EU AI Act Article Explainer

Article 72 of the EU AI Act: Post-Market Monitoring

Article 72 is the provider's lifetime-monitoring duty for high-risk AI systems. It requires an active, documented, plan-based surveillance system that feeds back into the continuous-compliance evaluation under Chapter III Section 2. This explainer covers what the duty requires, how the plan sits inside the Annex IV technical documentation, and how the monitoring feeds the Article 73 serious-incident reporting flow.

What Article 72 requires

Providers of high-risk AI systems must establish and document a post-market monitoring system that is proportionate to the technology and the system's risks, and must operate it actively and systematically across the system's lifetime.

The four moving parts of Article 72

  • Art 72(1) — Proportionate system. Establish and document a monitoring system sized to the technology and the system's risks. One size does not fit all high-risk AI products.
  • Art 72(2) — Active collection and analysis. Actively and systematically collect, document, and analyse relevant data (deployer-provided or otherwise) on performance across the lifetime, to evaluate continuous compliance with the statutory requirements for high-risk AI systems. Where relevant, this includes analysis of interaction with other AI systems. A carve-out excludes sensitive operational data of law-enforcement deployers.
  • Art 72(3) — Post-market monitoring plan. The monitoring system must be based on a written plan, filed inside the technical documentation (Annex IV). A Commission implementing act establishing a template for the plan is due by 2 February 2026.
  • Art 72(4) — Sectoral integration. Providers of systems already covered by Annex I Section A Union harmonisation legislation — and financial-institution providers of Annex III point 5 systems — may integrate Art 72 elements into the existing sectoral monitoring rather than running a parallel AI-Act system.

The monitoring is not a one-off product-safety check. It is a continuous-evaluation system that feeds back into the provider's Chapter III Section 2 compliance posture for the full market life of the system.

"Actively and systematically" — why a dormant pipeline fails

The statute's wording is load-bearing. Passive collection (logs piling up in a bucket that nobody reviews) does not satisfy the duty. "Actively" means a named owner and a review cadence. "Systematically" means a documented method and defined metrics against defined thresholds.

Three data sources the monitoring is expected to cover

  • Deployer-supplied signals — the richest source of real-world performance data. Providers are expected to have a deployer-reporting channel wired in; ignoring this stream breaks the "relevant data which may be provided by deployers" limb of the duty.
  • Telemetry from deployed systems — where technically available under the provider's control, subject to Article 19 log-retention rules and the data-protection overlay.
  • Independent sources — press, civil society, complaints, regulator inquiries. Monitoring cannot be self-referential; external signals must enter the pipeline.

Law-enforcement operational data is excluded

Art 72(2) explicitly carves out "sensitive operational data of deployers which are law-enforcement authorities." Ingesting that stream is a data-protection breach regardless of Art 72; scope it out of the pipeline from day one.

The monitoring plan — Annex IV, not a separate tracker

The plan is part of the technical documentation referred to in Annex IV — not a separate sectoral-quality tracker or a marketing-ops dashboard. Filing the plan outside Annex IV triggers duplicate retention and drift between the two surfaces over time.

A Commission implementing act establishing the plan template is due by 2 February 2026. Until it publishes, providers structure the plan around the Art 72(1)–(2) elements: data sources, metrics watched, thresholds for investigation, escalation paths, and review cadence. Once the template publishes, mapping the existing plan to the template is mechanical if you built it structurally to begin with.

Post-market monitoring feeds serious-incident reporting

Article 72 and Article 73 are the two ends of the same pipeline. Art 72 is the continuous surveillance; Art 73 is the reporting duty that fires when the surveillance detects a serious incident [src]. A monitoring system with no wired escalation to Art 73 reporting is incomplete.

Concretely: the incident trigger runbook names the metric thresholds, the investigation path, and the Art 73 notification deadlines. Providers that sever the two obligations end up with monitoring that finds nothing worth reporting or reporting that has no monitoring to feed it — both are audit red flags.

Sectoral integration: medical devices, machinery, and financial services

For high-risk AI systems covered by the Union harmonisation legislation in Annex I Section A (medical devices, in vitro diagnostics, machinery, radio equipment, and others), Article 72(4) allows providers to integrate the AI-Act monitoring elements into the existing sectoral post-market surveillance system, provided the combined system provides an equivalent level of protection. The same option applies to financial-institution providers of Annex III point 5 (creditworthiness, life/health insurance) systems.

The integration path is the intended route for sectoral providers: running a separate AI-Act monitoring parallel to a MDR/IVDR/MiFID monitoring duplicates cost, creates consistency risk, and misses the statute's explicit invitation to unify them.

When does Article 72 apply?

Under the current Regulation, Article 72 applies from 2 August 2026 with the rest of the high-risk regime [src]. For any high-risk AI system placed on the Union market on or after that date, the monitoring system and plan must exist — and the first review cycle should ideally run before the date, so the inaugural review log and corrective-action tracker exist at the compliance point. A Commission Omnibus proposal may shift selected Annex III high-risk application dates; track status before finalising your compliance timeline.

The plan template (Commission implementing act due 2 February 2026) will publish ahead of the general-application date, giving providers roughly six months to map an existing structured plan onto the template.

Penalties for inadequate monitoring

Failing to establish or operate a compliant post-market monitoring system is a provider-obligation breach. Fines fall under the operator-obligations tier: up to EUR 15 million or 3% of worldwide annual turnover, whichever is higher [src]. SMEs and start-ups benefit from the inverted SME cap — the lower of the absolute figure or the percentage applies.

The audit pattern is predictable: a market surveillance authority that receives an Art 73 serious-incident report and asks for the monitoring plan and review cycles that surfaced it. A provider that produces neither has two breaches stacked, not one.

Check whether Article 72 applies to your AI stack

Scan your AI stack to see whether you are a provider of a high-risk AI system — if so, see the full provider obligation set including post-market monitoring. Free, no signup.

Scan Your AI Stack Free

Related Guides

This article explains Article 72 of the EU AI Act (Regulation 2024/1689). It is not legal advice. The "proportionate" scope test in Art 72(1) and the "equivalent level of protection" test for sectoral integration in Art 72(4) are interpretive and depend on the specific technology and the sectoral regime. The Commission implementing act establishing the monitoring plan template is due 2 February 2026 and will further specify the plan structure. Consult qualified counsel for formal compliance assessment.