Summary:
High-risk AI providers must report any serious incident “immediately, and in any event, not later than 15 days”. Unlike the GDPR, which requires a report within 72 hours, the AI Act sets a maximum deadline of 15 days, but the report must be made as soon as the cause is established. There is no excuse for a delay, although a partial report is possible.
Original Article:
🤖⏰High-risk AI providers must report any serious incident “immediately, and in any event, not later than 15 days”. Yes, the #AIAct has a notification duty too.
Most of you are familiar with the GDPR’s article 33 that demands data breach notifications. Within 72 hours, as it’s commonly said. But the article is slightly more nuanced: “without undue delay and, where feasible, not later than 72 hours”. The Cyber Resilience Act has one for security vulnerabilities: “without undue delay and in any event within 72 hours” (art. 14(2)(b)). The same phrase occurs in NIS2 art. 23(4)(b).
I have no idea why it’s always 72 hours. But in the AI Act, it’s 15 days. Or rather: it is at most 15 days. If you establish what’s going on earlier, you must report it immediately after that.
In finance law, the European Court of Justice just issued its decision C-665/23 on how to interpret “without undue delay on becoming aware … no later than 13 months after the debit date”. The problem here was that a payment provider notified the customer within 13 months, but appeared to have sat on the information for quite some time. The ECJ confirmed that’s not the intent: the 13 months is the latest you could have reported, not the time you can twiddle your thumbs before hitting ‘Send’.
The same would apply to the AI Act’s incident notification. As soon as you’ve established the cause, you must notify. You don’t get to wait out what’s left of your 15 days after the incident occurred. You do it immediately, without delay (same thing: ECLI:EU:C:2019:676).
The GDPR is unique in that it has a “where feasible” qualifier, meaning that if you can’t make the 72 hours, you report later with an excuse note why you can’t. The AI Act has no such excuse. But under article 73(5), you can do a partial report on day 15 and send the rest later.