IAPP Europe Congress 2026
Privacy | AI governance | Cybersecurity law
BRUSSELS
16-19 November
Critical System Down: AI Incident Law When Everything is at Stake
Thursday, 19 Nov.
16:30 - 17:30 CET
Intermediate level
When AI fails in aerospace, energy, or financial infrastructure, legal exposure does not wait for you to determine which framework applies. The EU AI Act's Article 73 incident reporting, GDPR's 72-hour breach clock and NIS2's cybersecurity obligations activate simultaneously against the same facts, with different triggers, different timelines and different supervisory authorities, each expecting to hear from you first. Most practitioners have a framework for one. Almost none have a framework for all three at once, under pressure, with regulators already watching. This session closes that gap. A senior strategic advisor in AI law at the Dutch Data Protection Authority and a U.S. aerospace AI general counsel and military judge advocate built their incident response frameworks the hard way: before the rules were codified, inside real companies, under real stakes. Here, they open both playbooks simultaneously, running the same critical infrastructure AI incident live from opposite sides of the enforcement relationship.
What you will learn:
- Which EU AI Act, GDPR and NIS2 obligations activate when critical infrastructure AI fails and which authority leads when all three claim jurisdiction at once.
- The documentation gaps, notification errors and organizational failures that decide outcomes before lawyers finish their first draft.
- A practitioner-tested framework for triaging AI failures across three regimes, demonstrated live from both sides of the enforcement relations
Featured in this session

Annemarie Bloemen-Patberg
Senior Strategic Advisor AI Law
Dutch Data Protection Authority (Autoriteit Persoonsgegevens)

Amanda Molina
AIGP
General Counsel of Artificial Intelligence and Cyber
Honeywell Aerospace