EU AI Act Sets 15-Day Incident Reporting Window

- Non-compliance with the EU AI Act's provisions can lead to significant fines, with the most severe violations, such as using prohibited AI practices, drawing penalties of up to €35 million or 7% of a company's global annual turnover, whichever is higher. - The obligations for providers of high-risk AI systems, including the incident reporting requirement, are scheduled to become fully applicable on August 2, 2026, as part of the Act's staggered implementation timeline. - High-risk AI systems are defined by their intended use and are listed in annexes to the Act; categories include AI used in critical infrastructure, educational and vocational training, employment, and access to essential public and private services. - While the standard reporting deadline is 15 days, the timeline is accelerated for more severe events; incidents resulting in a death must be reported within 10 days, and widespread infringements or disruptions to critical infrastructure require reporting within just two days. - Beyond the EU, efforts to standardize AI incident reporting are underway at the international level; ISO/IEC is developing a common reporting framework (ISO/IEC 25870) to ensure consistent data collection and sharing across different countries. - The AI Act has prompted varied international responses, with China developing its own AI safety framework and putting forward proposals for global AI governance. - Enforcement of the AI Act is decentralized, with each EU member state responsible for designating national authorities to oversee the implementation of the rules and to issue penalties for infringements. - Similar to the GDPR, the EU AI Act has an extraterritorial reach, applying to any AI system that is placed on the market, put into service, or used within the European Union, regardless of where the provider is based.