EU Adopts Stricter AI Liability Framework for Enterprise Automation

EU finalizes AI liability measures via product liability and Digital Omnibus reforms; banks and ITSM vendors face strict liability, governance and contract risks ahead of 2026 deadline.

The European Union has adopted a strengthened AI liability framework focused on enterprise automation, particularly impacting banks and IT service management (ITSM) platforms. The new rules impose strict liability for non-compliant AI systems under amendments to the EU Product Liability Directive and form part of the Digital Omnibus "simplification" package, approved by the Council in March 2026. The framework increases requirements for governance, explainability, and cross-border risk management, intensifying compliance considerations for vendor contracts and incident reporting.

Background

The AI Liability Directive, proposed in 2022, was withdrawn in early 2025 following insufficient consensus. Liability risks are instead addressed through existing national tort law and the revised Product Liability Directive, which treats non-compliant AI as defective products under strict liability [1: EU AI Act: What US Enterprises Must Do Before August 2026 - Ajith Vallath Prabhakar]. The EU's AI Act (Regulation 2024/1689) entered into force on August 1, 2024, introducing a phased implementation: prohibitions from February 2, 2025, governance and transparency for general-purpose AI from August 2, 2025, and high-risk system requirements beginning August 2, 2026 [2: Artificial Intelligence Act]. The Digital Omnibus package, finalized in March 2026, adjusted deadlines and centralized oversight through the European AI Office, while reinforcing obligations for high-risk systems and data-processing transparency [3: Council agrees position to streamline rules on Artificial Intelligence - Consilium].

Details

The updated Product Liability Directive (EU 2024/2853) explicitly categorizes software and AI as products. Non-compliance with the AI Act is regarded as a presumed defect, making providers strictly liable without the need to prove negligence [1: EU AI Act: What US Enterprises Must Do Before August 2026 - Ajith Vallath Prabhakar]. For banks using high-risk AI systems in credit-scoring and automation, this means exposure to regulatory penalties under the AI Act (up to 7 percent of global turnover for serious breaches), strict liability claims under product law, and potential insurance gaps if AI risks are excluded from existing policies [1: EU AI Act: What US Enterprises Must Do Before August 2026 - Ajith Vallath Prabhakar]. Banks integrating third-party or bespoke AI tools must adhere to AI "user" obligations, including risk governance, documentation, and human oversight [4: The EU AI Act and Respective Regulation].

ITSM vendors and enterprise automation providers must reevaluate contract provisions, especially disclaimers and liability caps. Subject matter experts note that US-style "no warranties" clauses may be unenforceable under German law (AGB), with uncapped statutory liability applying in their place, which necessitates detailed legal review [5: EU AI Act for SaaS: What Deployers Must Do in 2025]. The Council's simplification package further extends deadlines for high-risk obligations and mandates registration of AI systems, including those claimed to be exempt. Centralized AI registry requirements and guidance from the European Commission aim to improve transparency and accountability [3: Council agrees position to streamline rules on Artificial Intelligence - Consilium].

Outlook

With the August 2, 2026 deadline for high-risk AI compliance approaching, banks and ITSM providers must review vendor agreements, governance structures, and incident reporting protocols to meet new liability and documentation requirements. The updated framework clarifies the role of national supervisory authorities, supported by the central AI Office, in enforcement, advancing regulatory alignment across sectors.