EU AI Act post-market monitoring obligations
EU AI Act post-market monitoring obligations
Deploying a high-risk AI system is not a one-time event. Under the EU AI Act, providers must keep watching their systems after launch, collecting data, detecting problems, and reporting serious incidents to national authorities. Article 72 sets out this post-market monitoring obligation, and it applies to every provider placing a high-risk AI system on the EU market.
What the EU AI Act says
Article 72 of the EU AI Act requires providers of high-risk AI systems to establish and document a post-market monitoring system before their system goes to market. The system must actively collect, record, and analyse data on the performance of the AI system throughout its entire operational lifetime. This is not passive logging. The obligation is to have a proactive plan that continuously checks whether the system is performing as intended and whether any new risks have emerged.
The post-market monitoring system must be proportionate to the nature of the AI technology and the risks associated with the high-risk AI system. The data gathered must feed back into the provider’s risk management processes, creating a closed loop between real-world performance and ongoing risk controls.
Article 73 adds a separate, urgent obligation: serious incident reporting. When a provider becomes aware of a serious incident, meaning a malfunction or unintended outcome that results in death, serious harm to health, a significant disruption to critical infrastructure, serious property damage, or a violation of fundamental rights obligations, they must report it to the relevant national market surveillance authority. The reporting window is tight: 15 days from when the provider becomes aware of the incident. For incidents that pose an imminent risk, the window is even shorter.
Who this applies to
The post-market monitoring obligation falls primarily on providers: the entities that develop and place high-risk AI systems on the EU market, or put them into service. If you built the system and you carry the CE marking responsibility, you are the provider and these obligations are yours.
Deployers (organisations that use a high-risk AI system in a professional context) have a narrower but still important role. Under Article 26, deployers must monitor the operation of the AI system based on instructions of use provided by the provider. If a deployer identifies a risk, a serious incident, or a near-miss, they must notify the provider promptly. Deployers cannot simply assume the provider is catching everything. They have a duty to report what they observe in their specific operational context.
This division of responsibility matters in practice. A startup building a high-risk AI system and licensing it to enterprise customers is the provider. Those enterprise customers are deployers. Both have monitoring duties, but the provider carries the heavier documentation and reporting burden.
What the obligation requires concretely
A compliant post-market monitoring system must cover several specific areas:
- Performance tracking: Measure whether the system continues to meet its intended purpose. This means defining performance metrics upfront and logging them continuously in production.
- Safety monitoring: Track whether the system produces outputs that could cause harm, including edge cases not encountered during testing.
- Data and model drift: AI systems can degrade when the real-world data they encounter shifts away from their training distribution. Your monitoring system must detect this drift and trigger a review when thresholds are crossed.
- Incident logging: Maintain a record of all anomalies, near-misses, and incidents, regardless of severity. Serious incidents trigger the Article 73 reporting obligation, but all incidents should be logged for internal review.
- Feedback loops from deployers: Establish a structured process for receiving information from deployers and end users about problems encountered in operation.
All of this must be documented. The technical documentation required under Article 11 and Annex IV must include a description of the post-market monitoring plan, including the metrics used, the data collection methods, and the review schedule.
Connecting post-market monitoring to your Article 9 risk management system
Article 9 requires providers to establish, implement, document, and maintain a risk management system throughout the entire lifecycle of the high-risk AI system. Post-market monitoring is the mechanism that keeps Article 9 alive after deployment.
In practice, this means your risk management system and your monitoring system must be linked. When your monitoring detects a new risk or a performance degradation, that finding must feed back into your risk register and trigger a review of your existing risk controls. If a control is no longer effective, you must update it. The risk management system is not a document you write once before launch. It is a living process that post-market monitoring keeps honest.
Similarly, your quality management system under Article 17 must include procedures for acting on post-market monitoring findings, including escalation paths, review cycles, and criteria for triggering corrective action. And all findings that materially affect the system’s risk profile must flow into the logs maintained as part of your Article 9 risk management documentation.
Deployers who use the AI system within their own infrastructure also need to consider how their Article 26 obligations connect to the provider’s monitoring plan, particularly around incident reporting and operational oversight.
Key deadlines
- February 2 2025: Article 5 prohibited AI practices are already in force. If your system falls into a prohibited category, no amount of monitoring makes it compliant.
- August 2 2026: GPAI model obligations and Article 50 transparency requirements apply. Fines for GPAI violations can reach EUR 15 million or 3% of global annual turnover.
- December 2 2027: Annex III high-risk AI system obligations fully apply, including Article 72 post-market monitoring. This is the primary deadline for most high-risk AI providers.
December 2027 may feel distant, but building a compliant post-market monitoring system takes time. You need to define your metrics, instrument your system, set up logging infrastructure, create reporting workflows, and document everything. Starting this in 2027 is starting too late.
What to do now
- Determine if you are a provider or deployer for each AI system you operate. The obligations differ significantly, and misclassifying your role is a common compliance gap.
- Map your high-risk AI systems against Annex III categories. Not every AI system is high-risk. Focus your compliance resources on those that are.
- Define performance metrics now, before deployment if possible. Retrofitting monitoring onto a live system is harder and produces incomplete historical data.
- Establish incident logging immediately. The Article 73 15-day reporting window starts from awareness. If you have no logging, you may miss the trigger entirely.
- Document your monitoring plan as part of your technical documentation. The plan itself is a compliance artefact that auditors and market surveillance authorities will review.
- Assign ownership. Post-market monitoring cannot be a background task. Someone in your organisation needs to own it, review the data, and escalate findings.
- Connect monitoring to your risk management system. Run a review cycle at least annually, or whenever monitoring surfaces a significant finding.
Check your obligations
Use the free ActComply risk screener to check your obligations: https://www.getactcomply.com/check
The screener takes less than five minutes and gives you a clear read on which EU AI Act requirements apply to your specific system, including post-market monitoring and incident reporting.