Signal Scanner · REGULATION, STANDARDS & POLICY CHANGE

The Liability Handover: Strict Liability for Software and AI Arrives as Europe's Rulebooks Retreat

As the EU's Omnibus VII defers the AI Act's high-risk rules to 2027 and 2028, the new Product Liability Directive brings strict, presumption-assisted liability for software and AI from 9 December 2026, converting compliance risk into litigation risk for every firm selling digital products into Europe.

The consensus on European regulation in 2026 is deregulation: the Council gave final approval to the AI Act simplification package in June, the seventh in a rolling simplification agenda, and the high-risk rules due this August now arrive in 2027 and 2028. Beneath the retreat sits a quieter move in the opposite direction. The new Product Liability Directive takes effect for products placed on the EU market after 9 December 2026, extending strict liability to software and AI with disclosure duties and claimant-friendly presumptions. Enforcement is changing venue rather than disappearing. For at least a year, the sharpest constraint on AI in Europe will be a courtroom, not a regulator.

Signal Identification

A regulatory pivot in the enforcement mechanism itself. The weak signal is two timelines diverging: ex-ante obligations receding under simplification while ex-post liability arrives on schedule, moving the policing of digital products to courts armed with presumptions, disclosure powers and collective redress.

Time horizon: 1–3 years (transposition deadline 9 December 2026; first new-regime claims and disclosure orders 2027–2028; CJEU shaping from 2028) Plausibility band: Medium–High Geographic / Jurisdictional Scope: EU-27 primary (Germany and the Netherlands lead transposition; CEE lagging); extraterritorial pull on US and Asian manufacturers, importers and platforms selling into the EU Sectors exposed: Software and AI providers; medical devices; automotive and autonomous systems; consumer electronics and IoT; online marketplaces; industrial machinery; insurers

What's Changing

The retreat is now law: the Council's final green light on 29 June deferred the AI Act's high-risk obligations to 2 December 2027 for stand-alone systems and 2 August 2028 for AI embedded in products (Council of the EU, 29/06/2026). Doctrine is following: Bruegel recommends the EU trade lower ex-ante burden for robust ex-post monitoring, judicial review and liability, including an AI-specific ex-post liability system (Bruegel, 11/06/2026). The ex-post shift is a design choice, not an accident.

The liability leg is arriving on schedule. For products placed on the market after 9 December 2026, strict liability covers stand-alone software and AI; claimants gain disclosure rights and rebuttable presumptions of defect and causation where technical complexity makes proof excessively difficult; online platforms and importers join the defendant pool; and the old EUR 500 damage threshold and liability caps are gone (Gibson Dunn, 23/03/2026). Products can become defective through missed updates or security patches, and courts may order disclosure of source code and training records (Lawyer Monthly, 07/06/2026).

Transposition is a contested patchwork. Germany's bill drew a split expert hearing: industry alleged the draft extends scope beyond what EU law requires, professors described fundamental expansions of liability (Deutscher Bundestag, 13/04/2026). Across Central and Eastern Europe most member states remain in the pre-implementation phase; Hungary has transposed, and Bulgaria expects parliamentary approval in November 2026 (Wolf Theiss, 21/04/2026). The collective machinery is already in place: every member state must offer representative actions, with opt-out options and third-party funding permitted (European Commission, accessed 06/07/2026).

Two timelines crossing: liability arrives before the rules it replaces

2026 2027 2028 9 Dec 2026 Strict liability applies to software and AI (PLD) 2 Dec 2027 AI Act high-risk rules (stand-alone) 2 Aug 2028 AI Act high-risk rules (embedded in products)

Source basis: Council of the EU press release, 29 June 2026; Gibson Dunn analysis of Directive (EU) 2024/2853, 23 March 2026.

Disruption Pathway

The pathway runs in three stages. To 9 December 2026, transposition splits front-runners from laggards, but products placed after that date fall under the new regime wherever the claim is heard. Through 2027 and 2028, the first disclosure orders and presumption-based claims land; funded representative actions test update failures, cybersecurity gaps and black-box systems while the deferred AI Act stays dormant. From 2028, references to the CJEU begin harmonising what defect means for learning systems, and insurers reprice product and technology lines.

Stresses concentrate at compliance functions built for regulators rather than litigation, where documentation now decides cases; at supply chains with non-EU manufacturers, where importers, fulfilment providers and platforms become the reachable defendants; and at the member-state patchwork, making venue and timing strategic. Two adaptations follow. Operational: documentation, update governance and supply-chain mapping rebuilt as legal defence rather than regulatory filing. Financial: insurance repricing and the renegotiation of indemnities between developers, integrators and distributors.

Why This Matters

For general counsel and boards of any firm selling software-enabled products into the EU, the deregulation headline is a trap. Simplification invites lower compliance investment just as disclosure duties and defect presumptions make technical records the decisive asset; the firm that trimmed its documentation to match the lighter rulebook meets the new claims regime with an empty file. The decision-architecture needing revision spans product governance, update management, supply-chain mapping, contractual risk allocation and insurance. For non-EU manufacturers, liability reaches their importers and platforms first, and recourse travels up the chain.

Decision-action posture for this signal: Prepare — exposure crystallises with products placed on the market after 9 December 2026, so the work is documentation, contracts and insurance now, with national transposition laws and the first new-regime claims as the commitment triggers.

Counter-Argument

The strongest objection: Europe's litigation channel is too weak to carry the load. Most member states have not transposed the directive and several have published no draft at all (Wolf Theiss, 21/04/2026); European courts award modest damages, without punitive multipliers, under cost rules that deter speculative claims. The same politics that deferred the AI Act can blunt liability too: the Commission has already withdrawn its separate AI Liability Directive, and Germany's hearing shows industry pressing to trim national implementation back to the minimum (Deutscher Bundestag, 13/04/2026). On this reading the handover is theoretical: a slow, fragmented claims regime replacing a paused rulebook is deregulation twice over.

The objection undercounts what has already happened. The directive is adopted law with a fixed application date; late transposition delays procedure, not exposure, for products placed after December 2026. The presumptions and disclosure rights attack precisely the evidential barriers that kept European product claims rare, and collective redress with third-party funding supplies the economics (European Commission, accessed 06/07/2026). And the policy logic runs the other way: because simplification is cutting ex-ante rules, policymakers need the liability channel to carry the protective load, which Bruegel proposes making explicit (Bruegel, 11/06/2026).

Implications

This is a durable rebalancing of European enforcement toward courts: once claimant-side economics, funding infrastructure and case law exist, they do not un-build, and the doctrine that emerges by 2029 will define what defect means for learning systems before any regulator does (Gibson Dunn, 23/03/2026). The inflection window is 2026 to 2029. Positioned to gain are litigation funders and plaintiff firms, insurers able to price the new exposure, and well-documented incumbents for whom records become a moat. Exposed are firms reading simplification as permission to under-invest, and non-EU sellers whose importers and platforms carry the first-line liability.

Early Indicators to Monitor

Disconfirming Signals

Strategic Questions

Keywords

EU Product Liability Directive; Directive (EU) 2024/2853; strict liability; software liability; AI liability; ex-post enforcement; Digital Omnibus; AI Act simplification; representative actions; evidence disclosure; litigation risk.

Bibliography

Source tiers: Tier 1, governments, regulators and intergovernmental bodies. Tier 2, think-tanks, academic institutes, major consultancies and quality data providers. Tier 3, quality journalism and specialist trade press. Tier 4, vendor, company and practitioner sources, used only as directional corroboration.


Prepared by Shaping Tomorrow: 6 July 2026