Regulatory Reporting API
The Regulatory Reporting API supports EU AI Act Article 62 serious-incident workflows. It adds authority follow-up entries to issue tickets, generates structured incident reports, exports report PDFs, and returns a space-level regulatory incident dashboard.
All paths below are under /api/v1.0/regulatory. Ticket endpoints require ticket view or edit permissions. The dashboard requires access to the target space.
Endpoints Overview
| Method | Endpoint | Description |
|---|---|---|
POST | /tickets/{ticket_id}/regulatory-follow-ups | Add an authority or investigation follow-up to a ticket. |
GET | /tickets/{ticket_id}/regulatory-follow-ups | List follow-ups for a ticket. |
GET | /tickets/{ticket_id}/regulatory-report | Generate a structured incident report. |
GET | /tickets/{ticket_id}/regulatory-report/pdf | Download the report as a PDF response. |
GET | /spaces/{slug}/regulatory-dashboard | Get dashboard counts for classified regulatory incidents. |
Classification Scope
Dashboard counts include tickets whose regulatory_classification is present and not none. Open, overdue, and approaching counts exclude tickets with status resolved or closed; resolved count includes both resolved and closed classified tickets.
Current serious-incident classifications are health_safety, infrastructure, and fundamental_rights. Legacy severity classifications such as severe, high, and medium may appear in older tickets and dashboard breakdowns.
Add Follow-Up
POST /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-follow-ups
{
"submitted_at": "2026-06-29T10:30:00Z",
"authority_name": "National competent authority",
"reference_number": "NCA-2026-001",
"summary": "Submitted initial notification and received acknowledgement."
}
submitted_at, authority_name, and reference_number are optional. If submitted_at is omitted, Qarion uses the current time. Creating a follow-up emits an audit event with resource type regulatory_follow_up.
List Follow-Ups
GET /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-follow-ups
Follow-ups are returned in ascending submitted_at order.
Structured Report
GET /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-report
The response combines issue data, authority notification fields, root cause and corrective-action fields, linked AI system metadata, follow-up history, and reporter/assignee names.
Key response fields include:
| Field | Description |
|---|---|
ticket_id, title, description | Source issue identity and description. |
classification, deadline | Regulatory classification and deadline from the ticket. |
authority_notified_at, authority_name, authority_reference_number | Authority notification tracking. |
created_at, resolved_at | Ticket timeline fields. |
root_cause, resolution_summary, preventive_measures | Investigation and corrective-action details. |
ai_systems | Linked product and AI model metadata such as provider, EU registration ID, architecture, and deployment status. |
follow_ups | Follow-up entries in chronological order. |
reporter_name, assignee_name | Human context from the issue ticket. |
PDF Export
GET /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-report/pdf
Returns a streamed response with Content-Type: application/pdf and a filename of regulatory_report_{ticket_id}.pdf. If the PDF renderer is unavailable in the runtime, the service falls back to rendering the report HTML into the response buffer.
Regulatory Dashboard
GET /api/v1.0/regulatory/spaces/{slug}/regulatory-dashboard
{
"total_open": 4,
"total_overdue": 1,
"total_approaching": 2,
"total_resolved": 8,
"by_classification": [
{ "classification": "health_safety", "count": 3 },
{ "classification": "fundamental_rights", "count": 2 }
]
}
total_approaching counts non-resolved classified tickets with a regulatory deadline within the next seven days and not already overdue.
Error Responses
| Status | Description |
|---|---|
403 | User lacks ticket or space access. |
404 | Ticket or generated report not found. |
422 | Invalid UUID or request payload. |