v2.4.0

Every incident triage must separately assess the fundamental rights dimension, regardless of whether the incident is also reportable under NIS2, DORA, or the CRA. Article 73(9) may simplify reporting for entities subject to other regimes, but it explicitly preserves the requirement to report fundamental rights infringements under Article 3(49)(c).

The fundamental rights assessment evaluates whether the incident has caused or could cause systematic discrimination in the system’s decisions (affecting protected characteristic groups disproportionately), denial of essential services or benefits based on the system’s outputs, or harm to an individual’s health, safety, or other fundamental right as a direct consequence of the system’s operation.

A data poisoning attack on a credit scoring model, for example, may constitute both a DORA-reportable ICT incident and an Article 73-reportable fundamental rights infringement if the poisoned model systematically denies credit to a protected group. The fundamental rights dimension is assessed by the Legal and Regulatory Advisor in consultation with the AI Governance Lead, and the assessment is documented in the incident record.

Key outputs

  • Mandatory fundamental rights dimension assessment per incident
  • Evaluation of discrimination, denial of services, and individual harm
  • Legal and Regulatory Advisor assessment with documentation
  • Module 9 and Module 6 AISDP evidence