STD-AI-013

AI Incident Management Standard

Report serious incidents and malfunctions to competent authorities.


AI Incident Management Standard

Document Type: Standard
Standard ID: STD-AI-013
Standard Title: AI Incident Management Standard
Version: 1.0
Effective Date: 2025-08-01
Next Review Date: 2026-08-01
Review Frequency: Annually or upon regulatory change
Parent Policy: POL-AI-001 - Artificial Intelligence Policy
Owner: AI Risk Manager
Approved By: AI Governance Committee Chair
Status: Draft
Classification: Internal Use Only


TABLE OF CONTENTS

  Document History
  1. Objective
  2. Scope and Applicability
  3. Control Standard
  4. Supporting Procedures
  5. Compliance
  6. Roles and Responsibilities
  7. Exceptions
  8. Enforcement
  9. Key Performance Indicators (KPIs)
  10. Training Requirements
  11. Definitions
  12. Link with AI Act and ISO42001

DOCUMENT HISTORY

Version | Date | Author | Changes | Approval Date | Approved By
0.1 | 2025-07-18 | AI Risk Manager | Initial draft | - | -
0.2 | 2025-08-01 | AI Risk Manager | Added Article 73 details | - | -
0.3 | 2025-08-01 | AI Risk Manager | Incorporated stakeholder feedback | - | -
1.0 | 2025-08-01 | AI Risk Manager | Final version approved - GRC restructured | 2025-07-25 | Jane Doe, AI Governance Committee Chair

OBJECTIVE

This standard defines requirements for reporting serious incidents and malfunctions to competent authorities in compliance with EU AI Act Article 73.

Primary Goals:

  • Detect and classify incidents per Article 73
  • Report serious incidents to the market surveillance authority of the Member State where the incident occurred within the applicable Article 73 deadline: immediately once a causal link (or its reasonable likelihood) is established and in any event not later than 15 days after becoming aware for general serious incidents (Art. 73(2)); not later than 10 days for the death of a person (Art. 73(4)); not later than 2 days for a widespread infringement or a serious and irreversible disruption of critical infrastructure (Art. 73(3))
  • Follow up on incidents and implement improvements

SCOPE AND APPLICABILITY

2.1 Mandatory Applicability

This standard is mandatory for:

  • All high-risk AI systems (EU AI Act Article 73)
  • All serious incidents and malfunctions
  • All incidents affecting health, safety, or fundamental rights

2.2 Incident Management Requirements Covered

  • Incident detection and classification
  • Serious incident reporting
  • Incident investigation
  • Corrective actions
  • Lessons learned

2.3 Out of Scope

  • Non-serious incidents (handled by standard incident management)
  • Incidents outside EU AI Act scope

CONTROL STANDARD

Control INC-001: Incident Detection and Classification

Control ID: INC-001
Control Name: Incident Detection and Serious Incident Classification
Control Type: Detective
Control Frequency: Continuous
Risk Level: High

Control Objective

Detect incidents and classify them as serious or not per Article 73(1) to ensure serious incidents are identified promptly and reported to authorities.

Control Requirements

CR-001.1: Incident Detection

Implement comprehensive incident detection mechanisms.

Detection Methods:

Method | Description | Implementation | Frequency
Automated Monitoring | Automated monitoring and alerting | Monitoring systems | Real-time
User Reports | Reports from users | User support system | As needed
Deployer Reports | Reports from deployers | Deployer communication | As needed
Internal Testing | Issues found in testing | Testing processes | Continuous
Post-Market Monitoring | Issues from PMM | PMM system (STD-AI-012) | Continuous

Mandatory Actions:

  • Implement detection mechanisms
  • Monitor continuously
  • Triage incidents
  • Escalate serious incidents immediately
  • Document all incidents

CR-001.2: Serious Incident Classification

Classify incidents as serious or not per Article 73(1).

Serious Incident Definition (Article 3(49), reporting obligation Article 73(1)):

Incident or malfunctioning that directly or indirectly leads to:

Criterion | Description | Examples | Classification
Death (Art. 3(49)(a)) | Death of a person | Fatal accident | Serious
Serious Health Harm (Art. 3(49)(a)) | Serious harm to the health of a person | Severe injury, hospitalization | Serious
Critical Infrastructure Disruption (Art. 3(49)(b)) | Serious and irreversible disruption of the management or operation of critical infrastructure | System failure affecting critical services | Serious
Fundamental Rights Infringement (Art. 3(49)(c)) | Infringement of obligations under Union law intended to protect fundamental rights | Discrimination, privacy violation | Serious
Property/Environment Harm (Art. 3(49)(d)) | Serious harm to property or the environment | Environmental damage, significant property destruction | Serious

An incident meeting any one criterion is serious; an incident meeting several is classified under every criterion it meets, because the reporting deadline depends on which criteria apply (see Control INC-004).

Mandatory Actions:

  • Assess incident severity
  • Classify as serious or not
  • Document assessment
  • Escalate serious incidents immediately
  • Notify stakeholders

Evidence Required:

  • Incident detection logs
  • Severity assessments
  • Classification records
  • Escalation records
  • Notification records

Audit Verification:

  • Verify incident detection implemented
  • Confirm incidents classified
  • Check serious incidents escalated
  • Validate assessments documented

Control INC-002: Immediate Incident Response

Control ID: INC-002
Control Name: Immediate Incident Response and Notification
Control Type: Corrective
Control Frequency: As needed, within 24 hours
Risk Level: Critical

Control Objective

Respond immediately to serious incidents and notify stakeholders per Article 73 to ensure rapid response and proper escalation.

Control Requirements

CR-002.1: Immediate Response Actions

Take immediate actions upon serious incident detection.

Immediate Actions (Day 0-1):

Action | Description | Timeline | Owner
Incident Assessment | Assess if incident is serious | < 1 hour | AI Risk Manager
Legal Notification | Notify Legal immediately | < 1 hour | AI Risk Manager
Stakeholder Notification | Notify key stakeholders | < 2 hours | AI Risk Manager
Incident Response Initiation | Initiate incident response | < 2 hours | Incident Response Team
Incident Containment | Contain incident impact | < 4 hours | Incident Response Team

Containment must preserve evidence. Article 73(6) prohibits any investigative action that alters the AI system in a way that may affect the subsequent evaluation of the incident's causes before the competent authorities have been informed of that action. Before changing anything, capture the deployed model version, configuration, relevant logs and the inputs involved, and record the capture in the incident file.

Stakeholder Notification:

Stakeholder | Notification Method | Timeline | Information Provided
AI System Owner | Phone, email | < 1 hour | Incident summary, severity
AI Governance Committee | Phone, email | < 1 hour | Incident summary, severity
Legal | Phone, email | < 1 hour | Incident summary, legal implications
Executive Management | Phone, email | < 2 hours | Incident summary, business impact
Product Director | Email | < 2 hours | Incident summary, product impact

Mandatory Actions:

  • Assess severity immediately
  • Notify stakeholders per timeline
  • Initiate incident response
  • Contain incident
  • Document all actions

Evidence Required:

  • Incident assessment
  • Notification records
  • Response initiation records
  • Containment records
  • Action logs

Audit Verification:

  • Verify immediate response taken
  • Confirm stakeholders notified per timeline
  • Check incident response initiated
  • Validate incident contained

Control INC-003: Incident Investigation and Report Preparation

Control ID: INC-003
Control Name: Serious Incident Investigation and Report Preparation
Control Type: Corrective
Control Frequency: Per serious incident, within 10 days
Risk Level: High

Control Objective

Investigate serious incidents and prepare the serious incident report required by Article 73 to provide complete information to competent authorities. Where the applicable deadline (2 days under Article 73(3), 10 days under Article 73(4)) falls before the investigation can be completed, an initial report that is incomplete is submitted within the deadline and followed by a complete report (Article 73(5)); the investigation timeline below never extends a statutory deadline.

Control Requirements

CR-003.1: Incident Investigation

Conduct comprehensive investigation of serious incident.

Investigation Requirements (Day 1-10):

Requirement | Description | Timeline | Owner
Investigation Initiation | Initiate investigation | Day 1 | AI Risk Manager
Information Gathering | Gather all relevant information | Day 1-7 | Investigation Team
Root Cause Analysis | Analyze root causes | Day 3-8 | Investigation Team
Impact Assessment | Assess impact | Day 5-9 | Investigation Team
Findings Documentation | Document findings | Day 7-10 | Investigation Team

Information to Gather:

Information Type | Description | Source | Required
Incident Details | What happened, when, where | Incident logs, witnesses | YES
AI System Details | System identification, version | Technical documentation | YES
Persons Affected | Who was affected, how many | Incident reports, user data | YES
Root Causes | Why it happened | Root cause analysis | YES
Impact | What was the impact | Impact assessment | YES
Corrective Measures | What was done | Response records | YES

Mandatory Actions:

  • Conduct investigation
  • Gather all relevant information
  • Conduct root cause analysis
  • Assess impact
  • Document findings
  • Prepare investigation report

CR-003.2: Serious Incident Report Preparation

Prepare serious incident report per Article 73(2).

Report Contents (for the Article 73 serious incident report):

Section | Content | Required | Source
Incident Identification | Unique identifier, reference number | YES | Incident system
AI System Details | Name, type, version, registration number | YES | Technical documentation
Date and Time | When incident occurred | YES | Incident logs
Description | Description of incident | YES | Investigation report
Nature and Cause | Nature and cause of incident | YES | Root cause analysis
Persons Affected | Number and details of persons affected | YES | Impact assessment
Corrective Measures | Corrective measures taken | YES | Response records
Preventive Measures | Preventive measures planned | YES | Action plan

Mandatory Actions:

  • Prepare serious incident report
  • Include all required information
  • Obtain legal review
  • Obtain executive approval
  • Finalize report

Evidence Required:

  • Investigation report
  • Root cause analysis
  • Impact assessment
  • Serious incident report (RPT-AI-INC-XXX)
  • Legal review records
  • Approval records

Audit Verification:

  • Verify investigation conducted
  • Confirm all information gathered
  • Check report prepared with all required elements
  • Validate legal review and approval obtained

Control INC-004: Regulatory Reporting

Control ID: INC-004
Control Name: Serious Incident Regulatory Reporting
Control Type: Corrective
Control Frequency: Per serious incident, within 2, 10, or 15 days depending on incident type
Risk Level: Critical

Control Objective

Submit serious incident report to the market surveillance authority of the Member State where the incident occurred (Article 73(1)) within the applicable statutory deadline per Article 73 to comply with regulatory reporting obligations.

Incident Reporting Timelines (Article 73):

Incident Type | Deadline | Article
General serious incidents | Immediately after a causal link (or its reasonable likelihood) is established, and not later than 15 days after becoming aware | Art. 73(2)
Widespread infringement or critical infrastructure disruption (Art. 3(49)(b)) | Immediately, and not later than 2 days after becoming aware | Art. 73(3)
Death of a person | Immediately after a causal link is established or suspected, and not later than 10 days after becoming aware | Art. 73(4)

Where an incident meets more than one trigger, the shortest period applies: the 2-day and 10-day periods are each stated "notwithstanding" the general 15-day period. If the complete report cannot be ready in time, an initial incomplete report is submitted within the deadline and followed by a complete report (Art. 73(5)).

Control Requirements

CR-004.1: Regulatory Submission

Submit serious incident report to competent authority.

Submission Requirements (apply applicable deadline: 2, 10, or 15 days):

Requirement | Description | Timeline | Owner
Determine Applicable Deadline | Identify which timeline applies (2, 10, or 15 days) based on incident type | Immediate | AI Risk Manager
Report Finalization | Finalize report | Per applicable deadline | AI Risk Manager
Submission Preparation | Prepare for submission | Per applicable deadline | AI Risk Manager
Regulatory Submission | Submit to market surveillance authority (Art. 73(1)) | Per applicable deadline | Legal
Confirmation | Obtain confirmation of receipt | Per applicable deadline | Legal
Follow-Up | Respond to follow-up questions | As needed | Legal + AI Risk Manager

Submission Process:

Step | Description | Owner | Timeline
Identify Market Surveillance Authority | Identify the market surveillance authority of the Member State where the incident occurred (Art. 73(1)). Do not submit to a notifying authority or other competent authority type. | Legal | Immediate
Determine Deadline | Determine applicable reporting deadline: 2 days (Art. 73(3), widespread infringement or critical infrastructure); 10 days (Art. 73(4), death); 15 days (Art. 73(2), general) | Legal + AI Risk Manager | Immediate
Access Reporting Channel | Access official reporting channel | Legal | Per applicable deadline
Submit Report | Submit complete report | Legal | Per applicable deadline
Obtain Confirmation | Obtain confirmation of receipt | Legal | Per applicable deadline
Track Submission | Track submission status | Legal | Ongoing
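The classification rule of CR-001.2 and the deadline determination of CR-004.1 are easy to get wrong when an incident meets several Article 3(49) criteria at once. The following Python is an added illustration, not part of this standard or of any aicomply. tooling: it encodes the Article 73(2)-(4) periods, takes the shortest one when several triggers apply, derives the due date from the date of becoming aware, and computes KPI-INC-001 over a register. The Harm and Incident names, the incident identifiers, the dates and the AS_OF date are all constructed for the example.

```python
"""Art. 73 deadline triage for serious-incident reports (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Iterable, Optional, Set, Tuple


class Harm(Enum):
    """Outcomes that make an incident 'serious' under Art. 3(49)."""
    DEATH = "death"                              # Art. 3(49)(a)
    SERIOUS_HEALTH_HARM = "serious_health_harm"  # Art. 3(49)(a)
    CRITICAL_INFRASTRUCTURE = "critical_infra"   # Art. 3(49)(b)
    FUNDAMENTAL_RIGHTS = "fundamental_rights"    # Art. 3(49)(c)
    PROPERTY_OR_ENVIRONMENT = "property_env"     # Art. 3(49)(d)


@dataclass
class Incident:
    incident_id: str                          # constructed identifier
    aware_on: date                            # day provider/deployer became aware
    harms: Set[Harm] = field(default_factory=set)
    widespread_infringement: bool = False     # separate Art. 73(3) trigger
    submitted_on: Optional[date] = None       # date the report reached the MSA


def is_serious(inc: Incident) -> bool:
    """CR-001.2: serious if any Art. 3(49) harm applies, directly or indirectly."""
    return bool(inc.harms)


def reporting_deadline(inc: Incident) -> Optional[Tuple[int, str]]:
    """Return (max days after awareness, legal basis), or None if no Art. 73
    obligation applies. The 2-day and 10-day periods are each stated
    'notwithstanding' the 15-day period, so the shortest applicable wins."""
    if not is_serious(inc) and not inc.widespread_infringement:
        return None
    if inc.widespread_infringement or Harm.CRITICAL_INFRASTRUCTURE in inc.harms:
        return 2, "Art. 73(3)"
    if Harm.DEATH in inc.harms:
        return 10, "Art. 73(4)"
    return 15, "Art. 73(2)"


def due_date(inc: Incident) -> Optional[date]:
    deadline = reporting_deadline(inc)
    return None if deadline is None else inc.aware_on + timedelta(days=deadline[0])


def reporting_status(inc: Incident, today: date) -> str:
    """One of: not_reportable, pending, overdue, on_time, late."""
    due = due_date(inc)
    if due is None:
        return "not_reportable"
    if inc.submitted_on is None:
        return "pending" if today <= due else "overdue"
    return "on_time" if inc.submitted_on <= due else "late"


def timeliness_kpi(incidents: Iterable[Incident], today: date) -> Optional[float]:
    """KPI-INC-001: % of reportable incidents filed on or before the deadline.
    Open incidents that are not yet overdue are excluded; an unfiled report
    that has passed its deadline counts as a miss."""
    statuses = [reporting_status(i, today) for i in incidents]
    counted = [s for s in statuses if s in ("on_time", "late", "overdue")]
    if not counted:
        return None
    return 100.0 * counted.count("on_time") / len(counted)


# Constructed sample register; these are not real incidents.
SAMPLE = [
    Incident("INC-A", date(2025, 9, 1), {Harm.SERIOUS_HEALTH_HARM},
             submitted_on=date(2025, 9, 12)),              # 15-day, on time
    Incident("INC-B", date(2025, 9, 1), {Harm.DEATH, Harm.CRITICAL_INFRASTRUCTURE},
             submitted_on=date(2025, 9, 3)),               # 2-day wins over 10-day
    Incident("INC-C", date(2025, 9, 1), {Harm.DEATH},
             submitted_on=date(2025, 9, 15)),              # 10-day, filed late
    Incident("INC-D", date(2025, 9, 20), {Harm.FUNDAMENTAL_RIGHTS}),  # still pending
    Incident("INC-E", date(2025, 9, 1)),                   # not serious: out of scope
]
AS_OF = date(2025, 9, 25)  # constructed "today" for the sample

if __name__ == "__main__":
    for inc in SAMPLE:
        print(inc.incident_id, reporting_deadline(inc), due_date(inc),
              reporting_status(inc, AS_OF))
    print("KPI-INC-001:", timeliness_kpi(SAMPLE, AS_OF))
```

The register is deliberately simplified: a real implementation would key the "becoming aware" date for death incidents to the earlier of establishing or suspecting a causal link, and would record which market surveillance authority received the report, since a timely report to the wrong authority does not discharge Art. 73(1).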

Mandatory Actions:

  • Submit to competent authority
  • Use official reporting channel
  • Provide all required information
  • Obtain confirmation of receipt
  • Respond to follow-up questions
  • Document submission

Evidence Required:

  • Submission records
  • Confirmation receipts
  • Authority correspondence
  • Follow-up responses

Audit Verification:

  • Verify report submitted within applicable statutory deadline (2, 10, or 15 days depending on incident type)
  • Confirm report submitted to market surveillance authority of the Member State where incident occurred (Art. 73(1))
  • Confirm official channel used
  • Check all required information provided
  • Validate confirmation obtained
  • Verify follow-up questions responded to

Control INC-005: Incident Follow-Up and Corrective Actions

Control ID: INC-005
Control Name: Incident Follow-Up and Corrective Actions
Control Type: Corrective
Control Frequency: Per incident, ongoing
Risk Level: Medium

Control Objective

Follow up on incidents and implement corrective actions to prevent recurrence and improve AI system safety.

Control Requirements

CR-005.1: Corrective Actions

Implement corrective actions based on incident investigation.

Corrective Action Requirements:

Requirement | Description | Timeline | Owner
Action Planning | Plan corrective actions | Day 10-20 | AI System Owner
Action Implementation | Implement corrective actions | Day 20-50 | AI System Owner
Effectiveness Verification | Verify action effectiveness | Day 50-60 | Quality Director
Documentation Update | Update documentation | Day 60-70 | AI System Owner
Stakeholder Communication | Communicate to stakeholders | Ongoing | AI Risk Manager

Corrective Action Types:

Action Type | Description | When to Use | Example
Immediate Fix | Fix immediate issue | Urgent issues | Bug fix, configuration change
System Update | Update AI system | System issues | Model update, architecture change
Process Improvement | Improve processes | Process issues | Process redesign
Training | Provide training | Human error | Staff training
Monitoring Enhancement | Enhance monitoring | Detection issues | Monitoring improvements

Mandatory Actions:

  • Plan corrective actions
  • Implement actions
  • Verify effectiveness
  • Update documentation
  • Communicate to stakeholders
  • Track to closure

CR-005.2: Lessons Learned

Document and share lessons learned from incidents.

Lessons Learned Process:

Step | Description | Timeline | Owner
Lessons Learned Session | Conduct lessons learned session | Day 30-40 | AI Risk Manager
Documentation | Document lessons learned | Day 40-45 | AI Risk Manager
Sharing | Share with organization | Day 45-50 | AI Risk Manager
Process Updates | Update processes | Day 50-60 | Process Owners
Prevention | Implement preventive measures | Ongoing | AI System Owner

Mandatory Actions:

  • Conduct lessons learned session
  • Document findings
  • Share learnings
  • Update procedures
  • Implement preventive measures

Evidence Required:

  • Corrective action plans
  • Implementation records
  • Verification results
  • Documentation updates
  • Lessons learned reports
  • Process updates
  • Communication records

Audit Verification:

  • Verify corrective actions planned
  • Confirm actions implemented
  • Check effectiveness verified
  • Validate documentation updated
  • Verify lessons learned documented and shared

SUPPORTING PROCEDURES

This standard is implemented through the following detailed procedures:

Procedure PROC-AI-INC-001: Incident Detection and Classification Procedure

Purpose: Define step-by-step process for detecting and classifying incidents
Owner: AI Risk Manager
Implements: Control INC-001

Procedure Steps:

  1. Monitor for incidents
  2. Detect incidents
  3. Assess severity
  4. Classify as serious or not
  5. Escalate serious incidents
  6. Document incidents

Outputs:

  • Incident detection logs
  • Severity assessments
  • Classification records

Procedure PROC-AI-INC-002: Serious Incident Reporting Procedure

Purpose: Define process for reporting serious incidents per Article 73
Owner: AI Risk Manager
Implements: Controls INC-002, INC-003, INC-004

Procedure Steps:

  1. Immediate response - Control INC-002
  2. Incident investigation - Control INC-003
  3. Report preparation - Control INC-003
  4. Regulatory submission - Control INC-004
  5. Follow-up

Outputs:

  • Incident response records
  • Investigation reports
  • Serious incident reports
  • Submission records

Procedure PROC-AI-INC-003: Incident Investigation Procedure

Purpose: Define process for investigating incidents
Owner: AI Risk Manager
Implements: Control INC-003

Procedure Steps:

  1. Initiate investigation
  2. Gather information
  3. Conduct root cause analysis
  4. Assess impact
  5. Document findings
  6. Prepare report

Outputs:

  • Investigation reports
  • Root cause analysis
  • Impact assessments

COMPLIANCE

5.1 Compliance Monitoring

Monitoring Approach: Continuous automated monitoring supplemented by monthly manual reviews and quarterly comprehensive audits.

Compliance Metrics:

Metric | Target | Measurement Method | Frequency | Owner
Serious Incident Reporting Timeliness | 100% within applicable deadline (2, 10, or 15 days by incident type) | % of incidents reported within applicable statutory deadline | Per incident | AI Risk Manager
Incident Detection Time | < 1 hour | Average time to detect incidents | Per incident | AI Risk Manager
Investigation Completion | < 10 days | Average days to complete investigation | Per incident | AI Risk Manager
Corrective Action Closure | < 30 days | Average days to close actions | Per action | AI Risk Manager
Lessons Learned Documentation | 100% | % of incidents with lessons learned | Per incident | AI Risk Manager

Monitoring Tools:

  • Incident Management Dashboard
  • Compliance Reports
  • Monthly compliance reports
  • Quarterly AI Governance Committee reviews

5.2 Internal Audit Requirements

Audit Frequency: Annually (minimum)

Audit Scope:

  • Incident detection effectiveness
  • Incident classification accuracy
  • Reporting timeliness
  • Investigation quality
  • Corrective action effectiveness
  • Controls effectiveness (INC-001 through INC-005)

Audit Activities:

  • Review 100% of serious incidents for reporting
  • Sample 20% of incidents for quality review
  • Test incident detection process
  • Review investigation reports
  • Review corrective actions
  • Interview key personnel

Audit Outputs:

  • Annual Incident Management Audit Report
  • Findings and recommendations
  • Corrective action plans for deficiencies

5.3 External Audit / Regulatory Inspection

Preparation:

  • Maintain audit-ready incident documentation at all times
  • Designate AI Risk Manager and Legal as regulatory liaisons
  • Prepare standard response procedures for authority requests

Provide to Auditors/Regulators:

  • Incident reports
  • Investigation reports
  • Corrective action records
  • Lessons learned reports
  • Internal audit reports
  • Evidence of controls execution

Authority Request Response:

  • Acknowledge request within 1 business day
  • Provide requested documentation within 5 business days
  • Coordinate through Legal and AI Risk Manager
  • Document all interactions with authorities

ROLES AND RESPONSIBILITIES

6.1 RACI Matrix

Activity | AI Risk Manager | AI System Owner | Legal | Incident Response Team | Quality Director
Incident Detection | R/A | C | I | R | I
Incident Classification | R | C | C | C | I
Immediate Response | R | A | C | R | I
Investigation | R | A | C | R | C
Report Preparation | R | A | R | C | I
Regulatory Submission | R | I | R/A | I | I
Corrective Actions | R | A | I | C | R
Lessons Learned | R | C | I | C | I

RACI Legend:

  • R = Responsible (does the work)
  • A = Accountable (ultimately answerable)
  • C = Consulted (provides input)
  • I = Informed (kept up-to-date)

6.2 Role Descriptions

AI Risk Manager

  • Primary Responsibility: Owns incident management framework, ensures compliance
  • Key Activities:
    • Manages incident detection
    • Coordinates incident response
    • Ensures regulatory reporting
    • Reports to management
  • Required Competencies: EU AI Act Article 73, incident management, regulatory reporting

AI System Owner

  • Primary Responsibility: Accountable for incidents of their AI system
  • Key Activities:
    • Supports incident response
    • Implements corrective actions
    • Updates documentation
  • Required Competencies: AI system knowledge, incident awareness

Legal

  • Primary Responsibility: Ensures legal compliance in reporting
  • Key Activities:
    • Reviews incident reports
    • Submits to authorities
    • Responds to authority questions
  • Required Competencies: EU AI Act Article 73, regulatory reporting

Incident Response Team

  • Primary Responsibility: Responds to incidents
  • Key Activities:
    • Detects incidents
    • Responds to incidents
    • Investigates incidents
  • Required Competencies: Incident response, investigation

Quality Director

  • Primary Responsibility: Supports corrective actions
  • Key Activities:
    • Verifies corrective actions
    • Supports CAPA process
  • Required Competencies: Quality management, CAPA

EXCEPTIONS

7.1 Exception Philosophy

Serious incident reporting is a mandatory regulatory requirement for high-risk AI systems. Exceptions are granted restrictively and only where compensating controls adequately mitigate risks.


7.2 Allowed Exceptions

The following exceptions may be granted with proper justification and approval:

Exception Type | Justification Required | Maximum Duration | Approval Authority | Compensating Controls
Extended Investigation Timeline | Complex incident requiring extended investigation | 5 days | AI Risk Manager + Legal | Interim report; Accelerated plan

An extended investigation timeline never extends the statutory reporting deadline. The interim (initial, incomplete) report must still reach the market surveillance authority within the applicable 2-, 10- or 15-day period, and the complete report follows as soon as the investigation closes (Art. 73(5)).

7.3 Prohibited Exceptions

The following exceptions cannot be granted under any circumstances:

  ❌ Skipping serious incident reporting - Mandatory per Article 73, no exceptions
  ❌ Reporting beyond the applicable statutory deadline (2, 10, or 15 days depending on incident type) - Mandatory timeline, no exceptions
  ❌ Skipping incident investigation - Required for complete reporting
  ❌ Skipping corrective actions - Required to prevent recurrence


7.4 Exception Request Process

Step 1: Submit Exception Request

  • Complete Exception Request Form (FORM-AI-EXCEPTION-001)
  • Include business justification
  • Propose compensating controls
  • Specify duration requested
  • Attach risk assessment

Step 2: Risk Assessment

  • AI Risk Manager assesses risk of granting exception
  • Evaluates adequacy of compensating controls
  • Documents residual risk

Step 3: Approval

  • Route to appropriate approval authority based on exception type
  • AI Risk Manager approval: Minor exceptions
  • AI Risk Manager + AI Governance Committee: Significant exceptions
  • AI Governance Committee: Critical exceptions

Step 4: Documentation and Monitoring

  • Document exception in Exception Register
  • Assign exception owner
  • Set review date
  • Monitor compensating controls
  • Report exceptions quarterly to AI Governance Committee

Step 5: Exception Review and Closure

  • Review exception at specified review date
  • Assess if exception still needed
  • Close exception when normal reporting completed
  • Document lessons learned

ENFORCEMENT

8.1 Non-Compliance Consequences

Violation | Severity | Consequence | Remediation Required
Serious incident not reported | Critical | Immediate escalation; Legal investigation | Report immediately; Root cause analysis
Reporting beyond 15-day deadline (general serious incidents) | Critical | Immediate escalation; Compliance gap assessment | Report immediately; Process improvement
Reporting beyond 10-day deadline (death incidents) | Critical | Immediate escalation; Legal investigation | Report immediately; Process improvement
Reporting beyond 2-day deadline (widespread infringement/critical infrastructure) | Critical | Immediate escalation; Legal investigation | Report immediately; Process improvement
Incomplete incident investigation | High | Escalation to AI Governance Committee | Complete investigation within 5 business days
Missing corrective actions | High | Escalation to management | Implement actions within 10 business days
Incomplete incident report | Medium | Written warning | Complete report within 5 business days

8.2 Escalation Procedures

Level 1: AI Risk Manager

  • Minor procedural violations
  • Documentation deficiencies
  • Timeline delays < 2 days
  • Action: Written warning, corrective action required

Level 2: AI Risk Manager + AI Governance Committee

  • Repeated violations
  • Incomplete investigations
  • Missing corrective actions
  • Action: Formal review, corrective action plan, management notification

Level 3: AI Governance Committee

  • Serious incident not reported
  • Reporting beyond applicable statutory deadline (2, 10, or 15 days depending on incident type)
  • Critical compliance failures
  • Action: Immediate investigation, disciplinary action

Level 4: Executive Management + Legal

  • Potential regulatory enforcement action
  • Significant legal liability
  • Reputational risk
  • Action: Executive crisis management, legal strategy, regulatory engagement

8.3 Immediate Escalation Triggers

Escalate immediately to AI Governance Committee + Legal if:

  • ⚠️ Serious incident not reported within the applicable statutory deadline (2 days for widespread/critical infrastructure, 10 days for death, 15 days for general)
  • ⚠️ Regulatory inquiry or inspection related to incident reporting
  • ⚠️ Critical incident affecting safety or fundamental rights
  • ⚠️ Authority enforcement action

8.4 Disciplinary Actions

Individuals responsible for incident management violations may be subject to:

  • Verbal or written warning
  • Mandatory retraining
  • Performance improvement plan
  • Reassignment of responsibilities
  • Suspension (with pay during investigation)
  • Termination (for egregious violations, e.g., knowingly not reporting serious incident)

Factors Considered:

  • Intent (knowing violation vs. honest mistake)
  • Severity of violation
  • Impact (actual or potential)
  • Cooperation with remediation
  • Prior violation history

KEY PERFORMANCE INDICATORS (KPIs)

9.1 Incident Management KPIs

KPI ID | KPI Name | Definition | Target | Measurement Method | Frequency | Owner | Reporting To
KPI-INC-001 | Serious Incident Reporting Timeliness | % of serious incidents reported within the applicable statutory deadline (2, 10, or 15 days by incident type) | 100% | (# reported within applicable deadline / # total serious incidents) × 100 | Per incident | AI Risk Manager | AI Governance Committee
KPI-INC-002 | Incident Detection Time | Average time to detect incidents | < 1 hour | Σ (detection time) / # incidents | Per incident | AI Risk Manager | Management
KPI-INC-003 | Investigation Completion | Average days to complete investigation | < 10 days | Σ (investigation days) / # investigations | Per incident | AI Risk Manager | Management
KPI-INC-004 | Corrective Action Closure | Average days to close corrective actions | < 30 days | Σ (closure days) / # actions | Per action | AI Risk Manager | Management
KPI-INC-005 | Lessons Learned Documentation | % of incidents with lessons learned | 100% | (# with lessons learned / # total incidents) × 100 | Per incident | AI Risk Manager | Management
KPI-INC-006 | Incident Report Completeness | % of reports with all required elements | 100% | (# complete / # total reports) × 100 | Per report | AI Risk Manager | Management
KPI-INC-007 | Regulatory Submission Confirmation | % of submissions with confirmation | 100% | (# with confirmation / # total submissions) × 100 | Per submission | Legal | AI Risk Manager

9.2 KPI Dashboards and Reporting

Real-Time Dashboard (AI Risk Manager access)

  • Current incident status
  • Incident detection time
  • Investigation status
  • Reporting status
  • Corrective action status

Monthly Management Report

  • KPI-INC-001, 002, 003, 004, 005, 006, 007
  • Trend analysis (vs. previous month)
  • Issues and risks
  • Planned actions

Quarterly AI Governance Committee Report

  • All KPIs
  • Incident management effectiveness assessment
  • Internal audit findings (if conducted)
  • Exception register review

Annual Executive Report

  • Full-year KPI performance
  • Incident management maturity assessment
  • Strategic recommendations
  • Regulatory outlook

9.3 KPI Thresholds and Alerts

KPI | Green (Good) | Yellow (Warning) | Red (Critical) | Alert Action
Serious Incident Reporting Timeliness | 100% | 95-99% | < 95% | Red: Immediate escalation to AI Governance Committee Chair
Incident Detection Time | < 1 hour | 1-2 hours | > 2 hours | Red: Escalate to AI Governance Committee
Investigation Completion | < 10 days | 10-12 days | > 12 days | Red: Escalate to AI Governance Committee
Corrective Action Closure | < 30 days | 30-45 days | > 45 days | Red: Escalate to AI Governance Committee

TRAINING REQUIREMENTS

10.1 Training Program Overview

All personnel involved in incident management must complete role-specific training to ensure competency in EU AI Act Article 73 requirements, incident management procedures, and regulatory reporting.


10.2 Role-Based Training Requirements

Role | Training Course | Duration | Content | Frequency | Assessment Required
AI Risk Manager | Incident Management Expert Training | 16 hours | EU AI Act Article 73; Incident detection; Investigation; Reporting | Initial + annually | Yes - Written exam (≥90%)
Incident Response Team | Incident Response Training | 12 hours | Incident detection; Response; Investigation | Initial + annually | Yes - Practical exercise
Legal Staff | Regulatory Reporting Training | 8 hours | EU AI Act Article 73; Reporting procedures; Authority communication | Initial + annually | Yes - Written exam (≥90%)
AI System Owners | Incident Management Overview | 4 hours | Incident requirements; Responsibilities; Support | At onboarding + annually | Yes - Knowledge check (≥80%)
All AI Development Staff | Incident Awareness | 2 hours | Incident basics; Reporting requirements; Awareness | At onboarding + annually | Yes - Knowledge check (≥80%)

10.3 Training Content by Topic

EU AI Act Article 73 Requirements

  • Serious incident definition (Article 3(49))
  • Reporting obligation and competent authority (Article 73(1))
  • Reporting timelines (Article 73(2), (3) and (4)) and initial/complete reports (Article 73(5))
  • Post-report investigation and evidence preservation (Article 73(6))
  • Compliance obligations

Incident Management

  • Incident detection
  • Incident classification
  • Incident investigation
  • Incident reporting
  • Corrective actions

Regulatory Reporting

  • Report preparation
  • Regulatory submission
  • Authority communication
  • Follow-up

10.4 Training Delivery Methods

Initial Training:

  • Instructor-led classroom or virtual training
  • Includes interactive exercises and case studies
  • Hands-on practice with incident management tools
  • Group discussions of complex scenarios

Annual Refresher:

  • E-learning modules for core content review
  • Live update sessions for regulatory changes
  • Case study reviews of recent incidents
  • Knowledge assessment

On-the-Job Training:

  • Mentoring for new incident management staff
  • Job shadowing during incident response
  • Supervised incident management for first 3 incidents

Just-in-Time Training:

  • Quick reference guides and job aids
  • Video tutorials on specific topics
  • Help desk support from experienced staff

10.5 Training Effectiveness Measurement

Assessment Methods:

  • Written exams for knowledge retention
  • Practical exercises for skill application
  • On-the-job observations for competency validation
  • Feedback surveys for training quality

Competency Validation:

  • AI Risk Managers: Must demonstrate ability to manage 1 sample serious incident with 100% compliance before independent work
  • All staff: Must pass knowledge assessments with minimum required scores

Training Metrics:

Metric | Target | Frequency
Training completion rate | 100% | Quarterly
Assessment pass rate (first attempt) | ≥ 90% | Per training
Training effectiveness score (survey) | ≥ 4.0/5.0 | Per training
Time to competency (AI Risk Managers) | < 45 days | Per person

10.6 Training Records

Records Maintained:

  • Training attendance records
  • Assessment scores
  • Competency validations
  • Refresher training completion
  • Individual training transcripts

Retention: 10 years (to align with EU AI Act documentation retention)

Access: HR, AI Risk Manager, Internal Audit, Competent Authorities (upon request)


DEFINITIONS

Term | Definition | Source
Serious Incident | Incident or malfunctioning of an AI system that directly or indirectly leads to the death of a person or serious harm to a person's health, a serious and irreversible disruption of the management or operation of critical infrastructure, an infringement of obligations under Union law intended to protect fundamental rights, or serious harm to property or the environment | EU AI Act Article 3(49)
Malfunctioning | Failure of an AI system to perform as intended (the term is used, but not separately defined, in Article 3(49)) | This Standard
Market Surveillance Authority | The market surveillance authority of the Member State where the serious incident occurred, as required by Article 73(1) of the EU AI Act. This is the authority to which incident reports must be submitted; reports must not be submitted to notifying authorities or other competent authority types. | EU AI Act Article 73(1)
Corrective Action | Action to eliminate the cause of an incident | This Standard
Preventive Action | Action to prevent recurrence | This Standard

LINK WITH AI ACT AND ISO42001

12.1 EU AI Act Regulatory Mapping

This standard implements the following EU AI Act requirements:

EU AI Act Provision | Article | Requirement Summary | Implemented By (Controls)
Serious Incident Reporting | Article 73 | Reporting of serious incidents | All controls (INC-001 through INC-005)
Reporting Obligation | Article 73(1) | Obligation to report to market surveillance authority | INC-001, INC-004
General Reporting Timeline | Article 73(2) | 15-day reporting deadline (general serious incidents) | INC-004
Accelerated Timeline — Critical Infrastructure/Widespread | Article 73(3) | 2-day reporting deadline (widespread infringement or critical infrastructure disruption) | INC-004
Accelerated Timeline — Death | Article 73(4) | 10-day reporting deadline (death of a person) | INC-004
Serious Incident Definition | Article 3(49) | Definition of serious incident including property/environment harm | INC-001

12.2 ISO/IEC 42001:2023 Alignment

This standard aligns with ISO/IEC 42001:2023 as follows:

ISO 42001 Clause | Requirement | Implementation in This Standard
Clause 10.1: Nonconformity and corrective action | Address nonconformities | INC-005
Clause 9.1: Monitoring, measurement, analysis, and evaluation | Monitor and measure | INC-001

12.3 Relationship to Other Standards

This incident management standard integrates with other AI Act standards:

Related Standard | Integration Point | Rationale
STD-AI-001: Classification | Classification determines whether reporting is required | High-risk AI requires Article 73 reporting
STD-AI-002: Risk Management | Incidents feed into risk management | Incident data updates risk assessments
STD-AI-012: Post-Market Monitoring | PMM may identify incidents | PMM data feeds incident detection

12.4 References and Related Documents

EU AI Act (Regulation (EU) 2024/1689):

  • Article 73: Reporting of Serious Incidents
  • Article 73(1): Reporting Obligation (to market surveillance authority)
  • Article 73(2): General 15-day Reporting Timeline
  • Article 73(3): Accelerated 2-day Timeline (widespread infringement/critical infrastructure)
  • Article 73(4): Accelerated 10-day Timeline (death)
  • Article 3(49): Definition of Serious Incident

ISO/IEC Standards:

  • ISO/IEC 42001:2023: Information technology — Artificial intelligence — Management system

Internal Documents:

  • POL-AI-001: Artificial Intelligence Policy (parent policy)
  • STD-AI-001: AI System Classification Standard
  • STD-AI-002: AI Risk Management Standard
  • STD-AI-012: AI Post-Market Monitoring Standard
  • PROC-AI-INC-001, -002, -003: Incident management procedures

APPROVAL AND AUTHORIZATION

Role | Name | Title | Signature | Date
Prepared By | AI Risk Manager | AI Risk Manager | ________________ | ________
Reviewed By | Sarah Johnson | AI Act Program Manager | ________________ | ________
Reviewed By | Michael Brown | Chief Legal Officer | ________________ | ________
Reviewed By | Jane Doe | Chief Strategy & Risk Officer | ________________ | ________
Approved By | Jane Doe | AI Governance Committee Chair | ________________ | ________

Effective Date: 2025-08-01
Next Review Date: 2026-08-01
Review Frequency: Annually or upon regulatory change


END OF STANDARD STD-AI-013


This standard is a living document. Feedback and improvement suggestions should be directed to the AI Risk Manager.
