Investigation & Corrective Action

Following the initial report, Article 73(6) requires the provider to investigate, assess the incident’s risk, and take corrective steps. The investigation determines the root cause (data issue, model deficiency, integration error, deployment configuration, human oversight failure, or external factor), the scope of impact (how many persons affected, which subgroups, in which member states), and the appropriate remedy (model fix, data correction, configuration change, deployment limitations, system withdrawal, or enhanced human oversight).

The corrective action is documented and communicated to the competent authority as a supplement to the initial report. If the corrective action involves a substantial modification to the system, a new conformity assessment may be required. The investigation timeline depends on the incident’s complexity; the authority may set deadlines for supplementary reports.

The investigation findings also feed into the risk register and the PMM feedback loop. A serious incident reveals a risk that the pre-deployment risk assessment did not anticipate; the risk register is updated, and the AISDP is amended to reflect the new understanding.

Key outputs
- Root cause determination across six categories
- Impact scope assessment (persons, subgroups, jurisdictions)
- Corrective action communicated to competent authority
- Risk register and AISDP updated with investigation findings