AI incident reporting — serious incidents to authorities

Primary statement

AI incident reporting is governed by EU AI Act Article 73 (serious incidents: 15 days general / 2 days fundamental-rights infringement / 10 days for fatality), Article 52 GPAI systemic-risk notification, DPDPA Section 8 (breach), and CERT-In Direction 11. A single AI incident triggers multiple notification regimes.

Audit-fatigue payoff

A unified AI incident reporting playbook that covers the EU AI Act Art 73 timelines, GPAI Art 52, DPDPA breach and the CERT-In 6h window satisfies AI-incident requirements across all 6 contributing frameworks.

Strictness matrix

Scope
Scope: SERIOUS incidents involving high-risk AI on EU market, including death/serious harm, fundamental rights infringement, serious property damage, breach of EU law protecting fundamental rights.
Ceiling source: eu_ai_act:Art.73
Rationale: EU AI Act Art 73 specifies the most enumerated AI-incident scope.

Threshold
Threshold: 15 days general + 2 days for fundamental-rights infringement + 10 days for fatality. Tiered timelines. The 2-day fundamental-rights window is uniquely strict.
Ceiling source: eu_ai_act:Art.73
Rationale: EU AI Act Art 73 tiered timeline is the audit-defensible threshold.

Method
Method: per-Member-State competent authority contact register + tested escalation procedure + parallel DPDPA / CERT-In / GDPR coordination + Article 52 GPAI systemic-risk notification + AI-specific incident classification.
Ceiling source: eu_ai_act:Art.73
Rationale: EU AI Act Art 73 + Art 52 form the most prescriptive AI-incident method.

Frequency
Reporting: event-driven within tiered timelines.
Escalation procedure review: annual + post-incident.
Authority contact register refresh: quarterly.
Ceiling source: eu_ai_act:Art.73
Rationale: Event-driven within tiered timelines is the operational specification.

Evidence
Evidence: incident reporting playbook + per-Member-State authority contacts + sample incident submissions (if any) + escalation procedure + multi-regulator coordination matrix + post-incident review.
Ceiling source: eu_ai_act:Art.73
Rationale: EU AI Act Art 73 evidence with multi-regulator matrix is comprehensive.

Auditor test pattern

Step 1: Inspect AI incident reporting playbook.
Step 2: Verify per-Member-State authority contacts current.
Step 3: Verify multi-regulator coordination (EU AI Act + GDPR + DPDPA + CERT-In).
Step 4: Sample one historical incident; verify Article 73 tiered timeline compliance.
Step 5: For GPAI providers, verify Article 52 systemic-risk procedures.

Common findings

(1) Authority contacts outdated
(2) 2-day fundamental-rights timeline not pre-staged
(3) Multi-regulator coordination absent
(4) GPAI systemic-risk procedures absent