When a high-risk AI system malfunctions or produces an incident, deployers must notify the relevant authority within 72 hours. Most organisations are not ready.
When a high-risk AI system malfunctions or produces an incident, deployers must notify the relevant authority within 72 hours. Most organisations do not yet have the detection, escalation, and reporting infrastructure to meet this obligation reliably.
The 72-hour notification requirement is one of the EU AI Act's most operationally demanding obligations for deployers. It requires not just incident response procedures, but the human capacity to detect, assess, and report incidents within a timeframe that leaves no room for organisational hesitation.
The 72-hour clock starts when the deployer becomes aware — or should reasonably have become aware — of an incident. This creates a detection obligation that most organisations have not addressed.
If the people operating AI systems cannot recognise when an output is anomalous, incorrect, or harmful, the organisation may be in breach without knowing it. Detection requires not just monitoring systems, but human operators who understand what constitutes an incident and have the confidence to flag it.
This is where automation bias becomes operationally dangerous. If operators habitually accept AI outputs without scrutiny, anomalous outputs will not be detected — and the 72-hour clock will never start. The organisation will be non-compliant by default.
Once an incident is detected, it must be escalated through the appropriate channels to the person or function responsible for notification. In most organisations, this escalation path has not been designed, tested, or practised.
Effective escalation requires clear protocols, designated responsibilities, and — critically — the psychological safety to escalate without fear of blame. In organisations where reporting bad news carries career risk, incidents will be suppressed, delayed, or minimised. The 72-hour window will close before the notification is made.
Meeting the 72-hour notification requirement requires investment in three areas: detection capability (ensuring operators can identify incidents), escalation infrastructure (ensuring incidents reach the right people quickly), and reporting readiness (ensuring the organisation can compile and submit the required notification within the timeframe).
Each of these areas has a human dimension that cannot be addressed through technology or documentation alone. Detection requires trained, alert operators. Escalation requires psychological safety and clear authority. Reporting requires pre-prepared templates, designated responsibilities, and rehearsed procedures.
The Responsible AI Center's Deployer Readiness service includes assessment of notification readiness as part of the broader deployer compliance programme. We identify where the human and organisational conditions for timely notification are not in place — and design the interventions that address them.
Every engagement begins with a Discovery Conversation. Just an honest exchange about where your organisation stands and whether we are the right fit to help.
Book a Discovery Conversation