
Your first Art. 73 incident

Art. 73 of the EU AI Act requires providers of high-risk systems to file serious incidents with the national Market Surveillance Authority within a short SLA (10 days for death/serious harm, 2 days for critical-infrastructure disruption, 15 days default, 72 hours for widespread fundamental-rights breach).

Lex Custis ships the full workflow end-to-end.


Step 1 — file from a message

In a chat, find a response that shouldn't have happened. Click Report as incident in the oversight bar.

A form opens inline:

  • Classification — the Art. 3(49) category:
    • Death or serious harm to health (§49(a))
    • Critical-infrastructure disruption (§49(b))
    • Fundamental rights breach (§49(c))
    • Property or environment harm (§49(d))
  • Severity — low / medium / high / critical.
  • Description — free text (min 10 chars, max 8k).

Submit. The API call (POST /api/v1/incidents/):

  1. Creates an incidents row with detection_ts = now.
  2. Computes sla_target_ts = detection_ts + N days, where N is the classification-specific window.
  3. Links the incident to audit_log_id so the specific message is part of the record forever.
  4. Returns an IncidentResponse with an sla_status of within.

Step 2 — see it in the incidents dashboard

Open Incidents in the sidebar. The new incident is at the top with:

  • A status badge: Open (red).
  • An SLA traffic light: Within SLA (green) / At risk (amber, T-72h) / Breached (red).
  • The time remaining or over-run, calculated per classification.
  • Severity, classification, description preview.
  • Detection timestamp + SLA target.

Step 3 — work it through status

Click the incident to open the detail modal. The status machine:

open → under_review → reported_to_authority → resolved → closed
  │       │                                      │
  └───────┴──────────────────────────────────────┘
  (all of these can jump straight to closed if filed in error)

Transitions:

  1. → Under review. Your team is investigating.
  2. → Reported to authority. Submit to the MSA. You'll fill Authority (e.g. "Autoriteit Persoonsgegevens (NL MSA)") and optionally Submission reference (a ticket number from the MSA's portal). This freezes the SLA clock — status becomes met.
  3. → Resolved. Root cause identified, fix shipped, mitigation verified. You'll enter Resolution notes.
  4. → Closed. Final state. No further transitions allowed.

Each transition is recorded with the updating user + timestamp.
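The status machine above, enforced in code as an added example (this is not Lex Custis's own implementation): transition rules, the mandatory fields per transition, and the field names are assumptions modelled on this page's description and export JSON.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

ALLOWED = {  # forward path plus "jump straight to closed if filed in error"; closed is terminal
    "open": {"under_review", "closed"},
    "under_review": {"reported_to_authority", "closed"},
    "reported_to_authority": {"resolved", "closed"},
    "resolved": {"closed"},
    "closed": set(),
}
CLOCK_STOPPED = {"reported_to_authority", "resolved", "closed"}  # sla_status becomes "met"

class TransitionError(ValueError): pass

@dataclass
class Incident:  # assumed model; field names follow the export JSON on this page
    status: str = "open"
    sla_status: str = "within"
    authority: Optional[str] = None
    submission_reference: Optional[str] = None
    submission_ts: Optional[datetime] = None
    resolved_ts: Optional[datetime] = None
    resolution_notes: Optional[str] = None
    history: list = field(default_factory=list)  # (from, to, user, ts) per transition

def transition(inc: Incident, new_status: str, user: str, **fields) -> Incident:
    # Reject anything the machine does not allow, including any move out of "closed".
    if new_status not in ALLOWED.get(inc.status, set()):
        raise TransitionError(f"{inc.status} -> {new_status} is not allowed")
    now = datetime.now(timezone.utc)
    if new_status == "reported_to_authority":
        if not fields.get("authority"):
            raise TransitionError("authority is required when reporting to the MSA")
        inc.authority = fields["authority"]
        inc.submission_reference = fields.get("submission_reference")  # optional
        inc.submission_ts = now
    elif new_status == "resolved":
        if not fields.get("resolution_notes"):
            raise TransitionError("resolution notes are required to resolve")
        inc.resolution_notes = fields["resolution_notes"]
        inc.resolved_ts = now
    elif new_status == "closed":  # closing always needs notes, even when filed in error
        inc.resolution_notes = fields.get("resolution_notes") or inc.resolution_notes
        if not inc.resolution_notes:
            raise TransitionError("closing requires resolution notes")
    if new_status in CLOCK_STOPPED:
        inc.sla_status = "met"  # the SLA clock freezes once the filing is made
    inc.history.append((inc.status, new_status, user, now))  # who changed it, and when
    inc.status = new_status
    return inc
```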

Step 4 — export the regulator JSON

On the detail modal, Export regulator JSON downloads a file named incident_<uuid>.json containing:

{
  "incident_id": "…",
  "organization_id": "…",
  "classification": "fundamental_rights_breach",
  "severity": "high",
  "description": "…",
  "detection_ts": "2026-04-19T10:15:00+00:00",
  "sla_target_ts": "2026-05-04T10:15:00+00:00",
  "sla_status": "within",
  "status": "under_review",
  "authority": null,
  "submission_ts": null,
  "submission_reference": null,
  "resolved_ts": null,
  "resolution_notes": null,
  "audit_log_id": "…",
  "_format": "lex-custis/incident-export/v1",
  "_regulation": "EU AI Act (Regulation 2024/1689), Art. 73"
}

Attach this JSON to your regulator notification. It's the structured form the MSA's intake team can reference.

The same JSON also lands in the Annex IV dossier's incidents.json automatically, so quarterly filings have the full picture.

Step 5 — SLA alerts

Every time a user opens the Incidents list, the SLA traffic light is recalculated:

  • within — more than 72 hours until the deadline.
  • at_risk — 72 hours or less remaining. Visual warning.
  • breached — deadline passed. Persistent red badge.
  • met — status is reported_to_authority / resolved / closed.

At T-72h an email alert is queued to org admins (commercial — in OSS v0.1 you'll just watch the badge).
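The SLA arithmetic from Step 1 (sla_target_ts) and Step 5 (the traffic light and the remaining-time figure), as an added example that is not Lex Custis's code. The filing windows and the 72-hour at-risk threshold are the ones this page states; the classification enum values, the default-window fallback and the `widespread` flag (the page's 72-hour case is not a form field) are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Art. 73 windows as this page states them, keyed by the Art. 3(49) class the form offers.
# Enum values are assumed; fundamental_rights_breach gets the 15-day default, matching
# the export JSON above (2026-04-19 -> 2026-05-04).
SLA_WINDOWS = {
    "death_or_serious_harm": timedelta(days=10),
    "critical_infrastructure_disruption": timedelta(days=2),
    "fundamental_rights_breach": timedelta(days=15),
    "property_or_environment_harm": timedelta(days=15),
}
DEFAULT_WINDOW = timedelta(days=15)
WIDESPREAD_WINDOW = timedelta(hours=72)   # widespread fundamental-rights breach (assumed flag)
AT_RISK_THRESHOLD = timedelta(hours=72)   # amber badge, T-72h
CLOCK_STOPPED = {"reported_to_authority", "resolved", "closed"}

def _parse(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the export; naive input is treated as UTC."""
    dt = datetime.fromisoformat(ts)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def sla_target_ts(detection_ts: str, classification: str, widespread: bool = False) -> str:
    """Step 1: detection_ts + the classification-specific window, as an ISO string."""
    if classification == "fundamental_rights_breach" and widespread:
        window = WIDESPREAD_WINDOW
    else:
        window = SLA_WINDOWS.get(classification, DEFAULT_WINDOW)
    return (_parse(detection_ts) + window).isoformat()

def sla_status(status: str, sla_target: str, now: str) -> str:
    """Step 5 traffic light, recomputed on every dashboard load."""
    if status in CLOCK_STOPPED:
        return "met"                      # clock frozen once filed
    remaining = _parse(sla_target) - _parse(now)
    if remaining < timedelta(0):
        return "breached"                 # deadline passed, persistent red
    if remaining <= AT_RISK_THRESHOLD:
        return "at_risk"                  # 72 h or less left, amber
    return "within"

def hours_remaining(sla_target: str, now: str) -> float:
    """Dashboard figure: positive = time left, negative = over-run."""
    return (_parse(sla_target) - _parse(now)).total_seconds() / 3600
```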


Edge cases

What if we file prematurely, before all facts are clear? That's fine and expected — Art. 73 obliges you to file promptly after awareness, not after fully investigating. You can add detail via status transitions and resolution notes.

Who has access to file an incident? Any authenticated user in the org. This is intentional — the reporter may not be an admin, and delay is the worst enemy.

Can an incident be deleted? No. The audit_log_id FK uses ON DELETE RESTRICT. Incidents can only move to closed with resolution notes. This is deliberate, to match the Art. 73 record-retention spirit.

What if the MSA doesn't have an online portal? You still need a submission reference. Use an email reference or a physical-letter reference. The Commission is expected to standardise submission APIs in an implementing act; Lex Custis will add direct-submission integrations in the commercial edition as they come online.


Reality check

The biggest risk is not filing at all — you can't retroactively claim compliance if the MSA shows up with its own intake records and asks why they heard about the incident from a newspaper first.

File early, file often, file in the product. If an incident turns out to be below the Art. 73 threshold after investigation, close it with a note. That's still better than missing one that mattered.