Cross-Regime Interaction (Art. 73(9)) High-risk AI systems in sectors with existing equivalent reporting obligations have simplified AI Act reporting requirements. Under Article 73(9), where the system is subject to NIS2 (critical infrastructure), DORA (financial services), or medical device vigilance regulations, the AI Act reporting obligation is limited to fundamental rights infringements as defined in Article 3(49)©; other serious incidents are reported through the sector-specific regime. Organisations operating under multiple reporting regimes map the overlap, identify which incidents trigger which reporting obligations, and ensure internal processes route incidents to the correct authority through the correct channel within the correct timeline. A single incident may trigger reporting under the AI Act, NIS2, GDPR (data breach notification under Article 33), and sector-specific legislation simultaneously. The incident response plan includes a cross-regime reporting matrix documenting, for each incident category, which regimes are triggered, which authorities receive reports, and the applicable timelines. This matrix prevents the organisation from satisfying one reporting obligation while inadvertently missing another. Key outputs

• Article 73(9) sector-specific simplification applied where eligible
• Cross-regime reporting matrix in the incident response plan
• Parallel reporting obligations identified and mapped
• Module 12 AISDP documentation