Europe AI & Data Rules Hub

Liability Models for AI-Driven Systems

UpdatedMay 26, 2025

ByIuliia Gorshkova

Allocating responsibility for harm caused by artificial intelligence systems presents one of the most complex legal and engineering challenges facing European regulators and industry stakeholders today. Unlike traditional machinery, AI-driven systems exhibit behaviors that are not entirely predictable, deterministic, or directly attributable to a single human actor. This fundamental shift from direct causation to probabilistic decision-making forces a re-evaluation of established liability frameworks across tort law, contract law, and product safety regimes. As organizations deploy autonomous agents, generative models, and robotic process automation, the question of who pays for the damage—whether physical, financial, or reputational—becomes a critical operational risk that requires a multi-layered understanding of the interplay between the AI Act, the Product Liability Directive, and national civil codes.

The current European legal landscape is undergoing a significant transformation to address these gaps. While the European Union has recently adopted the AI Act, establishing a horizontal regulatory framework for high-risk AI systems, it does not harmonize civil liability. Liability for AI-induced harm remains largely a matter of national law, primarily governed by tort regimes based on fault, negligence, or strict liability. This creates a fragmented environment where a developer in Finland might face a different legal standard than a deployer in Italy for the exact same system failure. Understanding this duality—between harmonized product regulation and divergent civil liability—is essential for any entity operating in the European market.

The Current Legal Framework: A Patchwork of National and EU Rules

Before the advent of specific AI legislation, liability for software and automated systems was typically handled through existing legal categories. In most European jurisdictions, this falls under non-contractual liability (tort) or contractual liability. However, the “black box” nature of AI—where the internal logic is opaque even to its creators—challenges the traditional requirement of proving causation and fault.

General Tort Law and the Burden of Proof

Under general tort law, a victim must typically prove three elements: damage, fault (unlawful conduct), and a causal link between the two. In the context of AI, the fault element is difficult to pinpoint. If a neural network makes a discriminatory hiring decision or an autonomous vehicle causes an accident, attributing fault to a specific human act is often impossible. Was it the developer who failed to curate the training data? The data scientist who chose the wrong model architecture? Or the user who deployed the system in an unforeseen environment?

Most civil law systems in Europe operate on the principle of fault-based liability (e.g., Article 1240 of the French Civil Code, § 823 of the German BGB). However, there is a growing trend toward strict liability for inherently dangerous activities. The question is whether AI systems should be categorized as such. Currently, unless a specific statutory regime applies (like liability for defective products), the burden of proof remains on the victim, creating a significant barrier to compensation.

Contractual Liability and Limitation Clauses

In B2B contexts, liability is often defined by contract. AI providers typically include extensive limitation of liability clauses, attempting to cap their exposure to the cost of the license fee. While generally enforceable, these clauses may be voided if the provider acted with intent or gross negligence. Furthermore, under the European Convention on Human Rights, victims have a right to an effective remedy, which can sometimes override strict contractual limitations when fundamental rights are violated.

The Product Liability Directive (PLD) and the AI Context

For decades, the Product Liability Directive (85/374/EEC) has been the cornerstone of strict liability for physical goods. It allows consumers to claim compensation for damage caused by defective products without proving the manufacturer’s negligence. However, the PLD was drafted in an era of “dumb” hardware. Its application to AI-driven software is fraught with ambiguity.

Defining the “Product”

The PLD applies to “products.” Does software constitute a product? The European Court of Justice (ECJ) has generally treated software as a product if it is supplied on a tangible medium or integrated into hardware. However, the rise of Software-as-a-Service (SaaS) and cloud-based AI models challenges this definition. If an AI model is updated continuously via the cloud, is there a static “product” to be held liable?

Furthermore, the PLD requires a defect. A product is considered defective if it does not provide the safety which a person is entitled to expect. For AI, this standard is fluid. An AI system that is 99% accurate might still be considered defective if the 1% error rate leads to catastrophic harm, or if the system was deployed in a context where 100% accuracy was reasonably expected (e.g., medical diagnostics).

The Knowledge Gap

Strict liability under the PLD is intended to shift the burden of risk to the manufacturer who profits from the product. However, the directive allows for the “development risks” defense (Article 7(e)). This defense protects manufacturers if they can prove that the state of scientific and technical knowledge at the time the product was put into circulation was not such as to enable the existence of the defect to be discovered. In the fast-moving field of AI, this defense is frequently invoked. Developers argue that the unpredictability of deep learning is a known characteristic of the technology, not a defect, and that they could not have foreseen the specific failure mode.

Key Distinction: Under current EU law, software is generally covered by the Product Liability Directive only if it is supplied as part of a hardware product or on a tangible medium. Purely digital services and AI models accessed via the cloud often fall outside the scope of strict product liability, forcing victims back to fault-based claims.

The AI Act: A Regulatory Framework with Indirect Liability Implications

The Artificial Intelligence Act (Regulation 2024/1689) is the world’s first comprehensive AI law. It does not directly define civil liability or compensation mechanisms. Instead, it establishes a framework of obligations for providers, deployers, and distributors. The violation of these obligations serves as a powerful indicator of fault in subsequent civil litigation.

Conformity Assessments and Presumption of Defect

For high-risk AI systems (e.g., critical infrastructure, biometrics, employment), the AI Act mandates strict conformity assessments, risk management systems, and data governance requirements. If a high-risk AI system causes harm and it is found that the provider failed to comply with these mandatory requirements, a court may use this non-compliance as evidence of fault or defectiveness. In practice, this creates a rebuttable presumption of causality. If a provider cannot demonstrate compliance with the AI Act, they will face an uphill battle defending a civil claim.

The Role of Notified Bodies

Notified bodies act as third-party auditors for high-risk AI systems. Their involvement provides a layer of scrutiny. However, the AI Act explicitly states that the involvement of a notified body does not absolve the provider of liability. This is a crucial distinction. A “CE mark” on an AI system is not a shield against liability; it is merely a prerequisite for market entry.

General Purpose AI (GPAI) and Systemic Risk

The AI Act introduces specific rules for General Purpose AI models. Providers of these models must ensure compliance with copyright laws and provide a summary of the content used for training. While the Act focuses on systemic risks (e.g., mass disinformation, loss of control), the obligations placed on GPAI providers will inevitably be used by litigants to establish a standard of care. If a provider of a large language model fails to implement adequate safety mitigations required by the AI Act, and the model generates harmful content, that failure will be a central point of litigation.

The Proposed AI Liability Directive (AILD): Bridging the Gap

Recognizing the inadequacy of existing tort rules, the European Commission proposed the AI Liability Directive (AILD) alongside the AI Act. Although this proposal is currently stalled in the legislative process, its provisions represent the likely future direction of European liability law. It aims to harmonize national rules and make it easier for victims to claim compensation.

Harmonized Non-Contractual Liability

The AILD proposes to harmonize the rules for non-contractual damage caused by AI systems. It focuses on the burden of proof. Currently, the victim must prove the AI system was faulty, that the fault caused the damage, and that the provider was negligent. The AILD seeks to alleviate this burden.

The “Presumption of Causality”

The most significant proposed change is the presumption of causality. If a claimant can demonstrate that an AI system behaved in a way that caused damage, and that the provider failed to meet certain obligations (such as those in the AI Act or data protection laws), the burden of proof would shift. The provider would be presumed to have caused the damage unless they can prove they were not at fault or that the damage was caused by something else.

This reverses the current dynamic. Instead of the victim proving the provider was negligent, the provider must prove they were diligent. This is a profound shift that forces providers to maintain meticulous documentation of their development processes, data curation, and testing protocols to defend against future claims.

Access to Evidence

Another critical aspect of the AILD is the provision for disclosure of evidence. Victims often lack access to the technical details of an AI system (logs, training data, model weights) needed to prove their case. The AILD proposes to allow courts to order the disclosure of relevant evidence, provided the claimant can show a reasonable probability of fault. This prevents providers from hiding behind “trade secrets” to obstruct justice, though it creates tension with intellectual property rights.

National Divergences: A Comparative Look at European Jurisdictions

While the EU works toward harmonization, national laws remain distinct. Understanding these differences is vital for cross-border operations.

Germany: The Strict Liability Tradition

Germany has a strong tradition of strict liability for products and technical systems. The German Civil Code (BGB) § 823 imposes strict liability for “things” (Sachen) if they are defective. German courts have historically been willing to interpret software integrated into hardware as a “thing.” Furthermore, German law regarding Betriebsgefahr (operational risk) suggests that anyone operating a complex system bears a higher responsibility for the risks it creates. In the context of AI, German courts may be more inclined to hold deployers strictly liable for the mere operation of the system, regardless of specific negligence.

France: The Civil Liability Regime

French law relies heavily on Article 1240 of the Civil Code, which requires proof of fault, damage, and causation. However, French jurisprudence has developed the concept of la garde (guardianship). The guardian of a thing is responsible for the damage it causes, regardless of fault. If an AI system is considered under the “guardianship” of a user, that user could be held strictly liable. The debate in France centers on whether an algorithm, being intangible, can be an object of guardianship.

United Kingdom: Post-Brexit Divergence

Since Brexit, the UK is no longer bound by EU directives. The UK government has signaled an intention to maintain a pro-innovation environment. The UK’s approach to AI liability is likely to remain more fault-based, placing a higher burden of proof on the claimant compared to the proposed EU AILD. The UK Law Commission has reviewed tort law and suggested that the existing framework is largely sufficient, relying on judicial interpretation to adapt to new technologies. This creates a regulatory divergence that businesses must monitor if operating in both markets.

Key Challenges in Proving AI Liability

Regardless of the specific legal regime, three technical challenges consistently undermine liability claims for AI-driven systems.

1. The Black Box Problem and Explainability

Deep learning models, particularly those using neural networks, are often opaque. Even their creators cannot fully explain why a specific input resulted in a specific output. This creates a barrier to establishing causation. In a legal context, if you cannot explain how the error occurred, it is difficult to prove that the system was defective rather than just unlucky. The lack of explainability (XAI) is not just a technical limitation; it is a legal vulnerability.

2. Continuous Learning and State Drift

Many AI systems are designed to learn continuously from new data. This means the system that caused harm on Tuesday might be different from the system that was deployed on Monday. This phenomenon, known as “model drift” or “state drift,” makes it incredibly difficult to pinpoint liability. Was the system defective at the time of deployment, or did it degrade over time due to poor maintenance? This blurs the lines between manufacturer liability and operator liability.

3. The “Many Hands” Problem

AI supply chains are complex. A single high-risk system might involve:

A provider of the base model (e.g., a large language model).
A provider of the fine-tuning data.
A system integrator who combines the model with other software.
A deployer who inputs specific operational data.

When harm occurs, all these actors may have contributed to the outcome. Disentangling this web of causation to assign proportional liability is a nightmare for the current legal system.

Insurance and Risk Mitigation Strategies

Given the uncertainty of the legal landscape, insurance has become a critical component of the liability model for AI.

Traditional Insurance Limitations

Standard commercial general liability (CGL) policies are often inadequate for AI risks. They typically exclude “professional services” (which often covers software development) and “failure to perform.” Furthermore, traditional policies are designed for static risks, not dynamic systems that evolve over time. Insurers are hesitant to underwrite risks they cannot quantify.

Specialized AI Insurance

The market is seeing the emergence of specialized AI insurance products. These policies often require rigorous pre-underwriting audits of the AI system, including:

Adversarial robustness testing.
Bias audits.
Review of governance frameworks.

These policies act as a risk management tool. Insurers effectively become the auditors, enforcing best practices before coverage is granted. This market mechanism may prove more effective than regulation in driving safety standards for lower-risk AI applications.

Future Outlook: The Convergence of Regulation and Liability

The trajectory of AI liability in Europe is moving toward a system where regulatory compliance is the primary defense against liability. The AI Act and the proposed AILD are designed to work in tandem. The AI Act sets the standard of care; the AILD provides the mechanism to enforce that standard in civil court.

The Rise of “Compliance as a Shield”

For businesses, the strategy must shift from reactive defense to proactive compliance. Documenting every step of the AI lifecycle—from data sourcing to model deployment and monitoring—is no longer just a regulatory requirement under the AI Act; it is a prerequisite for surviving a liability claim. The ability to produce an audit trail proving adherence to the AI Act’s risk management requirements will likely become the deciding factor in litigation.

Harmonization vs. Innovation

There remains a tension between the desire for harmonized EU liability rules and the need for legal certainty. If the AILD is passed, it will significantly lower the bar for victims to win cases against AI providers. This may drive up costs and stifle innovation, particularly for startups who cannot afford the compliance and insurance overhead. Conversely, maintaining the status quo leaves victims without adequate redress, potentially eroding public trust in AI technologies.

Ultimately, the allocation of liability for AI-driven systems is not just a legal question; it is a societal choice about risk distribution. As AI becomes more autonomous, the European legal framework is slowly evolving to ensure that the benefits of automation do not come at the expense of individual rights to safety and compensation. The models being developed today—blending strict product liability, regulatory compliance presumptions, and specialized insurance—will define the operational boundaries of the European digital economy for decades to come.

Table of Contents

AI in Education: Fundamentals & Tools

Understanding AI Basics

Practical AI Tools for Educators

Integrating AI into Teaching

Case Studies & Success Stories

Ethical AI & Inclusive Practices

Ethical & Legal Frameworks for AI Systems

Equity & Inclusion

Transparency & Trust

Algorithmic Bias, Discrimination & Legal Risk

AI Errors, Accountability & Legal Responsibility

Institutional AI Governance & Policy Design

AI, Security & GDPR Compliance

Data Protection & Privacy

Cybersecurity in AI

EU Regulations & Policies

Engaging Parents & Guardians

Data Protection, Privacy & AI Governance

Additional Resources

Glossary of Terms

Templates & Guides

Webinars & Research

AI for Administrative & Pedagogical Support

AI for Time Management

AI in Student Performance Tracking

AI for Automated Communication

AI for Document Management

AI, Robotics & Biotech Regulation in Europe

EU AI Act Explained: Scope, Risk Levels, Obligations

AI-Enabled Products: Robots, Medical Software, Smart Devices

Machinery Regulation & Safety Standards for Intelligent Systems

AI in Healthcare & Biotech: MDR, IVDR, EMA

Liability & Responsibility for AI-Driven Systems

Compliance in Practice: From Risk Assessment to CE Marking

Country-Specific AI Regulation & Enforcement

How EU AI Law Is Applied at National Level

Different Compliance Models

National AI Sandboxes & Regulatory Experiments

Public Sector AI Rules Across Europe

Cross-Border AI Deployment Challenges

When National Law Overrides EU Guidance

Legal Cases, Enforcement & Real-World Precedents

AI Act, GDPR & Algorithmic Decision-Making Cases

Liability Disputes Involving Automated Systems

Robotics Accidents & Legal Responsibility

Medical & Biotech AI Failures: Lessons Learned

What Enforcement Trends Tell Us About Future Regulation