← All guides
EU AI Act9 min read14 July 2026

EU AI Liability Directive: Strict Liability, Rebuttable Presumption, and What It Means for AI Companies (2026)

COM(2022) 496 — the proposed EU AI Liability Directive — introduces two liability tracks for AI: strict liability for high-risk AI systems and fault-based liability with a rebuttable presumption for all other AI. With EU AI Act reaching full applicability in August 2026, here's what AI companies need to know.

What is the EU AI Liability Directive?

The EU AI Liability Directive (COM(2022) 496) is the European Commission's proposed civil liability framework for AI systems. It sits alongside the EU AI Act (Reg. 2024/1689) — the Act is public law regulation; the Directive is private law, determining when victims can sue and recover damages when AI systems cause harm.

The Directive has been progressing through the EU legislative process alongside the AI Act. With the EU AI Act reaching full applicability on 2 August 2026, the liability framework has become a critical concern for any company deploying AI in or affecting EU markets.

This guide explains the two liability tracks, who is exposed, and what practical steps reduce your risk.

The two liability tracks

The Directive proposes two distinct liability mechanisms depending on the AI system type:

Track 1: Strict liability (no-fault) — high-risk AI systems

Under Article 4 of the proposed Directive, providers of high-risk AI systems (as defined in EU AI Act Annex III) face strict liability — meaning they can be held liable for damage caused by their AI systems regardless of fault. The claimant does not need to prove negligence; they only need to show:

  • The AI system is high-risk under EU AI Act Annex III
  • The AI system caused damage (death, personal injury, property damage, or psychological harm meeting the threshold)

This mirrors the strict liability framework that already applies to product defects under the revised EU Product Liability Directive (Directive 2024/2853), which was updated specifically to cover embedded AI in physical products.

EU AI Act Annex III high-risk categories include: biometric identification systems; AI in critical infrastructure; education/training systems; employment and workers management; access to essential private services (credit scoring, insurance risk assessment); law enforcement; migration/asylum; administration of justice. If your AI system falls into any of these categories, strict liability exposure is real and insurance is not optional.

Track 2: Fault-based liability with rebuttable presumption — all other AI

For AI systems that are not high-risk, Article 3 introduces a rebuttable presumption of causal link. A claimant who can demonstrate:

  1. The AI provider or deployer was at fault (breached a duty of care, or failed to comply with EU AI Act obligations)
  2. It is reasonably likely that the AI output caused the damage (plausible causation)

...will benefit from a legal presumption that the causal link is established. The defendant (AI company) must then prove the causal link does not exist to escape liability.

This lowers the evidentiary burden on claimants significantly. Historically, the opacity of AI systems made causation very hard to prove. The Directive flips the burden once the claimant establishes a plausible link.

Evidence disclosure obligations

Article 3 of the Directive includes a critical evidence mechanism: courts can order AI providers and deployers to disclose relevant evidence about their AI system when a claim is filed. This covers training data documentation, model cards, system logs, test results, and post-market monitoring records.

Crucially, refusal to comply with a disclosure order can itself trigger a presumption of non-compliance — making the defendant's position significantly worse. This means that AI companies without proper logging, documentation, and audit trails face compounded exposure: both the underlying liability claim and an adverse inference from poor documentation.

The GPAI model liability chain

General-purpose AI (GPAI) models add a layer of complexity. Under the EU AI Act, GPAI model providers (e.g., companies training and releasing large language models) have documentation, transparency, and copyright compliance obligations. For GPAI models meeting the systemic risk threshold (10^25 FLOPs training compute or equivalent capability), additional obligations apply including red-team testing and incident reporting.

From a liability perspective, the chain runs: GPAI model provider → fine-tuner / integrator → deployer → end user. When a GPAI-powered application causes harm, the Directive liability can attach at multiple points in the chain. Companies that build on top of GPAI models (foundation models like GPT, Claude, Gemini, Mistral) need to contractually allocate liability up the supply chain and ensure their own obligations under the AI Act are met — because partial non-compliance can satisfy the fault element of Track 2.

Intersection with the revised EU Product Liability Directive

Directive 2024/2853 — the revised EU Product Liability Directive — was specifically amended to cover AI systems embedded in physical products (autonomous vehicles, medical devices, industrial robots). For these systems, the revised PLD and the AI Liability Directive operate in parallel. The revised PLD covers defective products; the AILD covers AI-specific damage pathways.

Companies in medtech, automotive, industrial automation, and consumer electronics deploying AI components need to assess exposure under both frameworks simultaneously.

Practical steps to reduce AI liability exposure

1. Classify your AI systems immediately

Run a formal EU AI Act Annex III classification. High-risk classification triggers strict liability under the Directive. If you're borderline, get a legal opinion — the classification decision will affect your insurance, contractual terms, and corporate governance.

2. Build audit trails now

The evidence disclosure mechanism makes logging critical infrastructure, not nice-to-have. For every AI system: log inputs, outputs, and key decision parameters at sufficient granularity to reconstruct the decision chain. Establish legal hold procedures for AI system artefacts when a claim is threatened.

3. Review insurance coverage

Most standard technology E&O and product liability policies were not written with strict AI liability in mind. Review your coverage with a broker experienced in AI risk. For high-risk AI systems, named AI liability cover is increasingly available from specialist insurers.

4. Renegotiate supply chain contracts

Ensure liability allocation between your company, upstream model providers, and downstream deployers is explicitly addressed. Indemnification provisions for AI-caused harm, DORA-style incident reporting obligations, and audit rights are all essential. Many standard SaaS vendor contracts do not address these issues adequately.

5. Implement post-market monitoring (EU AI Act Art. 72)

Post-market monitoring isn't just an EU AI Act obligation — it's a key liability defence. A robust monitoring system demonstrates that you were actively tracking performance and taking corrective action, which can help rebut the fault presumption under Track 2.

6. Use the EU AI Liability Directive Gap Assessment

ComplyKit's free EU AI Liability Directive Gap Assessment covers all 42 liability readiness items across 6 categories: scope and coverage, strict liability readiness, fault-based liability defences, transparency and evidence obligations, AI governance, and claims readiness. The generated report references specific COM(2022) 496 articles, EU AI Act provisions, and practical mitigation actions.

Key timelines in 2026

  • 2 August 2026 — EU AI Act full applicability. All high-risk AI obligations now live. GPAI systemic risk measures fully applicable. Non-compliance now feeds directly into the Directive's fault element.
  • Directive ratification — The AILD is progressing through EU legislative process. Member states will have a transposition period (typically 2 years) after final adoption. Companies should prepare now — particularly on documentation and supply chain contracts — as these take 12–18 months to implement properly.

Bottom line

The EU AI Liability Directive changes the civil liability landscape for AI companies operating in or affecting the EU. Strict liability for high-risk AI, rebuttable presumption for all other AI, and court-ordered evidence disclosure are not theoretical risks — they are the framework being built. August 2026 is not a finish line; it's the start of the enforcement era.

Assess your exposure now. Use ComplyKit's EU AI Liability Directive Gap Assessment to map your critical gaps across all 42 readiness items and generate a professional assessment report.