Art. 3(49) Definition — Five Categories of Serious Incident Article 3(49) defines a serious incident as an incident or malfunction that directly or indirectly results in one of five outcomes: death of a person, serious harm to a person’s health (including life-threatening illness, temporary or permanent bodily impairment, hospitalisation, or medical intervention required to prevent such outcomes), serious and irreversible disruption to the management or operation of critical infrastructure, infringement of obligations under EU law intended to protect fundamental rights, or serious harm to property or the environment. The Commission’s September 2025 draft guidance clarifies interpretive boundaries. “Serious and irreversible disruption of critical infrastructure” requires both seriousness (imminent threat to life or physical safety) and irreversibility (physical infrastructure requiring reconstruction, essential data irrecoverable, or specialised equipment irreparably damaged). Fundamental rights infringements must “significantly interfere” with Charter-protected rights “on a large scale,” establishing a high threshold intended to prevent trivial reporting. Examples include recruitment systems systematically discriminating based on ethnicity, or credit scoring systems categorically rejecting individuals from specific neighbourhoods. Indirect causation is sufficient. An AI system providing incorrect medical analysis that leads to patient harm through subsequent physician decisions constitutes an indirect serious incident. Key outputs

• Five-category serious incident definition understood across the organisation
• Commission draft guidance interpretive thresholds applied
• Indirect causation included in the assessment scope
• Module 12 AISDP documentation