AI Incident Notification
The AI Act establishes specific procedures for notifying authorities about serious incidents and anomalies in high-risk AI systems, which requires dedicated coverage distinct from general information duties and incident reporting.
serious incident notification incident reporting anomaly notification notification timeline notification requirements incident disclosure authority notification incident documentation
Overview
Legal Framework
The AI Act establishes a dedicated AI incident notification regime distinct from general information duties. Article 73 mandates that providers of high-risk AI systems immediately notify the relevant market surveillance authority of any serious incident. This notification must occur no later than 15 days after the provider becomes aware of the incident. The law defines a "serious incident" as one that directly or indirectly leads to death, serious harm to health, serious damage to property, or a serious disruption of critical infrastructure. The rationale is to ensure swift regulatory oversight and mitigation of risks posed by high-risk AI systems, moving beyond the abolished general notification obligations criticized under prior frameworks like the GDPR's predecessor (Recital 89 GDPR).
Practical Application
The notification is not a general alert but a targeted procedure focused on significant risks. The 15-day clock starts when the provider has sufficient reason to believe a serious incident has occurred; waiting for full internal investigation is not permitted. The initial notification must include available details on the AI system, the nature of the incident, and any corrective measures taken. This is followed by a final report after a root-cause analysis. This regime operates alongside, but is separate from, sector-specific incident reporting rules like those under NIS2 for ICT-related incidents (Recital 28 NIS2). The European Commission may specify detailed formats and procedures via implementing acts.
Key Considerations
- Trigger & Timeline: Establish internal processes to identify "serious incidents" as defined and to trigger the notification procedure immediately, ensuring the initial report is submitted within the strict 15-day deadline.
- Content & Follow-up: Prepare to provide an initial notification with all readily available information, followed by a comprehensive final report detailing root causes and corrective actions, as required by Article 73(3).
- Coordination of Regimes: Map how the AI Act notification obligation interacts with other applicable incident reporting duties (e.g., under GDPR, NIS2, or sectoral laws) to ensure coordinated compliance without duplication or delay.
Laws (9)
Guidance (6)
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Guidelines on the concepts of controller and processor in the GDPR
The concepts of controller, joint controller and processor play a crucial role in the application of the General Data Protection Regulation 2016/679 (GDPR), since they determine who shall be responsible for compliance with different data protection rules, and how data subjects can exercise their rights in practice. The precise meaning of these concepts and the criteria for their correct interpretation must be sufficiently clear and consistent throughout the European Economic Area (EEA). The conc...
Richtsnoeren 4/2019 inzake artikel 25 Gegevensbescherming door ontwerp en door standaardinstellingen
guidelines privacy by design en default
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Enforcement (53)
View all 53Gynecological Center: Insufficient fulfilment of data breach notification obligations
€9,450 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 9,450 on a Gynecological Center. The controller sufferd a data breach and failed to report this to the DPO.
Court Bailiff: Insufficient fulfilment of data breach notification obligations
€5,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has imposed a fine of EUR 5,000 on a court bailiff. The controller forwarded a letter containing personal data to the wrong person, failing to inform either the affected data subjects or the DPA.
Company: Insufficient fulfilment of data breach notification obligations
€870 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA has imposed a fine of EUR 870 on a company. After being informed of a data breach, the controller took adequate measures to close it but failed to inform the DPA.
ADMINISTRACIONES BENIPON, S.L.: Insufficient fulfilment of data breach notification obligations
€1,100 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine of EUR 1,100 on ADMINISTRACIONES BENIPON, S.L. The processor failed to notify the controller of a data breach and also used a sub-processor without prior consent and without an legal agreement.
Hospital: Insufficient fulfilment of data breach notification obligations
€6,900 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a district hospital in Września EUR 6,900 for failing to report a data breach to the DPA and data subjects in a timely manner. A patient had accidentally received another individual's medical records and was able to access their personal data.
mBank: Insufficient fulfilment of data breach notification obligations
€940,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined mBank EUR 940,000. The bank had suffered a data breach in which an employee of the controller sent documents containing customer data to the wrong recipient. The documents contained information such as names, account numbers, dates of birth and ID card numbers. Although the documents were returned to mBank, the envelope had been opened , meaning that third parties may have had access to the documents. During its investigation, the DPA found that, although the controller
Association: Insufficient fulfilment of data breach notification obligations
€210 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an association EUR 210 for failing to report a data breach to the DPA in a timely manner.
Azienda sanitaria locale Roma 3: Insufficient fulfilment of data breach notification obligations
€10,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has fined Azienda sanitaria locale Roma 3 EUR 10,000 for failing to report a data breach to the DPA in a timely manner and to properly document the data breach.
Toyota Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations
€18,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Toyota Bank Polska S.A. EUR 18,000 for failing to report a data breach to the DPA in a timely manner.
Santander Bank Polska S.A.: Insufficient fulfilment of data breach notification obligations
€326,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Santander Bank Polska S.A. EUR 326,000 for failing to report a data breach to the DPA and data subjects in a timely manner.
NTT Data Italia S.P.A: Insufficient fulfilment of data breach notification obligations
€800,000 fine - Italian Data Protection Authority (Garante)
The Italian DPA has imposed a fine of EUR 800,000 on NTT Data Italia S.P.A. The fine is related to the fine imposed on UniCredit (ETid-2227). UniCredit had contracted NTT to carry out vulnerability analyses and penetration tests. During its investigation, the DPA found that NTT had not notified UniCredit of a data breach in a timely manner. In addition, NTT had contracted another company to carry out vulnerability assessments and penetration tests without prior authorization from the bank as the
HISPAPOST, S.A.: Insufficient fulfilment of data breach notification obligations
€36,000 fine - Spanish Data Protection Authority (aepd)
The Spanish DPA has imposed a fine on HISPAPOST, S.A.. The police had found over a thousand abandoned letters containing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.
POLAND DPA: Insufficient fulfilment of data breach notification obligations
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a data controller EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
Online retailer: Insufficient fulfilment of data breach notification obligations
€6,000 fine - Data Protection Authority of Hamburg
The DPA of Hamburg has imposed a fine of EUR 6,000 on an online retailer for failing to report a data breach in a timely manner.
District Court Krakow: Insufficient fulfilment of data breach notification obligations
€2,300 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined the District Court in Krakow EUR 2,300 for failing to report a data breach to the DPA and data subjects in a timely manner.
AUSTRIA DPA: Insufficient fulfilment of data breach notification obligations
€5,900 fine - Austrian Data Protection Authority (dsb)
The Austrian DPA fined a controller EUR 5,900 for failing to report a data breach in a timely manner and for not cooperating with the DPA.
Insurance company: Insufficient fulfilment of data breach notification obligations
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined an insurance company EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
Link4 Towarzystwo Ubezpieczeń S. A.: Insufficient fulfilment of data breach notification obligations
€24,000 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined Link4 Towarzystwo Ubezpieczeń S. A. EUR 24,000 for failing to report a data breach to the DPA in a timely manner.
Company: Insufficient fulfilment of data breach notification obligations
€2,500 fine - Polish National Personal Data Protection Office (UODO)
The Polish DPA has fined a company EUR 2,500 for failing to report a data breach to the DPA and data subjects.
Argon Medical Devices: Insufficient fulfilment of data breach notification obligations
€220,000 fine - Norwegian Supervisory Authority (Datatilsynet)
The Norwegian DPA has fined Argon Medical Devices EUR 220,000. The controller failed to notify the DPA of a data breach that involved personal data of all its European employees within 72 hours. ---UPDATE--- The controller appealed against the decision to the DPA, but the appeal was dismissed.
News (2)
Decision to amend the "Decision on Notification Procedures and Data Processing in the Shipping Sector" in connection with the implementation of the Maritime National Single Window.
Legislation.
Decision to amend the "Decision on Notification Procedures and Data Processing in Shipping" in connection with the implementation of the Maritime National Single Window.
Europese Commissie presenteert nieuwe regels om seksueel misbruik van kinderen op internet te voorkomen en te bestrijden
The proposed rules would require online service providers to detect, report and remove child sexual abuse material on their services. Those providers must also assess the risk of their services being used to distribute child sexual abuse material. A new European Center on Child Sexual Abuse will provide support to providers, law enforcement and victims.