropriate human oversight.
- Upon receiving a serious incident report, a national market surveillance authority can take action within seven days, including ordering a product recall or withdrawal from the market.