v2.4.0 | Report Errata
docs artefact-taxonomy docs artefact-taxonomy

E6. Serious Incident Reports Formal notifications to the market surveillance authority under Article 73 for incidents meeting the Article 3(49) definition. Tiered deadlines: two days (widespread infringement or critical infrastructure disruption), ten days (death), fifteen days (default). An initial incomplete report is permitted under Article 73(5). Uses pre-drafted templates with a shared incident fact sheet and regime-specific annexes for each applicable regulation (AI Act, GDPR, DORA, NIS2, CRA). Evidence is preserved and the system left unaltered per Article 73(6) before authority notification. Responsible party: AI Governance Lead owns. Legal and Regulatory Advisor coordinates with authorities. Regulations addressed: Article 73 (serious incident reporting); Article 3(49) (serious incident definition); GDPR Article 33 (breach notification, 72 hours); DORA Article 19 (major ICT incident, 4 hours); NIS2 Article 23 (significant incident, 24 hours); CRA Article 14 (vulnerability reporting, 24 hours). Key outputs

  • Tiered-deadline incident notification
  • Cross-regime parallel reporting with shared fact sheet
  • Evidence preservation attestation
On This Page