Europe AI & Data Rules Hub

Liability in AI Systems: A Practical Map

UpdatedSeptember 13, 2025

ByIuliia Gorshkova

Understanding the pathways to liability for artificial intelligence systems in Europe requires a map that is both legal and practical. For professionals deploying or developing AI, robotics, biotech interfaces, or complex data systems, the question of “who pays when it breaks” is not merely a theoretical exercise; it is a fundamental component of risk management and system design. The European legal landscape is currently undergoing a significant transformation, moving from a patchwork of national interpretations to a more harmonized, yet complex, ecosystem driven by the AI Act, the GDPR, and evolving jurisprudence. This article dissects the four primary pillars of liability—Product Liability, Negligence, Contractual Liability, and Professional Duty—analyzing how they interact and how they are being reshaped by new regulatory instruments.

The Evolving Regulatory Substrate

Before diving into specific liability pathways, it is essential to recognize the shifting ground beneath them. Historically, liability for software and automated systems was adjudicated under general principles of tort and contract law. However, the opacity and autonomy of modern AI—specifically systems based on machine learning—have strained these traditional frameworks. The European Commission’s proposal for an AI Liability Directive (AILD) and the final text of the AI Act (Regulation (EU) 2024/1689) aim to address this strain. While the AI Act focuses on regulatory obligations and conformity, the AILD proposes to ease the burden of proof for victims in non-contractual claims. For the practitioner, this means that compliance with the AI Act is necessary but not sufficient to avoid liability; it is a baseline for risk management, not a shield against all claims.

Product Liability: The Strict Regime

Product liability is perhaps the most straightforward, yet most evolving, pathway. It is based on the concept of strict liability, meaning a victim does not need to prove fault or negligence by the manufacturer, only that the product was defective and that the defect caused damage.

The Defective Product Directive (85/374/EEC)

The foundation of product liability in the EU is the Council Directive 85/374/EEC. Under this regime, a “product” includes movables, which has been interpreted to include software and, by extension, AI models. The Directive identifies three types of defects:

Manufacturing Defects: The AI system deviates from its intended design (e.g., a corrupted model file).
Design Defects: The entire product line is inherently unsafe due to a flawed design or algorithm.
Inadequate Instructions/Warnings: Failure to provide proper guidance on the use of the AI, particularly regarding its limitations (e.g., “hallucinations” in Generative AI).

The Challenge of “Defect” in AI

In traditional manufacturing, a defect is usually visible—a crack in a chassis. In AI, a “defect” is often probabilistic. An AI system might perform correctly 99% of the time but fail catastrophically in edge cases. The legal test is whether the AI is “safe” as a layperson might reasonably expect. With the Modernisation of the Product Liability Directive (PLD) (Directive (EU) 2024/2853), which repeals the 1985 directive and applies from late 2026, the definition of product explicitly includes software, including AI systems. Crucially, the revised PLD clarifies that a product is defective if it does not provide the safety which the public is entitled to expect, taking into account all circumstances, including the presentation of the product, the reasonably foreseeable use, and the state of scientific and technical knowledge at the time of putting it into circulation.

Key Interpretation: The “state of scientific and technical knowledge” defense is critical for AI developers. If an AI system fails due to a flaw that was undetectable given the current state of the art, the manufacturer might avoid liability. However, the AI Act introduces strict requirements for “state of the art” risk management. A failure to adhere to the AI Act’s standards effectively destroys this defense, as the “state of the art” now legally includes regulatory compliance.

Who is the “Producer”?

In the AI supply chain, identifying the responsible producer is complex. Under the PLD, the producer is the entity that puts their name or trademark on the product, or the component manufacturer. However, for AI, we often see a separation between the model developer (e.g., a research lab), the deployer (e.g., a company integrating the model), and the hardware provider. The revised PLD introduces the concept of the “product component” provider. If an AI model is embedded in a larger system, the model provider is liable for defects in the model, while the system integrator is liable for the safety of the final assembly. This distinction is vital for B2B contracts where base models are licensed.

Negligence and the Duty of Care

Unlike product liability, negligence focuses on behavior rather than the product itself. It requires proving that a duty of care was owed, that the duty was breached, and that the breach caused damage. This is the domain of tort law, harmonized to some extent by the Product Liability Directive (which covers non-contractual damage) but largely governed by national laws (e.g., § 823 of the German Civil Code or the UK’s Law of Negligence).

The AI Liability Directive (AILD) and the Presumption of Causality

The proposed AILD is a game-changer for negligence claims. Currently, a victim must prove exactly which part of an AI system failed and who was responsible—a near-impossible task with “black box” neural networks. The AILD proposes a presumption of causality. If a claimant can prove that:

The AI system output caused the damage (e.g., a self-driving car swerved).
The AI system was output-focused (i.e., it generated the decision that caused harm).
The claimant can show a lack of conformity with the AI Act or a failure to apply reasonable care (fault).

Then, the burden of proof shifts to the AI provider to prove they were not at fault. This reverses the traditional dynamic and places a heavy burden on developers to document their training data, testing procedures, and risk mitigation measures.

Foreseeability and the “Black Box”

A central tenet of negligence is foreseeability. Did the developer or deployer reasonably foresee the specific failure mode? In high-risk AI systems under the AI Act, the obligation to conduct a Conformity Assessment and maintain a Risk Management System (Annex III of the AI Act) essentially codifies what is “foreseeable.” If a risk was identified in the risk management system but not mitigated, negligence is almost automatic. If a risk was unknown but should have been known through standard testing, negligence follows. This links the regulatory compliance of the AI Act directly to the civil liability standard of negligence.

Contractual Liability: The Private Ordering of Risk

Contractual liability remains the primary mechanism for allocating risk between sophisticated parties in the AI ecosystem. B2B contracts for AI development, licensing, and deployment are where the “rubber meets the road.”

Limitation Clauses and Warranties

Standard software contracts often attempt to limit liability to the value of the contract. However, the nature of AI failures—potentially causing physical harm, massive data breaches, or reputational collapse—often renders these caps insufficient. In many European jurisdictions (particularly Germany and France), gross negligence or intent cannot be contractually excluded. Furthermore, the Consumer Rights Directive and national consumer protection laws strictly limit the ability of B2C providers to disclaim liability for defective goods or services.

Service Level Agreements (SLAs) and “Reasonable” AI

When contracting for AI-as-a-Service (AIaaS), SLAs define performance metrics (e.g., uptime, accuracy rates). However, defining “accuracy” is legally perilous. If a contract guarantees “99% accuracy,” but the 1% failure rate results in catastrophic financial loss, the contract may be interpreted differently depending on the jurisdiction. The concept of fitness for purpose is implied in many European sales laws. If an AI system is sold as a diagnostic tool but fails to detect common anomalies, it may be considered non-conforming regardless of the contract’s fine print.

Indemnification and Supply Chains

As AI systems become more complex, the supply chain lengthens. A company buying an AI solution from a vendor may need to indemnify that vendor if the AI is integrated into a critical infrastructure system. Conversely, vendors are increasingly refusing to indemnify for “unforeseeable” AI behaviors. This tension is driving the need for specialized AI insurance products and more granular contractual terms regarding training data ownership, model updates, and liability for “drift” (where model performance degrades over time).

Professional Duty and Regulatory Obligations

This pathway intersects liability with professional standards and specific regulatory mandates. It is distinct from general negligence because it is tied to a specific status or role, such as a medical professional using AI, a financial institution using credit scoring, or an employer using HR analytics.

The “Human in the Loop” and Oversight

The AI Act emphasizes that high-risk AI systems must be designed to allow for effective human oversight. If a human operator blindly follows an AI recommendation that leads to harm, the liability analysis splits. Is the AI defective? Or did the human fail in their professional duty to exercise judgment? In sectors like healthcare, the Medical Device Regulation (MDR) applies. If an AI is a medical device, the clinician using it has a duty to understand its limitations. Liability here often falls on the institution (hospital) for failing to train staff or for deploying a system that was not suitable for the clinical context.

Professional Indemnity and Sector-Specific Rules

Professionals (lawyers, architects, engineers) carry professional indemnity insurance. The use of AI tools in these professions raises questions about the standard of care. If a lawyer uses an AI to draft a contract and the AI misses a crucial clause, is that professional negligence? The standard of care is evolving. It is likely that in the near future, not using available, safe AI tools to check work might be considered negligence, while using unverified, “black box” AI might also be negligent. The professional duty requires a balance of technological adoption and critical verification.

GDPR and the Right to Explanation

While the GDPR is a data protection regulation, it creates a form of liability for “damage caused by automated decision-making.” Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing if it produces legal effects or similarly significantly affects them. Furthermore, the “right to an explanation” (Articles 13-15) requires meaningful information about the logic involved. Failure to provide this, or the deployment of a system that cannot be explained, can lead to regulatory fines from Data Protection Authorities (DPAs) and compensation claims from affected individuals. This acts as a professional duty for data controllers to ensure their AI is interpretable.

Comparative Perspectives: National Nuances

While EU regulations provide a harmonized floor, national courts interpret liability through their own legal traditions.

Germany: The Cult of Documentation

German law, particularly the Produkthaftungsgesetz, is rigorous about documentation. In a liability dispute, the ability to produce a complete technical file proving conformity with the state of the art is the strongest defense. German courts are generally strict on manufacturers but highly technical in their assessments. The concept of Verkehrssicherungspflicht (duty to ensure traffic/operational safety) is broad and applies heavily to AI deployers in public spaces.

France: The Civil Liability Regime

France operates under a unified civil liability regime (Article 1240 of the Civil Code). The French courts look heavily at the faute (fault). The burden of proof remains on the claimant, but the courts have shown willingness to infer fault from the mere occurrence of an accident in strict liability contexts (like product liability). For AI, the French approach emphasizes the duty of the provider to inform the user of the system’s capabilities and limitations.

United Kingdom: Post-Brexit Divergence

Post-Brexit, the UK is not bound by the AI Act or the AILD. The UK government has signaled a desire to be “pro-innovation.” The UK approach relies on common law negligence and the Consumer Rights Act 2015. There is currently no presumption of causality proposed in UK law. This makes it significantly harder for claimants in the UK to win AI liability cases compared to the EU, potentially creating a “liability gap” for multinational companies operating in both jurisdictions.

Practical Implications for AI Practitioners

For the CTO, the General Counsel, or the Compliance Officer, this landscape dictates a specific set of operational imperatives.

1. The “Regulatory Compliance” Defense

Compliance with the AI Act is becoming the primary shield against liability. If a system is classified as high-risk and the provider has followed the conformity assessment, maintained technical documentation, and implemented a risk management system, they have a strong defense against claims of defect or negligence. Non-compliance is an admission of liability risk.

2. Data Governance as Liability Defense

Since AI liability often stems from biased or poor-quality data (leading to design defects), data governance is no longer just an IT issue—it is a legal defense strategy. Documenting the provenance, cleaning, and balancing of training datasets is essential to rebut claims of negligence or discrimination.

3. Insurance and Contractual Gaps

Standard cyber or professional liability policies often exclude “AI failures” or “algorithmic errors.” Organizations must review their insurance coverage. Furthermore, in B2B contracts, clear allocation of liability regarding model updates, third-party data, and “black box” failures is essential. The contract should specify who is responsible if the model “drifts” or behaves unpredictably after deployment.

4. The End of “As Is” for AI

The era of releasing AI systems “as is” is over, particularly for high-risk applications. The combination of the AI Act’s conformity requirements and the AILD’s proposed evidentiary shifts means that deployers and developers must be able to vouch for the safety and logic of their systems. This requires a shift from “move fast and break things” to “measure twice, document once.”

Conclusion: The Convergence of Compliance and Liability

The pathways to liability in Europe are converging. The strictness of product liability, the evidentiary shifts in negligence, the specificity of contractual terms, and the regulatory duties of the AI Act are weaving a net of accountability. For professionals in the field, the message is clear: technical excellence is no longer enough. Legal engineering—the proactive design of systems to meet regulatory and liability standards—is now a prerequisite for market entry. The AI systems that succeed in Europe will be those that are not only powerful and accurate but also transparent, documented, and robust enough to withstand the scrutiny of a court and a regulator.

Table of Contents

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation