The Liability Handover: Strict Liability for Software and AI Arrives as Europe's Rulebooks Retreat
As the EU's Omnibus VII defers the AI Act's high-risk rules to 2027 and 2028, the new Product Liability Directive brings strict, presumption-assisted liability for software and AI from 9 December 2026, converting compliance risk into litigation risk for every firm selling digital products into Europe.
The consensus on European regulation in 2026 is deregulation: the Council gave final approval to the AI Act simplification package in June, the seventh in a rolling simplification agenda, and the high-risk rules due this August now arrive in 2027 and 2028. Beneath the retreat sits a quieter move in the opposite direction. The new Product Liability Directive takes effect for products placed on the EU market after 9 December 2026, extending strict liability to software and AI with disclosure duties and claimant-friendly presumptions. Enforcement is changing venue rather than disappearing. For at least a year, the sharpest constraint on AI in Europe will be a courtroom, not a regulator.
Signal Identification
A regulatory pivot in the enforcement mechanism itself. The weak signal is two timelines diverging: ex-ante obligations receding under simplification while ex-post liability arrives on schedule, moving the policing of digital products to courts armed with presumptions, disclosure powers and collective redress.
What's Changing
The retreat is now law: the Council's final green light on 29 June deferred the AI Act's high-risk obligations to 2 December 2027 for stand-alone systems and 2 August 2028 for AI embedded in products (Council of the EU, 29/06/2026). Doctrine is following: Bruegel recommends the EU trade lower ex-ante burden for robust ex-post monitoring, judicial review and liability, including an AI-specific ex-post liability system (Bruegel, 11/06/2026). The ex-post shift is a design choice, not an accident.
The liability leg is arriving on schedule. For products placed on the market after 9 December 2026, strict liability covers stand-alone software and AI; claimants gain disclosure rights and rebuttable presumptions of defect and causation where technical complexity makes proof excessively difficult; online platforms and importers join the defendant pool; and the old EUR 500 damage threshold and liability caps are gone (Gibson Dunn, 23/03/2026). Products can become defective through missed updates or security patches, and courts may order disclosure of source code and training records (Lawyer Monthly, 07/06/2026).
Transposition is a contested patchwork. Germany's bill drew a split expert hearing: industry alleged the draft extends scope beyond what EU law requires, professors described fundamental expansions of liability (Deutscher Bundestag, 13/04/2026). Across Central and Eastern Europe most member states remain in the pre-implementation phase; Hungary has transposed, and Bulgaria expects parliamentary approval in November 2026 (Wolf Theiss, 21/04/2026). The collective machinery is already in place: every member state must offer representative actions, with opt-out options and third-party funding permitted (European Commission, accessed 06/07/2026).
Two timelines crossing: liability arrives before the rules it replaces
Source basis: Council of the EU press release, 29 June 2026; Gibson Dunn analysis of Directive (EU) 2024/2853, 23 March 2026.
Disruption Pathway
The pathway runs in three stages. To 9 December 2026, transposition splits front-runners from laggards, but products placed after that date fall under the new regime wherever the claim is heard. Through 2027 and 2028, the first disclosure orders and presumption-based claims land; funded representative actions test update failures, cybersecurity gaps and black-box systems while the deferred AI Act stays dormant. From 2028, references to the CJEU begin harmonising what defect means for learning systems, and insurers reprice product and technology lines.
Stresses concentrate at compliance functions built for regulators rather than litigation, where documentation now decides cases; at supply chains with non-EU manufacturers, where importers, fulfilment providers and platforms become the reachable defendants; and at the member-state patchwork, making venue and timing strategic. Two adaptations follow. Operational: documentation, update governance and supply-chain mapping rebuilt as legal defence rather than regulatory filing. Financial: insurance repricing and the renegotiation of indemnities between developers, integrators and distributors.
Why This Matters
For general counsel and boards of any firm selling software-enabled products into the EU, the deregulation headline is a trap. Simplification invites lower compliance investment just as disclosure duties and defect presumptions make technical records the decisive asset; the firm that trimmed its documentation to match the lighter rulebook meets the new claims regime with an empty file. The decision-architecture needing revision spans product governance, update management, supply-chain mapping, contractual risk allocation and insurance. For non-EU manufacturers, liability reaches their importers and platforms first, and recourse travels up the chain.
Decision-action posture for this signal: Prepare — exposure crystallises with products placed on the market after 9 December 2026, so the work is documentation, contracts and insurance now, with national transposition laws and the first new-regime claims as the commitment triggers.
Counter-Argument
The strongest objection: Europe's litigation channel is too weak to carry the load. Most member states have not transposed the directive and several have published no draft at all (Wolf Theiss, 21/04/2026); European courts award modest damages, without punitive multipliers, under cost rules that deter speculative claims. The same politics that deferred the AI Act can blunt liability too: the Commission has already withdrawn its separate AI Liability Directive, and Germany's hearing shows industry pressing to trim national implementation back to the minimum (Deutscher Bundestag, 13/04/2026). On this reading the handover is theoretical: a slow, fragmented claims regime replacing a paused rulebook is deregulation twice over.
The objection undercounts what has already happened. The directive is adopted law with a fixed application date; late transposition delays procedure, not exposure, for products placed after December 2026. The presumptions and disclosure rights attack precisely the evidential barriers that kept European product claims rare, and collective redress with third-party funding supplies the economics (European Commission, accessed 06/07/2026). And the policy logic runs the other way: because simplification is cutting ex-ante rules, policymakers need the liability channel to carry the protective load, which Bruegel proposes making explicit (Bruegel, 11/06/2026).
Implications
This is a durable rebalancing of European enforcement toward courts: once claimant-side economics, funding infrastructure and case law exist, they do not un-build, and the doctrine that emerges by 2029 will define what defect means for learning systems before any regulator does (Gibson Dunn, 23/03/2026). The inflection window is 2026 to 2029. Positioned to gain are litigation funders and plaintiff firms, insurers able to price the new exposure, and well-documented incumbents for whom records become a moat. Exposed are firms reading simplification as permission to under-invest, and non-EU sellers whose importers and platforms carry the first-line liability.
Early Indicators to Monitor
- Member states with transposition laws in force by 9 December 2026, and the Bundestag's vote on the German bill.
- First disclosure orders and representative actions invoking the new regime in 2027, and the sectors they target.
- Commission infringement letters to late transposers in the first half of 2027.
- Product-liability and technology insurance renewals introducing AI or software-defect exclusions or repricing.
- Any Commission move to revive an AI-specific liability instrument, as Bruegel recommends.
Disconfirming Signals
- An omnibus-style proposal deferring the Product Liability Directive's application date.
- National implementations that narrow the software scope or presumption rules and survive Commission scrutiny.
- Negligible new-regime claim volumes through 2028.
- Courts reading the technical-complexity presumption narrowly, restoring the claimant's full burden of proof.
- Insurers holding pricing and wordings flat, signalling markets see no material change in expected loss.
Strategic Questions
- Would the firm's technical documentation survive a disclosure order and rebut a defect presumption in 2027?
- Which EU product lines need re-pricing or re-scoping once strict liability attaches to software updates?
- Should contracts, indemnities and insurance be renegotiated now, before national transposition fixes the liability map?
Keywords
EU Product Liability Directive; Directive (EU) 2024/2853; strict liability; software liability; AI liability; ex-post enforcement; Digital Omnibus; AI Act simplification; representative actions; evidence disclosure; litigation risk.
Bibliography
Source tiers: Tier 1, governments, regulators and intergovernmental bodies. Tier 2, think-tanks, academic institutes, major consultancies and quality data providers. Tier 3, quality journalism and specialist trade press. Tier 4, vendor, company and practitioner sources, used only as directional corroboration.
- Tier 1 Artificial intelligence: Council gives final green light to simplify and streamline rules. Council of the European Union (29/06/2026).
- Tier 1 Novelle des Produkthaftungsrechts unterschiedlich bewertet (hearing on the Product Liability Modernisation Act). Deutscher Bundestag (13/04/2026).
- Tier 1 Representative Actions Directive policy page. European Commission (evergreen reference page, accessed 06/07/2026).
- Tier 2 The right balance: how to fix European Union artificial intelligence regulation, Policy Brief 12/2026. Bruegel (11/06/2026).
- Tier 3 EU Product Liability Directive: Responding to Software, AI and Complex Supply Chains. Gibson Dunn (23/03/2026).
- Tier 3 EU Product Liability Directive Tracker 2026. Wolf Theiss (21/04/2026).
- Tier 3 EU Product Liability Directive Creates New AI and Software Liability Risks. Lawyer Monthly (07/06/2026).