AI liability risk is distributed across providers, deployers, and users through the revised Product Liability Directive (Directive 2024/2853), the proposed AI Liability Directive, and contractual allocations, with the EU establishing a disclosure mechanism that shifts the burden of proof toward AI providers and deployers in fault-based claims.
Legal Liability Risk in AI: Allocation, Insurance, and Contractual Protections
The AI Liability Landscape
Determining who is liable when an AI system causes harm is one of the most complex legal questions in the technology sector. The EU has responded with two legislative instruments: the revised Product Liability Directive (Directive 2024/2853, adopted November 2024) and the proposed AI Liability Directive (COM/2022/496), which adapts fault-based liability rules for AI. Together with the EU AI Act's obligation framework, these instruments distribute liability across the AI value chain.
Liability Framework Comparison
| Instrument | Liability Type | Who Is Liable | Key Mechanism |
|---|---|---|---|
| Revised Product Liability Directive | Strict (no-fault) | Manufacturer/importer/AI provider | AI software is a product; defect presumption for complex systems |
| Proposed AI Liability Directive | Fault-based | Provider/deployer who breached duty of care | Disclosure of evidence; rebuttable presumption of causation |
| EU AI Act | Regulatory (administrative) | Provider/deployer per role-based obligations | Fines up to 7% global turnover; compliance as liability shield |
| GDPR | Administrative + civil | Controller/processor | Article 82 right to compensation for damages |
| National tort law | Varies (fault/strict) | Varies by jurisdiction | Residual national rules apply where EU instruments do not cover |
Revised Product Liability Directive and AI
The revised Product Liability Directive (Directive 2024/2853), applicable from December 2026, explicitly includes software and AI systems within the definition of product. This means providers of AI systems that cause damage (death, personal injury, property damage, data loss) face strict liability without requiring proof of fault. The Directive introduces a presumption of defectiveness where the claimant demonstrates non-compliance with mandatory safety requirements, including EU AI Act obligations.
The Directive also addresses the opacity challenge: where a product's complexity makes it excessively difficult for the claimant to prove defectiveness or causation, courts may presume defectiveness based on circumstantial evidence. This is particularly relevant for AI systems where internal decision-making is not fully explainable.
Proposed AI Liability Directive
The proposed AI Liability Directive addresses fault-based civil liability. Its core mechanism is a right of disclosure: courts can order AI providers or deployers to disclose evidence about the AI system where the claimant has presented facts and evidence sufficient to support the plausibility of a claim. Where a provider or deployer fails to comply with a disclosure order, the court may presume non-compliance with the relevant duty of care.
A rebuttable presumption of causation applies where the court has established fault (including non-compliance with EU AI Act obligations) and it is reasonably likely that the fault influenced the AI output that caused the damage.
Contractual Liability Allocation
Beyond statutory liability, contractual frameworks distribute AI risk between parties. Key contractual provisions include indemnification clauses specifying which party bears liability for AI-related harm, liability caps that may limit but cannot eliminate statutory liability, warranty provisions regarding AI system performance and compliance, insurance requirements mandating minimum coverage levels, and audit rights enabling verification of AI system compliance.
Insurance Considerations
Traditional product liability and professional indemnity insurance policies may not adequately cover AI-specific risks. Insurers are developing AI-specific coverage addressing algorithmic errors and omissions, data bias claims, IP infringement from AI-generated outputs, and regulatory defense costs under the EU AI Act. Organisations should review existing coverage with insurers to identify gaps and obtain endorsements or standalone AI liability policies where necessary.
Risk Mitigation Through Compliance
- EU AI Act compliance creates a partial liability shield: compliance with harmonised standards creates a presumption of conformity that strengthens defensive positions
- Maintain comprehensive documentation of AI system design, testing, and monitoring as evidence of reasonable care
- Implement robust post-market monitoring to detect and address issues before they cause harm
- Establish clear contractual liability allocation with AI vendors, customers, and partners
- Obtain appropriate insurance coverage that explicitly addresses AI-specific risks
- Conduct regular fundamental rights impact assessments as required by Article 27 for deployers
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.