Skip to main content

Regulatory Reporting API

The Regulatory Reporting API supports EU AI Act Article 62 serious-incident workflows. It adds authority follow-up entries to issue tickets, generates structured incident reports, exports report PDFs, and returns a space-level regulatory incident dashboard.

All paths below are under /api/v1.0/regulatory. Ticket endpoints require ticket view or edit permissions. The dashboard requires access to the target space.

Endpoints Overview

MethodEndpointDescription
POST/tickets/{ticket_id}/regulatory-follow-upsAdd an authority or investigation follow-up to a ticket.
GET/tickets/{ticket_id}/regulatory-follow-upsList follow-ups for a ticket.
GET/tickets/{ticket_id}/regulatory-reportGenerate a structured incident report.
GET/tickets/{ticket_id}/regulatory-report/pdfDownload the report as a PDF response.
GET/spaces/{slug}/regulatory-dashboardGet dashboard counts for classified regulatory incidents.

Classification Scope

Dashboard counts include tickets whose regulatory_classification is present and not none. Open, overdue, and approaching counts exclude tickets with status resolved or closed; resolved count includes both resolved and closed classified tickets.

Current serious-incident classifications are health_safety, infrastructure, and fundamental_rights. Legacy severity classifications such as severe, high, and medium may appear in older tickets and dashboard breakdowns.

Add Follow-Up

POST /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-follow-ups
{
"submitted_at": "2026-06-29T10:30:00Z",
"authority_name": "National competent authority",
"reference_number": "NCA-2026-001",
"summary": "Submitted initial notification and received acknowledgement."
}

submitted_at, authority_name, and reference_number are optional. If submitted_at is omitted, Qarion uses the current time. Creating a follow-up emits an audit event with resource type regulatory_follow_up.

List Follow-Ups

GET /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-follow-ups

Follow-ups are returned in ascending submitted_at order.

Structured Report

GET /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-report

The response combines issue data, authority notification fields, root cause and corrective-action fields, linked AI system metadata, follow-up history, and reporter/assignee names.

Key response fields include:

FieldDescription
ticket_id, title, descriptionSource issue identity and description.
classification, deadlineRegulatory classification and deadline from the ticket.
authority_notified_at, authority_name, authority_reference_numberAuthority notification tracking.
created_at, resolved_atTicket timeline fields.
root_cause, resolution_summary, preventive_measuresInvestigation and corrective-action details.
ai_systemsLinked product and AI model metadata such as provider, EU registration ID, architecture, and deployment status.
follow_upsFollow-up entries in chronological order.
reporter_name, assignee_nameHuman context from the issue ticket.

PDF Export

GET /api/v1.0/regulatory/tickets/{ticket_id}/regulatory-report/pdf

Returns a streamed response with Content-Type: application/pdf and a filename of regulatory_report_{ticket_id}.pdf. If the PDF renderer is unavailable in the runtime, the service falls back to rendering the report HTML into the response buffer.

Regulatory Dashboard

GET /api/v1.0/regulatory/spaces/{slug}/regulatory-dashboard
{
"total_open": 4,
"total_overdue": 1,
"total_approaching": 2,
"total_resolved": 8,
"by_classification": [
{ "classification": "health_safety", "count": 3 },
{ "classification": "fundamental_rights", "count": 2 }
]
}

total_approaching counts non-resolved classified tickets with a regulatory deadline within the next seven days and not already overdue.

Error Responses

StatusDescription
403User lacks ticket or space access.
404Ticket or generated report not found.
422Invalid UUID or request payload.