🇪🇺 EU AI Act | ART72-INCIDENT | Rule: EUAIA-72-001 | critical

Serious incident reporting

Description

Article 72 — Providers report serious incidents to market-surveillance authorities within 15 days (or 2 days for widespread infringement / fatality / critical infrastructure disruption).

⚠️ Risk Impact

Late or absent incident reporting compounds the original incident with a separate regulatory violation. Article 72 timelines are short and unforgiving.

🔍 How EchelonGraph Detects This

EUAIA-72-001: Automated scanner rule

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.

🔧 Remediation

Document incident classification (serious vs minor), 15-day vs 2-day timeline triggers, and the notification template per national authority. Maintain a 'go-bag' for incident reports — fields pre-populated where possible.

💀 Real-World Attack Scenario

A facial-recognition vendor's product mis-identified a person at a border crossing as a suspect; the person was detained for 7 hours. The incident met Article 72 'serious incident' criteria but wasn't reported. When the EU AI Office's market-surveillance team learned of it via the press, the vendor faced both Article 14 (oversight) and Article 72 (reporting) violations.

💰 Cost of Non-Compliance

Article 72 reporting failure: up to €15M / 3% revenue + regulatory-probe escalation.

📋 Audit Questions

  1. Show me your incident classification matrix. What is 'serious'?
  2. What is the 15-day / 2-day timeline trigger?
  3. Who has authority to file the Article 72 report?
  4. When was the last Article 72 report filed?

🎯 MITRE ATT&CK Mapping

T1078 — Valid Accounts

⚡ Common Pitfalls

  • Classifying incidents as 'minor' to avoid the reporting burden
  • Missing the 2-day timeline because the classification path is slow
  • No pre-populated notification template — drafting from scratch under pressure produces errors

📈 Business Value

Article 72 readiness is a routine operational capability — pre-built templates + classification matrix reduce time-to-report from hours to minutes.

⏱️ Effort Estimate

Manual

1-2 weeks for matrix + templates + designated authorities

With EchelonGraph

EchelonGraph auto-classifies incidents and pre-populates Article 72 report templates

🔗 Cross-Framework References

AIRMF-MANAGE-2.1, GDPR-Art33
