BSA Seeks Streamlined AI Incident Governance

The Business Software Alliance (BSA) is advising legislators to make sure that future incident-reporting regulations are reasonable, unambiguous, and consistent with current legislation while the EU continues to concentrate on the implementation of the AI Act.

BSA stressed that incident reporting should concentrate on truly substantial impacts, such as those that materially affect people’s health or safety, interfere with vital infrastructure, or gravely violate fundamental rights, in its response to the most recent European Commission consultation.

The system must focus regulatory attention and resources where they are most required to stay effective, rather than sweeping routine errors or low-risk incidents into a high-stakes reporting regime.

“We fully support early-warning mechanisms that help authorities detect real risks,”

said Hadrien Valembois, Senior Manager, Policy — EMEA at BSA.

“But if organizations are required to report alerts every time an AI model hiccups, the system will become noisy, costly, and less capable of spotting the serious incidents. Moreover, in line with the ongoing European simplification agenda’s exercise, we urge EU policymakers to avoid duplicative, overlapping reporting for AI and other cybersecurity laws. Europe should maintain the AI Act’s strong risk-based foundation, and make sure reporting obligations follow that same logic.”

Throughout the AI Act’s development, BSA has continuously pushed for a pragmatic, risk-based approach to AI regulation that avoids needless duplication with GDPR, NIS2, the Cyber Resilience Act, and other current frameworks in accordance with the EU Simplification Agenda and offers clear accountability throughout the AI value chain.

We are still prepared to collaborate with legislators to provide supervision that fosters innovation and competitiveness while bolstering trust.