Skip to main content
AI Standard of Care
  1. AI Legal Resources/

EU AI Act Liability Guide: Compliance, Enforcement & Professional Standards

·13 mins
Resources EU AI Act AI Liability European Union AI Compliance Extraterritorial Product Liability Directive AI Liability Directive High-Risk AI GPAI AI Regulation
Table of Contents

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive AI law, and it applies to companies worldwide. If your AI system is used in the European Union, you’re subject to EU jurisdiction regardless of where your headquarters is located. For US companies serving European markets, this creates significant compliance obligations and liability exposure that cannot be ignored.

This guide provides a liability-focused analysis of the EU AI Act, covering enforcement mechanisms, penalty structures, the implications of the AI Liability Directive’s withdrawal, and sector-specific compliance considerations for healthcare, legal services, financial services, and robotics.

Extraterritorial Scope: Why US Companies Must Comply
#

The AI Act Applies to US Companies

Like GDPR before it, the EU AI Act has extraterritorial reach. You must comply if:

  • You place AI systems on the EU market
  • Your AI system’s outputs are used within the EU
  • You deploy AI affecting EU users, even from US servers
  • EU-based clients use your AI tools

Geographic location provides no exemption. Non-EU providers must appoint an EU-based authorized representative.

Who Falls Under the AI Act?
#

Providers (Article 3(3)): Companies that develop or have AI systems developed and place them on the EU market under their name or trademark.

Deployers (Article 3(4)): Organizations using AI systems under their authority, distinct from personal, non-professional use.

Importers and Distributors (Articles 3(6), 3(7)): Companies bringing third-party AI systems into the EU market.

Authorized Representatives (Article 22): Non-EU providers must designate an EU-based representative before placing high-risk AI on the market. Representatives bear compliance responsibility and face direct enforcement action.

Practical Implications for US Companies
#

Business ScenarioAI Act Applies?Key Obligations
SaaS product with EU customersYesConformity assessment, documentation, EU representative
AI tool accessed by EU employees of US companyLikely yesRisk assessment, transparency obligations
AI service for EU-based clientsYesFull compliance based on risk tier
Internal AI for US operations onlyNoNo EU obligations (unless outputs reach EU)

Risk-Based Classification System
#

The AI Act categorizes AI systems into four risk tiers, with obligations escalating by risk level.

Tier 1: Prohibited AI Practices
#

These AI applications are banned outright, effective February 2, 2025:

Cognitive Manipulation:

  • AI exploiting vulnerabilities of specific groups (age, disability)
  • Subliminal techniques causing physical or psychological harm

Social Scoring:

  • Government evaluation of individuals based on social behavior or personality characteristics
  • Systematic classification leading to detrimental treatment

Predictive Policing (individual-level):

  • AI predicting criminal behavior based solely on profiling or personality traits

Biometric Systems:

  • Real-time remote biometric identification in public spaces (limited law enforcement exceptions)
  • Emotion recognition in workplaces and educational institutions
  • Biometric categorization inferring race, political opinions, religion, or sexual orientation

Facial Recognition:

  • Untargeted scraping of facial images from internet or CCTV for database creation

Penalties for Prohibited Practices: Up to €35 million or 7% of global annual turnover, whichever is higher.

Tier 2: High-Risk AI Systems
#

High-risk AI faces the most extensive obligations, fully applicable August 2, 2026 (extended to August 2, 2027 for AI in regulated products).

Annex I Systems (AI in regulated products):

  • Medical devices (EU Regulation 2017/745)
  • In vitro diagnostic devices
  • Machinery and equipment
  • Radio equipment
  • Civil aviation
  • Motor vehicles and components
  • Marine equipment

Annex III Systems (standalone high-risk):

CategoryExamples
Biometric identificationRemote identification systems (non-real-time)
Critical infrastructureAI in energy, water, transport networks
EducationAI determining access to education, student assessment
EmploymentRecruitment tools, performance evaluation, termination decisions
Essential servicesCredit scoring, insurance pricing, emergency dispatch
Law enforcementEvidence evaluation, polygraph alternatives, profiling
Migration/asylumApplication assessment, border control
JusticeSentencing assistance, legal research

High-Risk Obligations:

  1. Risk management system, Continuous identification and mitigation of risks
  2. Data governance, Training data quality, bias testing, documentation
  3. Technical documentation, Comprehensive records before market placement
  4. Record-keeping, Automatic logging of AI operations
  5. Transparency, Clear instructions for deployers
  6. Human oversight, Mechanisms for human intervention
  7. Accuracy, robustness, cybersecurity, Performance standards
  8. Conformity assessment, Third-party or self-assessment depending on category
  9. EU database registration, Public registration before deployment
  10. Post-market monitoring, Ongoing performance surveillance

Tier 3: Limited Risk AI
#

Requires transparency obligations only:

  • Chatbots: Users must be informed they’re interacting with AI
  • Emotion recognition: Subjects must be notified
  • Biometric categorization: Notification required
  • Deep fakes/synthetic media: Must be labeled as AI-generated

Effective August 2, 2025.

Tier 4: Minimal Risk AI
#

Largely unregulated:

  • Spam filters
  • AI-enabled video games
  • Basic recommendation systems
  • Consumer applications without high-risk characteristics

General-Purpose AI (GPAI) Requirements
#

Foundation models and large language models face dedicated requirements effective August 2, 2025.

All GPAI Models
#

Documentation Requirements:

  • Technical documentation describing capabilities and limitations
  • Training data summary (sufficiently detailed for understanding)
  • Copyright compliance documentation
  • Energy consumption metrics

Transparency:

  • Clear labeling of AI-generated content
  • Disclosure of training methodologies
  • Cooperation with downstream deployers on compliance

Systemic Risk GPAI
#

Models with “systemic risk”, determined by computational power thresholds (10^25 FLOPs) or European Commission designation, face additional requirements:

  • Model evaluation with standardized protocols
  • Adversarial testing (red-teaming)
  • Serious incident reporting to EU AI Office
  • Cybersecurity protections for model weights
  • Energy efficiency documentation

Current threshold: Approximately GPT-4 class models and above.

Liability Framework and Enforcement
#

The AI Liability Directive Withdrawal
#

February 2025: AI Liability Directive Withdrawn

On February 11, 2025, the European Commission withdrew its proposed AI Liability Directive from the 2025 Work Programme, citing “no foreseeable agreement” among Member States.

What the Directive Would Have Provided:

  • Presumption of causation when AI non-compliance caused harm
  • Court-ordered disclosure of AI training and operational data
  • Lowered burden of proof for victims of AI harm

Without It: Victims must prove AI caused harm under existing national tort laws, often requiring expensive expert testimony and facing information asymmetry against AI developers.

The withdrawal was formally confirmed in October 2025. Executive Vice-President Henna Virkkunen defended the decision, arguing the directive would have created fragmented rules across Member States and that new liability frameworks should wait until the AI Act is fully implemented.

Critics’ Response: MEP Axel Voss warned of a “Wild West” approach to AI liability. The Center for Democracy and Technology expressed concern that victims of AI harm now lack adequate legal recourse.

The Product Liability Directive (December 2026)
#

While the AI Liability Directive failed, the revised Product Liability Directive (Directive (EU) 2024/2853) succeeds, and it explicitly covers AI.

Key Changes Effective December 9, 2026:

Old DirectiveNew Directive
“Products” = tangible goodsSoftware and AI systems are products
Manufacturing defects focusDesign, manufacturing, and algorithmic defects
Producer liability onlyImporter and authorized representative liability
No disclosure mechanismsCourt-ordered disclosure of technical data
€500 damage thresholdThreshold eliminated

What This Means:

  • AI developers face strict liability for defective AI systems causing harm
  • Victims don’t need to prove fault, only defect and causation
  • Software updates that introduce defects create new liability
  • Failure to update known vulnerabilities can constitute defect

Penalty Structure
#

The AI Act establishes three penalty tiers:

Violation CategoryMaximum Penalty
Prohibited AI practices€35M or 7% global turnover
High-risk system violations€15M or 3% global turnover
Incorrect information to authorities€7.5M or 1.5% global turnover

For SMEs and startups, penalties are calculated at the lower absolute amount or percentage.

Enforcement Architecture
#

National Level:

  • Each Member State designates Market Surveillance Authorities
  • Authorities can order withdrawal from market, impose fines, require modifications

EU Level:

  • European AI Office (established 2024) coordinates enforcement
  • Directly supervises GPAI providers
  • Develops guidelines, codes of practice, and technical standards

Private Enforcement:

  • Product Liability Directive enables civil claims
  • National courts hear cases under Member State law
  • Cross-border claims possible under Brussels Regulation

Sector-Specific Compliance
#

Healthcare AI
#

AI in healthcare faces some of the strictest requirements under both the AI Act and EU medical device regulations.

Classification:

  • Most diagnostic/therapeutic AI: High-risk (Annex I via Medical Device Regulation)
  • Administrative AI (scheduling, billing): Lower risk unless affecting care decisions

Key Obligations:

  • Clinical evaluation and post-market clinical follow-up
  • CE marking under MDR plus AI Act conformity
  • Integration with existing medical device quality management systems
  • Enhanced cybersecurity for connected devices

Liability Exposure:

  • Product liability for defective medical AI
  • Professional negligence if clinicians over-rely on AI
  • Hospital liability for inadequate AI governance

Professional Standard Implications: Healthcare providers deploying AI must establish:

  • Clinical validation protocols before use
  • Human oversight requirements
  • Documentation of AI-assisted decisions
  • Training for clinical staff on AI limitations

Legal Services AI#

AI in legal practice triggers both high-risk classification and professional responsibility concerns.

Classification:

  • AI for legal research/document drafting: Limited risk (transparency required)
  • AI assisting judicial decisions: High-risk (Annex III)
  • AI in access to justice contexts: High-risk

Professional Implications: EU Member States impose professional obligations on lawyers using AI:

  • Duty to verify AI-generated legal content
  • Prohibition on delegating professional judgment to AI
  • Client disclosure requirements for AI use
  • Competence requirements for AI tool selection

Liability Exposure:

  • Malpractice if AI hallucinations go unchecked
  • Breach of confidentiality if AI processes client data improperly
  • Regulatory discipline for inadequate AI oversight

See: Legal AI Hallucination Cases for documented disciplinary actions.

Financial Services AI
#

Financial AI faces layered regulation under the AI Act and sectoral financial regulations.

Classification:

  • Credit scoring: High-risk (Annex III)
  • Insurance risk assessment: High-risk
  • Fraud detection: Varies by implementation
  • Robo-advisors: High-risk if affecting significant financial decisions

Regulatory Overlay:

  • European Banking Authority (EBA) guidelines on AI in credit
  • EIOPA guidance on AI in insurance
  • MiFID II suitability requirements for AI investment advice
  • DORA (Digital Operational Resilience Act) cybersecurity requirements

Liability Exposure:

  • Discrimination claims for biased lending/insurance AI
  • Consumer protection violations for opaque AI decisions
  • Regulatory fines for DORA non-compliance
  • Professional liability for unsuitable AI-driven advice

Robotics and Autonomous Systems
#

Physical AI systems, including industrial robots, autonomous vehicles, and service robots, face overlapping product safety and AI Act requirements.

Classification:

  • Industrial robots: High-risk (Annex I via Machinery Regulation)
  • Autonomous vehicles: High-risk (Annex I via vehicle type approval)
  • Service robots: Varies by function and risk profile
  • Drones: High-risk if in critical infrastructure

Key Regulatory Overlap:

  • Machinery Regulation (EU) 2023/1230 (replacing Machinery Directive)
  • General Product Safety Regulation 2023/988
  • Motor Vehicle Type Approval regulations
  • AI Act conformity for AI components

Liability Exposure:

  • Product liability for physical harm from robotic systems
  • Strict liability under Product Liability Directive
  • Potential criminal liability for serious safety violations
  • Workers’ compensation implications for workplace robot injuries

See: Agentic AI Liability for autonomous system liability analysis.

Employment and HR AI
#

AI in employment decisions faces some of the AI Act’s most prescriptive requirements.

Classification: All of the following are high-risk:

  • AI for job advertisement targeting
  • Recruitment and applicant screening
  • Candidate assessment and selection
  • Performance monitoring and evaluation
  • Promotion and termination decisions

Key Obligations:

  • Bias testing and documentation
  • Human review of AI-influenced decisions
  • Transparency to job applicants about AI use
  • Record retention for audit purposes

Liability Exposure:

  • Employment discrimination claims
  • GDPR violations for automated decision-making (Article 22)
  • Works council/union challenges in jurisdictions with co-determination
  • Individual complaints to data protection authorities

Implementation Timeline
#

DateMilestoneKey Actions Required
August 1, 2024AI Act enters into forceBegin compliance planning
February 2, 2025Prohibited practices banned; AI literacy requiredEnsure no prohibited AI; train staff
August 2, 2025GPAI rules apply; governance operationalFoundation model documentation
December 9, 2026Product Liability Directive effectiveProduct liability readiness
August 2, 2026High-risk requirements fully applicableConformity assessments complete
August 2, 2027Extended deadline for regulated productsAnnex I system compliance

Compliance Recommendations for US Companies
#

Immediate Actions (2025)
#

  1. Inventory AI systems, Map all AI deployments with EU market exposure
  2. Classify by risk tier, Determine which systems are high-risk, limited risk, or minimal risk
  3. Assess prohibited practices, Ensure no prohibited AI applications
  4. GPAI evaluation, If deploying foundation models, prepare documentation requirements
  5. Appoint EU representative, Required for non-EU providers of high-risk systems

Medium-Term Actions (2025-2026)
#

  1. Technical documentation, Develop comprehensive documentation for high-risk systems
  2. Conformity assessment planning, Determine self-assessment vs. third-party assessment needs
  3. Bias testing protocols, Implement and document bias testing for applicable systems
  4. Human oversight mechanisms, Design intervention capabilities into AI workflows
  5. Incident response procedures, Prepare for AI Office incident reporting

Governance Structure
#

AI Governance Framework

Organizations should establish:

  • AI Governance Committee with board-level oversight
  • AI Risk Officer or designated compliance function
  • Technical Documentation Repository for regulatory access
  • Incident Response Team for AI-related events
  • Training Program for AI literacy across the organization

Frequently Asked Questions
#

Does the EU AI Act apply to my US company?

If your AI system is placed on the EU market or your AI system’s outputs are used within the EU, yes, the AI Act applies regardless of where your company is headquartered. You must appoint an EU-based authorized representative before placing high-risk AI systems on the market. SaaS products accessed by EU users, AI tools used by EU-based clients, and AI services with EU-accessible outputs all trigger compliance obligations.

What happened to the EU AI Liability Directive?

The European Commission withdrew the AI Liability Directive proposal in February 2025, formally confirming withdrawal in October 2025. The directive would have created a presumption of causation when AI non-compliance caused harm and enabled court-ordered disclosure of AI training data. Without it, victims of AI harm must prove causation under existing national tort laws, a significantly higher burden. The revised Product Liability Directive (effective December 2026) partially fills this gap by treating AI as a product subject to strict liability.

When do high-risk AI requirements take effect?

High-risk AI system requirements become fully applicable August 2, 2026. For high-risk AI that is a safety component of products already covered by EU product safety legislation (Annex I systems like medical devices, machinery, vehicles), the deadline is extended to August 2, 2027. However, prohibited AI practices were banned February 2, 2025, and GPAI requirements apply from August 2, 2025.

What are the maximum penalties under the AI Act?

Penalties reach up to €35 million or 7% of global annual turnover for prohibited AI practices, €15 million or 3% for other high-risk system violations, and €7.5 million or 1.5% for providing incorrect information to authorities. For SMEs and startups, the lower of the absolute amount or percentage applies. These penalties can be imposed by national Market Surveillance Authorities.

How does the Product Liability Directive affect AI liability?

The revised Product Liability Directive (effective December 9, 2026) explicitly classifies software and AI systems as “products” subject to strict liability. This means AI developers can be held liable for defective AI causing harm without the victim needing to prove fault, only defect and causation. The directive also enables court-ordered disclosure of technical information from AI providers, addressing information asymmetry that previously benefited defendants.

Can my company face liability for AI hallucinations under EU law?

Yes. If AI-generated content causes harm, such as false medical information, fabricated legal citations, or defamatory statements, your company may face liability under the Product Liability Directive (for defective AI products), consumer protection laws, national tort law (for negligence), and professional liability frameworks (for regulated professions). The AI Act also requires transparency about AI limitations, and failure to adequately warn users could support liability claims.

Related Resources#

AI Standard of Care Resources:

Sector-Specific Guidance:

Need EU AI Act Compliance Guidance?

The EU AI Act creates binding obligations for companies worldwide. From risk classification to conformity assessment to liability exposure, understanding your compliance requirements is essential. Our resources help you navigate AI regulation across jurisdictions.

Explore AI Compliance Resources

Related

International AI Regulation: A Global Comparison

··10 mins
Resources EU AI Act UK AI Regulation China AI Canada AIDA International AI Bletchley Declaration AI Governance AI Compliance
As AI systems become integral to commerce, healthcare, and daily life, jurisdictions worldwide are racing to establish regulatory frameworks. The approaches vary dramatically, from the EU’s comprehensive risk-based legislation to the UK’s sector-specific principles, from China’s content-focused rules to Canada’s failed attempt at comprehensive AI law. Understanding these frameworks is essential for any organization deploying AI across borders.

US State AI Laws: Comprehensive Guide to State-Level AI Regulation

·19 mins
Resources State AI Laws Colorado AI Act Illinois BIPA NYC Local Law 144 California CCPA Texas AI Laws Utah AI Policy Act Tennessee ELVIS Act Algorithmic Discrimination Biometric Privacy AI Compliance
While federal AI legislation remains in development, US states have moved aggressively to regulate artificial intelligence. From Colorado’s comprehensive AI discrimination law to Illinois’ biometric privacy statute generating hundreds of lawsuits annually, state-level AI regulation creates a complex patchwork of compliance obligations that varies dramatically by jurisdiction, industry, and use case.

AI Regulatory Agency Guide: Federal Agencies, Enforcement Authority, and Engagement Strategies

·15 mins
Resources AI Regulation FTC FDA EEOC CFPB Federal Agencies Regulatory Compliance Enforcement
Introduction: The Fragmented AI Regulatory Landscape # The United States has no single AI regulatory agency. Instead, AI oversight is fragmented across dozens of federal agencies, each applying its existing statutory authority to AI systems within its jurisdiction. The Federal Trade Commission addresses AI in consumer protection and competition. The Food and Drug Administration regulates AI medical devices. The Equal Employment Opportunity Commission enforces civil rights laws against discriminatory AI. The Consumer Financial Protection Bureau oversees AI in financial services.

Negligence Per Se: When AI Regulatory Violations Create Automatic Liability

·13 mins
Resources Negligence per Se Statutory Violations HIPAA FCRA ECOA AI Regulation Regulatory Compliance Automatic Liability
The Doctrine That Changes Everything # When an AI system violates a federal or state statute designed to protect a class of persons, injured plaintiffs may not need to prove that the defendant breached the standard of care. Under the doctrine of negligence per se, the statutory violation itself establishes negligence, transforming regulatory non-compliance into a powerful litigation weapon.

Res Ipsa Loquitur: When AI Failures Speak for Themselves

·15 mins
Resources Res Ipsa Loquitur Burden Shifting Black Box AI Explainability Negligence AI Liability Circumstantial Evidence
The Doctrine That Solves AI’s Black Box Problem # Artificial intelligence systems are often described as “black boxes”, systems where inputs go in and outputs emerge, but the internal reasoning remains opaque even to their creators. This opacity creates a fundamental litigation problem: how can an injured plaintiff prove what went wrong inside a system that nobody can fully explain?

AI Product Liability: From Negligence to Strict Liability

·15 mins
Resources Product Liability AI LEAD Act Strict Liability Design Defect Software as Product AI Regulation
The Paradigm Shift # For decades, software developers enjoyed a shield that manufacturers of physical products never had: software was generally not considered a “product” subject to strict liability under U.S. law. If software caused harm, plaintiffs typically had to prove negligence, that the developer failed to exercise reasonable care.