ProcedureReady to Usev2.0

Incident Management Procedure

Procedure for managing and reporting serious incidents per Article 73 including detection, investigation, notification to authorities, and corrective actions.

40 min

Read Time

Intermediate

Level

Owner:Incident Response Manager

Effective:2025-08-01

Standard:STD-AI-013

Category:Operations

Topics:Serious incidentsArticle 73 reportingStatutory reporting deadlinesRoot cause analysisCorrective actions

PROC-AI-INC-001

AI Incident Management Procedure

STD-AI-013: Incident Management Standard

Draft

Controls Covered

INC-001INC-002INC-003INC-004INC-005

Effective Date

[To be filled]

Next Review

[To be filled]

EU AI Act

Article 73 (Reporting of Serious Incidents)

Purpose & Scope

Purpose

This procedure establishes the step-by-step process for detecting, classifying, responding to, investigating, and reporting incidents related to high-risk AI systems in compliance with EU AI Act Article 73. The procedure ensures serious incidents are identified promptly, reported to competent authorities within required timelines, and properly investigated to prevent recurrence and improve AI system safety.

Applies To

All high-risk AI systems classified per AI System Classification Standard (STD-AI-001)
All AI systems that could cause serious incidents as defined in Article 3(49)
Providers and deployers of high-risk AI systems
All incidents and malfunctions affecting AI systems
Serious incidents requiring regulatory reporting per Article 73

Does Not Apply To

Minimal-risk AI systems (unless incident causes serious harm)
Limited-risk AI systems (unless incident causes serious harm)
Third-party AI system incidents (covered by vendor escalation in AI Vendor Management Procedure (PROC-AI-VENDOR-001))

AI INCIDENT MANAGEMENT SYSTEM FRAMEWORK

INCIDENT DETECTION & CLASSIFICATION

Continuous Monitoring

Incident Detection Mechanisms

Serious Incident Classification

Incident Register Maintenance

IMMEDIATE RESPONSE & NOTIFICATION

Incident Response Activation

Immediate Containment Actions

Stakeholder Notification

Authority Initial Notification (if serious)

INVESTIGATION & ROOT CAUSE ANALYSIS

Incident Investigation Process

Root Cause Analysis Methods

Evidence Collection & Preservation

Impact Assessment

REGULATORY REPORTING

Serious Incident Report Preparation

Authority Submission (15-day deadline)

Follow-Up Reporting

Documentation & Record Retention

CORRECTIVE ACTIONS & CONTINUOUS IMPROVEMENT

Corrective Action Planning

Preventive Measures Implementation

Lessons Learned Process

Incident Management Process Improvement

Procedure Steps

Roles Defined

Post-Market Monitoring Procedure

AI Literacy & Training Procedure