BRUSSELS - As the EU continues to focus on the implementation of the AI Act, the Business Software Alliance (BSA) is urging policymakers to ensure that upcoming incident-reporting rules remain clear, proportionate, and aligned with existing laws.

In its response to the latest European Commission consultation, BSA emphasized that incident reporting should focus on genuinely serious harms, e.g., those that materially impact people’s health or safety, disrupt critical infrastructure, or seriously infringe fundamental rights. To remain effective, the system must avoid sweeping routine glitches or low-risk events into a high-stakes reporting regime, and instead concentrate regulatory attention and resources where they are needed most.

“We fully support early-warning mechanisms that help authorities detect real risks,” said Hadrien Valembois, Senior Manager, Policy — EMEA at BSA. “But if organizations are required to report alerts every time an AI model hiccups, the system will become noisy, costly, and less capable of spotting the serious incidents. Moreover, in line with the ongoing European simplification agenda’s exercise, we urge EU policymakers to avoid duplicative, overlapping reporting for AI and other cybersecurity laws. Europe should maintain the AI Act’s strong risk-based foundation, and make sure reporting obligations follow that same logic.”

BSA has consistently advocated for a practical, risk-based approach to AI regulation throughout the development of the AI Act, one that provides clear accountability across the AI value chain while avoiding unnecessary duplication with GDPR, NIS2, the Cyber Resilience Act, and other existing frameworks, in line with the EU Simplification Agenda. We remain ready to continue working with policymakers to deliver oversight that strengthens trust while enabling innovation and competitiveness.