The European Union has adopted a strengthened AI liability framework focused on enterprise automation, particularly impacting banks and IT service management (ITSM) platforms. The new rules impose strict liability for non-compliant AI systems under amendments to the EU Product Liability Directive and form part of the Digital Omnibus "simplification" package, approved by the Council in March 2026. The framework increases requirements for governance, explainability, and cross-border risk management, intensifying compliance considerations for vendor contracts and incident reporting.
Background
The AI Liability Directive, proposed in 2022, was withdrawn in early 2025 following insufficient consensus. Liability risks are instead addressed through existing national tort law and the revised Product Liability Directive, which treats non-compliant AI as defective products under strict liability [1]. The EU's AI Act (Regulation 2024/1689) entered into force on August 1, 2024, introducing a phased implementation: prohibitions from February 2, 2025, governance and transparency for general-purpose AI from August 2, 2025, and high-risk system requirements beginning August 2, 2026 [2]. The Digital Omnibus package, finalized in March 2026, adjusted deadlines and centralized oversight through the European AI Office, while reinforcing obligations for high-risk systems and data-processing transparency [3].
Details
The updated Product Liability Directive (EU 2024/2853) explicitly categorizes software and AI as products. Non-compliance with the AI Act is regarded as a presumed defect, making providers strictly liable without the need to prove negligence [1]. For banks using high-risk AI systems in credit-scoring and automation, this means exposure to regulatory penalties under the AI Act-up to 7 percent of global turnover for serious breaches-strict liability claims under product law, and potential insurance gaps if AI risks are excluded from existing policies [1]. Banks integrating third-party or bespoke AI tools must adhere to AI "user" obligations, including risk governance, documentation, and human oversight [4].
ITSM vendors and enterprise automation providers must reevaluate contract provisions, especially disclaimers and liability caps. Subject matter experts note that US-style "no warranties" clauses may be unenforceable under German law (AGB), substituting statutory liability with no cap and necessitating detailed legal review [5]. The Council's simplification package further extends deadlines for high-risk obligations and mandates registration of AI systems, including those claimed to be exempt. Centralized AI registry requirements and guidance from the European Commission aim to improve transparency and accountability [3].
Outlook
With the August 2, 2026 deadline for high-risk AI compliance approaching, banks and ITSM providers must review vendor agreements, governance structures, and incident reporting protocols to meet new liability and documentation requirements. The updated framework clarifies the role of national supervisory authorities, supported by the central AI Office, in enforcement-advancing regulatory alignment across sectors.



