EU AI Act glossary

Post-Market Monitoring

Post-market monitoring is the continuous process by which AI providers actively collect and analyse data on their deployed systems to identify risks and ensure ongoing compliance with the EU AI Act.

Last updated 17 June 2026

Definition

Post-market monitoring (PMM) is the systematic process through which an AI provider actively collects and reviews information about deployed AI systems to identify risks that were not present or apparent at the time of conformity assessment.

Article 72 of the EU AI Act makes post-market monitoring mandatory for providers of high-risk AI systems. The obligation begins once the system is placed on the market and continues for the system's operational lifetime.

What post-market monitoring requires

Providers must establish and document a PMM plan covering:

  1. Data collection — what data is collected from deployed instances, how, and with what frequency
  2. Analysis procedures — how collected data is reviewed to identify performance degradation, drift, or new risks
  3. Threshold-based escalation — criteria that trigger an incident report to market surveillance authorities
  4. Feedback loops — how insights from monitoring feed into model updates and documentation updates
  5. Retention — how long monitoring logs are kept (minimum ten years after placing on market)

Relationship to Annex IV

Section 5 of the Annex IV technical file requires the provider to describe the system's monitoring capabilities, including:

  • Logging functionality built into the system
  • Metrics tracked during deployment
  • Frequency of performance reviews
  • The post-market monitoring plan itself (or a reference to it)

Reviewers routinely flag missing or vague PMM sections as the most common Annex IV gap in SaaS AI providers.

Serious incident reporting

Article 73 requires providers to report serious incidents to the relevant market surveillance authority without undue delay. A serious incident is defined as an incident that directly or indirectly leads to:

  • Death or serious harm to health
  • Serious and irreversible disruption of critical infrastructure
  • Infringement of obligations under Union law protecting fundamental rights
  • Serious property damage

The PMM system must be capable of detecting and flagging events that may constitute serious incidents before the provider is even aware of harm.

The operational reality for SaaS providers

For SaaS companies deploying high-risk AI, PMM is not an annual audit — it is a continuous operational process. In practice, this means:

  • Model performance dashboards connected to production traffic
  • Automated alerts on metric drift beyond defined thresholds
  • Regular (at minimum quarterly) human review of model outputs against expected ranges
  • A documented escalation path to a named responsible person

modeldocs connects to your existing monitoring infrastructure (Grafana, MLflow, custom dashboards) and maps live metric evidence to the Annex IV §5 requirements automatically.

→ Run the Readiness Check to assess your current monitoring coverage, or read about the complete Annex IV requirements.

Check your Annex IV coverage

Nine questions. Two minutes. See exactly which sections of your technical file are missing evidence.

Run the free readiness check