2026-06-04 · sota.io Team

EU AI Act Market Surveillance Operations: Building the Art.72→Art.73→Art.74 Incident-to-NCA Pipeline

Post #3 in the sota.io EU AI Act Market Surveillance Operations Series — EU-AI-ACT-MARKET-SURVEILLANCE-OPS-2026 #3/5

[Figure: EU AI Act Art.72 to Art.73 to Art.74 incident pipeline diagram]

Most high-risk AI providers treat post-market monitoring (Art.72), serious incident reporting (Art.73), and NCA market surveillance (Art.74) as three separate compliance workstreams. They are not. They form a single escalation pipeline: Art.72 monitoring generates the data, Art.73 incident thresholds determine when that data triggers a report, and Art.73 reports automatically open the door to Art.74 NCA inspections.

This guide maps the complete operational pipeline — from monitoring instrumentation through incident classification to NCA access — and shows the infrastructure you need to build before August 2, 2026.


The Three-Stage Pipeline

Art.72 Post-Market Monitoring
        │
        │ monitoring data → anomaly → threshold breach
        ▼
Art.73 Serious Incident Reporting
        │
        │ NCA notification → triggers market surveillance
        ▼
Art.74 NCA Market Surveillance Access
        │
        │ inspection request → documentation demand → system access
        ▼
   NCA Investigation

The pipeline is automatic: once Art.73 is triggered, the NCA has authority under Art.74 to access your system, demand documentation, and conduct inspections. Your Art.72 monitoring data becomes the primary evidence corpus.


Stage 1: Art.72 Post-Market Monitoring — The Data Foundation

What Art.72 Requires

Art.72 obliges providers of high-risk AI systems to establish a post-market monitoring system that:

The Monitoring Data Model

Build your Art.72 monitoring around four data categories that directly feed Art.73 incident classification:

1. Performance metrics

2. Deployment context

3. Harm signals

4. Human oversight events

Infrastructure Requirements

Your Art.72 monitoring infrastructure must be NCA-accessible. Art.74(1) gives NCAs the right to access your AI system and the data it processes. This means:

# Required monitoring infrastructure for NCA access
monitoring:
  data_retention: 10_years_minimum  # Art.12(1) logging requirement
  access_controls:
    nca_read_access: true            # Art.74(1) access right
    audit_log: immutable             # Art.12(2) audit trail
  export_formats:
    - structured_json
    - human_readable_pdf             # For NCA review
  incident_record_schema:
    incident_id: uuid
    detection_timestamp: iso8601
    classification: serious|non_serious|anomaly
    affected_persons_count: integer
    harm_category: health|safety|fundamental_rights|property
    resolution_status: open|reported_to_nca|closed
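
One way to make the `audit_log: immutable` setting checkable is a hash chain over incident records. The sketch below is an added example, not code from the original post; the function names and the sample records (shaped after the incident_record_schema fields above) are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry

def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous entry's hash together with a canonical record encoding."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(log: list, record: dict) -> None:
    """Append-only write: each entry commits to everything before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": dict(record), "prev": prev, "hash": entry_hash(prev, record)})

def first_broken_index(log: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None

def sample_log() -> list:
    """Constructed records using the incident_record_schema fields."""
    log = []
    for n, status in enumerate(["open", "reported_to_nca", "closed"], start=1):
        append(log, {
            "incident_id": f"00000000-0000-4000-8000-00000000000{n}",
            "detection_timestamp": f"2026-09-0{n}T10:00:00+00:00",
            "classification": "serious",
            "affected_persons_count": n,
            "harm_category": "safety",
            "resolution_status": status,
        })
    return log

if __name__ == "__main__":
    log = sample_log()
    print("intact log:", first_broken_index(log))
    log[1]["record"]["detection_timestamp"] = "2026-09-05T10:00:00+00:00"  # edit after the fact
    print("first broken entry:", first_broken_index(log))
```

A chain only proves internal consistency: dropping the newest entries still verifies, so the latest hash should be stored somewhere the log writer cannot modify.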

Stage 2: Art.73 Serious Incident Reporting — The Threshold Logic

Incident Classification Under Art.73

Art.73(1) defines a "serious incident" as any malfunction or unintended use that directly or indirectly causes:

Your Art.72 monitoring system must implement threshold logic that automatically classifies incidents against these four categories.

Classification Decision Tree

from dataclasses import dataclass
from typing import Optional


@dataclass
class MonitoringEvent:
    # Fields read by the threshold logic below
    fatality_count: int = 0
    serious_harm_count: int = 0
    fundamental_rights_breach: bool = False
    harm_probability: float = 0.0


@dataclass
class IncidentClassification:
    type: str
    reporting_timeline_days: Optional[int] = None
    nca_access_triggered: bool = False


def classify_incident(event: MonitoringEvent) -> IncidentClassification:
    # Fatal or mass harm: immediate NCA notification
    if event.fatality_count > 0 or event.serious_harm_count >= 5:
        return IncidentClassification(
            type="serious_incident",
            reporting_timeline_days=2,    # Art.73 immediate notification
            nca_access_triggered=True
        )

    # Individual serious harm
    if event.serious_harm_count > 0:
        return IncidentClassification(
            type="serious_incident",
            reporting_timeline_days=15,   # Art.73(6) standard timeline
            nca_access_triggered=True
        )

    # Fundamental rights infringement
    if event.fundamental_rights_breach:
        return IncidentClassification(
            type="serious_incident",
            reporting_timeline_days=15,
            nca_access_triggered=True
        )

    # Potential escalation: track, do not yet report
    if event.harm_probability > 0.7:
        return IncidentClassification(
            type="potential_serious_incident",
            reporting_timeline_days=None,  # Monitor; may escalate
            nca_access_triggered=False
        )

    # Below every threshold: remaining fields keep their defaults
    return IncidentClassification(type="non_serious")

Reporting Timelines

The timeline from detection to NCA notification is specified in implementing acts under Art.73(6):

| Incident Type | Deployer → Provider | Provider → NCA |
|---|---|---|
| Fatal or mass harm | Immediately | 2 working days (initial) |
| Standard serious incident | Without undue delay | 15 working days |
| Intermediate report | | 10 working days (after initial) |
| Final report | | 1 month (after initial) |

Critical implementation note: The clock starts when the provider becomes aware of the incident — not when the deployer first observed it. Your Art.72 monitoring system must timestamp awareness events precisely, because NCAs will audit the gap between your monitoring logs and your Art.73 submission.

The Deployer-Provider Notification Chain

Art.73(3) requires deployers to notify providers when they identify a serious incident. Your provider infrastructure needs:

  1. Deployer notification endpoint — a secure channel for deployers to report incidents to you
  2. Acknowledgment receipts — timestamped confirmation you received the deployer's notification
  3. Incident aggregation — logic to combine multiple deployer reports of the same underlying issue into a single Art.73 report

The NCA will examine whether deployer notifications were received and actioned appropriately. Your monitoring logs (Art.72) provide the corroborating evidence.
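
The three components above, together with the awareness clock from the reporting timelines, fit in one small intake module. This is an added example, not code from the original post: the function names, the `issue_key` assigned at triage, the demo key and the sample reports are all hypothetical, and working days are counted as Monday to Friday with no public holidays.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

RECEIPT_KEY = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM

def add_working_days(start: datetime, days: int) -> datetime:
    """Advance N working days, skipping Sat/Sun (public holidays not modelled)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def _mac(receipt: dict) -> str:
    body = {k: v for k, v in receipt.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(RECEIPT_KEY, payload, hashlib.sha256).hexdigest()

def receive(cases: dict, deployer_id: str, issue_key: str, report: dict,
            received_at: datetime) -> dict:
    """Issue a timestamped, MAC-protected receipt and file it under its issue."""
    digest = hashlib.sha256(json.dumps(report, sort_keys=True).encode()).hexdigest()
    receipt = {"deployer_id": deployer_id, "issue_key": issue_key,
               "report_sha256": digest, "received_at": received_at.isoformat()}
    receipt["mac"] = _mac(receipt)
    cases.setdefault(issue_key, []).append(receipt)
    return receipt

def verify(receipt: dict) -> bool:
    return hmac.compare_digest(receipt.get("mac", ""), _mac(receipt))

def aggregate(cases: dict, issue_key: str, timeline_days: int) -> dict:
    """One record per issue; the clock starts at the earliest receipt."""
    receipts = cases[issue_key]
    aware = min(datetime.fromisoformat(r["received_at"]) for r in receipts)
    return {"issue_key": issue_key, "aware_at": aware,
            "deployers": sorted({r["deployer_id"] for r in receipts}),
            "nca_deadline": add_working_days(aware, timeline_days)}

def constructed_case() -> dict:
    """Constructed sample: two deployers report the same issue days apart."""
    cases = {}
    fri = datetime(2026, 9, 4, 10, 0, tzinfo=timezone.utc)  # a Friday
    receive(cases, "dep-b", "ISSUE-1", {"summary": "misrouted alert"}, fri + timedelta(days=3))
    receive(cases, "dep-a", "ISSUE-1", {"summary": "alert misrouted"}, fri)
    return cases

if __name__ == "__main__":
    print(aggregate(constructed_case(), "ISSUE-1", timeline_days=15))
```

The deadline is derived from the earliest receipt even when a later report was filed first, and editing `received_at` on a stored receipt makes `verify` fail.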


Stage 3: Art.74 NCA Market Surveillance — The Inspection Trigger

How Art.73 Reports Trigger Art.74 Inspections

Art.73 reports are submitted to the national competent authority responsible for market surveillance in the member state where the provider is established (or, for non-EU providers, where the authorized representative is located). Once the NCA receives an Art.73 report, Art.74 gives them authority to:

What NCAs Examine First

Based on Art.74 inspection scope and the incident that triggered the inspection, NCAs will first examine:

From your Art.72 monitoring system:

From your Art.73 report:

From your Art.11 technical documentation:

The Art.64 Documentation Package

Art.64 gives NCAs the right to access all information and data "necessary for the purpose of market surveillance." When your Art.73 incident report arrives at the NCA, prepare to produce within 48-72 hours:

NCA Documentation Package (Art.64 Access)
├── technical_documentation/          # Art.11 complete package
│   ├── system_description.pdf
│   ├── risk_management_records.pdf   # Art.9
│   ├── training_data_documentation.pdf # Art.10
│   ├── human_oversight_procedures.pdf  # Art.14
│   └── conformity_assessment.pdf
├── monitoring_data/                   # Art.72 records
│   ├── incident_logs_[date_range].json
│   ├── performance_metrics.csv
│   └── anomaly_detection_log.json
├── incident_record/                   # Art.73 record
│   ├── initial_report.pdf
│   ├── intermediate_report.pdf
│   ├── deployer_notifications/        # Timestamped chain
│   └── corrective_actions_taken.pdf
└── source_code/                       # Art.74(2) if requested
    └── inference_pipeline/            # AI inference components

Building the Pipeline: Engineering Checklist

Art.72 Monitoring — Build This First

Art.73 Incident Classification — Build This Second

Art.74 NCA Readiness — Build This Third


Monitoring Data on EU-Sovereign Infrastructure

One operational detail that NCAs are starting to examine: where your Art.72 monitoring data lives. Market surveillance authorities have jurisdiction over EU-deployed AI systems, but if your monitoring data is stored on AWS (US-parent, CLOUD Act exposure) or similar US cloud infrastructure, NCAs face a practical access problem. The data is technically on EU servers but legally reachable by US authorities.

For Art.74 compliance, the cleaner architecture stores your monitoring logs on infrastructure without US-parent legal exposure — Hetzner, OVHcloud, or a managed PaaS like sota.io running on Hetzner Germany. This removes the CLOUD Act ambiguity from your Art.72 compliance posture before NCAs inspect it.


Timeline: What to Complete Before August 2, 2026

| By | Task |
|---|---|
| Now | Design Art.72 monitoring data model and instrumentation plan |
| 4 weeks | Implement continuous performance metrics collection |
| 6 weeks | Deploy incident classification pipeline with Art.73 threshold logic |
| 8 weeks | Complete NCA documentation package assembly automation |
| August 2, 2026 | Full AI Act enforcement — all Art.72/73/74 obligations active |

Key Takeaways

The Art.72→Art.73→Art.74 pipeline is not three separate compliance workstreams. It is one integrated evidence chain:

  1. Art.72 monitoring generates the raw data
  2. Art.73 classification logic determines when that data triggers a report
  3. Art.73 reports automatically open your system to Art.74 NCA inspection
  4. Your monitoring infrastructure becomes the primary evidence corpus NCAs examine

Build the pipeline end-to-end before August 2, 2026. Post #4 in this series covers Art.82 formal non-compliance notifications — what happens when Art.74 inspections identify compliance gaps.

