post-market-monitoring · 10 June 2026 · DILAIG

Post-Market Monitoring Under the EU AI Act: What Providers and Deployers Must Track After Launch

The EU AI Act doesn't end at deployment. Articles 72 and 73 impose ongoing post-market monitoring and incident reporting obligations on providers and deployers of high-risk AI. Here is what you must track, log, and report — and when.

Last updated: June 2026 · Reading time: 8 minutes


Most compliance discussions focus on getting an AI system to market: technical documentation, conformity assessments, CE marking, EU database registration. These are real and demanding obligations — but they are not the end of the story.

Once a high-risk AI system is deployed, the EU AI Act imposes a second layer of obligations: continuous post-market monitoring, serious incident reporting, and — in some cases — mandatory withdrawal of the system from service. These obligations sit primarily in Articles 72 and 73 of Regulation (EU) 2024/1689, with additional provisions in Articles 26 and 61.

Understanding what you must track, and when you must act, is critical for any provider or deployer operating in the EU.


The Logic Behind Post-Market Monitoring

AI systems do not behave the same after deployment as they did during testing. Training data distributions shift. The operational environment introduces variables that were not present during development. Users interact with systems in unexpected ways. Risks that appeared theoretical become real.

The AI Act recognises this dynamic. Article 9 requires a risk management system that operates "throughout the lifecycle" of a high-risk AI system — not just during development. Post-market monitoring is the mechanism that makes lifecycle-based risk management operational.

The framework draws explicitly from pharmaceutical regulation and product safety law, where post-market vigilance is already a mature discipline. The AI Act applies the same logic to algorithmic decision-making.


Article 72: Post-Market Monitoring System

Who Must Comply

Article 72 imposes post-market monitoring obligations on providers of high-risk AI systems — the entity that develops or places the system on the market or puts it into service under their own name or trademark.

Deployers have separate obligations, addressed below, but the primary responsibility for establishing and running the post-market monitoring system sits with the provider.

What the System Must Do

Under Article 72(1), providers must "actively and systematically collect, document and analyse relevant data on the performance of high-risk AI systems throughout their lifetime."

The scope of "relevant data" is broad. It includes:

  • Data provided by deployers through their feedback mechanisms
  • Data on near-misses and actual incidents reported by deployers or users
  • Quantitative performance metrics against the accuracy and robustness specifications defined in the technical documentation
  • Data indicating distributional shift — cases where the system's operational data diverges significantly from the training distribution
  • Information about societal or contextual changes that may affect the system's risk profile

The Post-Market Monitoring Plan

Providers must establish a post-market monitoring plan as part of their technical documentation (Article 11 and Annex IV). The plan must specify:

  • The data collection methodology
  • The frequency of performance reviews
  • The thresholds that trigger corrective action
  • The procedures for updating the system when issues are identified
  • The communication chain with deployers

For high-risk AI systems that are also medical devices or safety components, the post-market monitoring plan must align with the requirements of the relevant sectoral legislation (e.g. MDR Regulation (EU) 2017/745).

Updating Technical Documentation

When post-market monitoring data reveals that the system no longer meets the accuracy, robustness, or safety specifications set out in the technical documentation, the provider must update the documentation and, where required, resubmit to a notified body for reassessment (Article 72(2)).


Article 73: Serious Incident Reporting

Post-market monitoring feeds directly into the serious incident reporting regime under Article 73 — one of the more operationally demanding aspects of the AI Act for providers.

What Counts as a "Serious Incident"

Article 3(49) defines a serious incident as "any incident or malfunctioning of an AI system that directly or indirectly leads to" any of the following:

  • The death of a person or serious harm to a person's health
  • Serious and irreversible disruption of critical infrastructure
  • Infringement of obligations under EU law intended to protect fundamental rights
  • Serious harm to property or the environment

The definition is deliberately broad. It includes both direct harms (the AI system's output causes injury) and indirect harms (the system's failure enables a human decision that causes injury).

Reporting Timelines

When a provider becomes aware of a serious incident, Article 73 requires reporting to the relevant national market surveillance authority within the following deadlines:

| Incident type | Reporting deadline |
|---|---|
| Death or unexpected serious deterioration of health | 15 days |
| Other serious incidents | 30 days |
| Serious incidents that become known post-remediation | As soon as the information is available |

These timelines run from the date the provider "becomes aware" of the incident — not from the date the incident occurred. Providers must therefore build internal escalation and triage processes that ensure awareness is formalised quickly.

Reporting to the European AI Office

For general-purpose AI models with systemic risk (Articles 51–56), serious incident reporting follows a parallel track to the European AI Office rather than national authorities. This distinction matters for providers of large foundation models whose systems underpin many downstream applications.

What Happens After Reporting

Following a serious incident report, national market surveillance authorities may order:

  • Corrective measures to bring the system back into compliance
  • Restrictions on use or access
  • Withdrawal from the market under Article 79
  • In severe cases, prohibition of use

Providers that have a functioning post-market monitoring system and can demonstrate documented awareness of the issue, along with active corrective measures, are in a significantly stronger position during any investigation.


Deployers: Obligations Under Articles 26 and 73

Deployers are not passive observers in the post-market monitoring framework. Article 26(5) requires deployers to monitor the operation of the high-risk AI system and, where relevant, inform the provider and the relevant market surveillance authority of serious incidents.

More specifically, deployers must:

  • Keep logs generated automatically by the system (to the extent technically feasible and in line with GDPR) for at least six months (Article 26(6))
  • Inform the provider immediately upon discovering a serious incident
  • Co-operate with investigations by market surveillance authorities

Deployers who discover that a high-risk AI system no longer meets the conditions set out in the technical documentation must suspend use and notify the provider (Article 26(5)).

Practical Example: An HR System Deployed by a Recruitment Agency

A recruitment agency deploys a third-party AI screening tool — a high-risk system under Annex III, Point 4. The agency notices that the system has started ranking candidates from a particular university significantly lower, with no explanation linked to the role's requirements. This constitutes a performance anomaly that must be escalated to the provider immediately. If the pattern causes demonstrable discrimination in hiring decisions, it may qualify as a serious incident under Article 3(49) as an infringement of fundamental rights obligations. The agency must log the issue, inform the provider, and may need to notify the market surveillance authority.


Building Your Post-Market Monitoring Infrastructure

For providers and deployers approaching this for the first time, the minimum viable monitoring infrastructure includes:

  1. A formal post-market monitoring plan integrated into technical documentation — not a policy document sitting in a shared drive, but a live operational plan with named owners and thresholds.
  2. Logging infrastructure that captures the inputs, outputs, and decision-relevant factors for each AI inference (Article 12).
  3. An internal incident triage process that defines what constitutes a serious incident, who assesses it, and within what timeframe.
  4. A deployer feedback channel — a structured way for deployers to report performance anomalies back to the provider.
  5. A corrective action procedure linked to the risk management system under Article 9.

The post-market monitoring plan is one of the four documents generated by DILAIG's automated audit. Run the 50-question audit to produce your monitoring plan alongside your risk assessment, technical documentation, and conformity declaration. Contact us for guidance on deployer-specific obligations.


FAQ: Post-Market Monitoring Under the EU AI Act

Does post-market monitoring apply to all AI systems or only high-risk ones?
The formal obligations in Articles 72 and 73 apply to high-risk AI systems under Annex III and Article 6. General-purpose AI models with systemic risk have parallel obligations under Article 55. Minimal-risk systems face no mandatory post-market monitoring requirements.

When do these obligations apply?
Most high-risk AI obligations, including post-market monitoring, apply from 2 August 2026. For high-risk systems that are components of products covered by Annex I sectoral legislation, the deadline extends to 2 August 2027.

What if we use a third-party AI provider?
If you are a deployer using a third-party high-risk AI system, your obligations under Article 26 apply regardless of who built the system. You must maintain logs, report serious incidents to the provider, and suspend use if the system is non-compliant.

How long must monitoring data be retained?
Article 12 requires that logs be automatically generated and retained for the period defined in the technical documentation, with a minimum of six months for deployers under Article 26(6). Providers' full monitoring records should be retained for the ten-year period specified in Article 18 for technical documentation.

Can the provider delegate post-market monitoring to the deployer?
The provider retains primary responsibility under Article 72. Contractual arrangements can allocate operational monitoring tasks to deployers, but the provider cannot contract away its legal obligations.


Key Takeaways

  • Article 72 requires providers to maintain an active, systematic post-market monitoring system for high-risk AI throughout its operational lifetime.
  • The monitoring plan must be part of the technical documentation and must specify data collection, performance thresholds, and corrective action procedures.
  • Article 73 requires serious incident reporting to national market surveillance authorities within 15 days (death or serious health deterioration) or 30 days (other serious incidents).
  • Deployers have independent obligations: maintain logs, report incidents to providers, and suspend non-compliant systems.
  • The post-market monitoring plan is one of the four mandatory documents DILAIG generates from its 50-question audit.
