A Hospital Network Just Asked How Your AI Triage Tool Reports Serious Incidents to Market Surveillance Authorities: Answering the Article 73 Questions


A hospital network procurement team just sent you a 40-question AI governance questionnaire. One section is headed "Serious Incident Reporting and Post-Market Obligations." The first question reads: "Does your AI system have a documented process for identifying and reporting serious incidents under Article 73 of the EU AI Act? Please describe the process and the timeline."

This question is not hypothetical. Under the EU AI Act, providers of high-risk AI systems in clinical or safety-adjacent settings have binding incident reporting obligations. Here is what the question is really asking — and how to answer it with precision.

What Is a Serious Incident Under the EU AI Act?

Article 3(49) of the EU AI Act defines a serious incident as any incident or malfunction of a high-risk AI system that directly or indirectly leads to: the death of a person or serious damage to a person's health; a serious and irreversible disruption of the management or operation of critical infrastructure; infringement of obligations under EU law intended to protect fundamental rights; or serious damage to property or the environment.

For a clinical AI triage tool, the most directly relevant scenario is the first: an output from your system that contributes — directly or as one input among many — to a clinical decision that results in patient harm.

Providers do not bear liability for every bad outcome touched by their system. The threshold is a serious incident that results from the functioning of the AI system, including when the system works as intended but the output is acted on in a harmful way. That nuance matters enormously in HealthTech procurement conversations.

Article 73: What the Provider Must Do

Article 73 requires providers of high-risk AI systems placed on the EU market to report serious incidents to the market surveillance authority of the member state where the incident occurred. The key obligations are:

Notification timeline. Providers must notify the market surveillance authority immediately — and in any case within 15 days of becoming aware of the serious incident. For incidents posing a risk to health or safety, the 15-day period may be shortened. You should document your internal escalation and notification process with specific named responsible roles and time-bound steps.

Content of the notification. The notification must describe the incident, identify the AI system involved (including version), describe the impact on health or safety, describe the corrective actions taken or planned, and indicate whether the system has been temporarily suspended.

Coordination with sectoral law. In HealthTech, EU AI Act incident reporting often overlaps with EU Medical Device Regulation (MDR) serious incident reporting. If your AI triage tool qualifies as a medical device, you are likely already subject to MDR Article 87 reporting obligations to national competent authorities. The two regimes are not identical — timelines and reporting bodies differ — and your questionnaire answer should describe how your process handles both, without conflating them.

How to Answer the Article 73 Questions

"Do you have a documented serious incident process?"

Yes — and name the document. Reference your post-market monitoring plan (required under Article 72, see below), your incident register, and your internal escalation policy. If you have a named Chief Safety Officer or equivalent role who owns the escalation chain, say so. Procurement reviewers weight named human accountability very highly.

"What is your incident identification mechanism?"

This is asking how you detect that a serious incident may have occurred. For a clinical AI tool, the detection pathway typically involves: anomaly detection in the system's output distribution (statistical drift monitoring), reports from the deploying clinical team via a structured incident intake form, and linkage to the deployer's clinical adverse event reporting system. Describe which of these you have implemented and which you rely on the deployer to provide.

"What is your notification timeline?"

State your timeline explicitly: "Upon receiving credible information that a serious incident may have occurred, our internal incident response team initiates an assessment within 24 hours. If the assessment concludes that a serious incident as defined under Article 3(49) is plausible, we notify the market surveillance authority within 15 calendar days of that determination, and no later than the Article 73 maximum. We also notify the deployer concurrently."

"Do you coordinate with the deploying hospital on incident reporting?"

This is the crux of the question. Article 73(4) requires deployers — here, the hospital — to report serious incidents to the provider immediately upon becoming aware of them. Your contract and your deployment documentation should specify this obligation on the deployer explicitly. Your answer: "Our deployment agreement includes an incident notification clause requiring deployers to report any suspected serious incident to Complizo within 48 hours. We also provide deployers with an incident intake form and a named incident response contact."

Article 72: Post-Market Monitoring Plan

Article 72 requires providers to establish, document, and implement a post-market monitoring (PMM) plan. This is the upstream process that feeds Article 73 incident reporting. The PMM plan covers: how performance is tracked after deployment, what metrics trigger an internal review, how user feedback is collected and evaluated, and how the provider determines when an update or recall is necessary.

If the hospital's questionnaire asks about the PMM plan separately from the Article 73 process, treat them as linked: the PMM plan is the early warning system, and Article 73 reporting is what happens when the early warning triggers.

What Makes a Strong Answer Here

The procurement reviewer evaluating this section is typically a clinical risk manager or a procurement compliance officer, not a lawyer. They are asking: "If something goes wrong with this AI tool, will the vendor know about it, and will they tell us and the regulator in time?"

Your answer should leave no ambiguity on three points: you have a named process, you have a documented timeline, and you have a contractual mechanism for the deployer to feed incidents back to you. If you can reference a live test of your incident response process — even a tabletop exercise — that evidence carries significant weight.
