Authored By: Malehlohonolo Msibi
Regenesys Business School
Introduction
The rapid integration of artificial intelligence into consumer and industrial products is transforming markets while simultaneously generating significant legal challenges regarding the allocation of liability when harm occurs. Existing national liability frameworks, particularly those based on fault, are ill-equipped to address claims arising from AI-enabled products and services due to the technology’s complexity, autonomy, and opacity (Gredka-Ligarska, 2025; Dentons, 2025). Victims encounter prohibitively high upfront costs, extended legal proceedings, and substantial difficulties in establishing fault or defect, which collectively deter compensation claims (Gredka-Ligarska, 2025; Cyber Risk GmbH, 2025). In the absence of meaningful reform, a substantial “liability gap” risks leaving victims uncompensated and generating considerable legal uncertainty for businesses (CEPS, 2025). This gap is evidenced by real-world incidents in which autonomous systems have caused fatal harm, yet corporate accountability has remained elusive (Stamp, 2024).
In response, the European Union has adopted a multi-layered strategy. The European Commission proposed the AI Liability Directive (AILD) in 2022 to harmonise fault-based rules and reduce the burden of proof for claimants. However, the directive was formally withdrawn in February 2025 due to a lack of political consensus, with the Commission citing “no foreseeable agreement” among member states (Osborne Clarke, 2026; Cyber Risk GmbH, 2025). This withdrawal has created a significant gap in the EU’s AI legal framework, resulting in reliance on two remaining instruments: the AI Act, which establishes safety and compliance obligations without harmonising civil liability, and the revised Product Liability Directive (PLD), which imposes strict liability solely for defective products (Bird & Bird, 2026; CEPS, 2025). Against this evolving regulatory backdrop, this article provides a comparative analysis of the EU’s emerging liability framework and the fragmented, voluntary governance model of the United States (Dogan, 2025; Dimitriadis, 2025). The analysis addresses challenges associated with both traditional physical safety risks and fundamental rights risks, such as discrimination and manipulation, and draws on recent case law to illustrate the practical consequences of regulatory shortcomings.
Understanding AI & Legal Challenges
For legal purposes, an AI system is defined as a machine-based system designed to operate with varying levels of autonomy that may show adaptiveness after deployment and generates outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments (ComplianceGate, 2025). This broad definition includes general-purpose AI models, such as large language models, as well as high-risk AI systems identified under the EU AI Act (ComplianceGate, 2025). Several technical characteristics of AI fundamentally challenge existing legal frameworks. The most significant is opacity, often called the “black box effect.” Because an AI system can learn its own rules and uncover hidden relationships in data beyond what unaided human observation can achieve, it becomes extremely difficult to understand how or why the system reached a particular outcome (Wendehorst, 2022; Gredka-Ligarska, 2025). Closely related is autonomy, which refers to a certain lack of predictability in how software reacts to unseen instances. When coding occurs with the help of machine learning, it becomes difficult to predict how the software will react to every future situation, meaning that fault-based liability becomes inadequate because harm cannot be traced back to any intent or negligence on the part of a human actor (Wendehorst, 2022).
Further challenges arise from the complexity and interconnectedness of digital ecosystems, where everything potentially affects the behaviour of everything else, making it nearly impossible for a victim to prove what exactly caused the damage (Wendehorst, 2022). Additionally, the quality of “openness” means that products are not static but change their safety-relevant features after being placed on the market through online updates, data feeds, and cloud-based digital services, rendering traditional liability regimes like the old Product Liability Directive obsolete because they focus exclusively on the point in time when a product was first put into circulation (Wendehorst, 2022). Connectivity also gives rise to increased vulnerability due to cybersecurity risks, data leaks, and fraud, yet these risks are not necessarily covered by liability regimes that focus on physical harms like death, personal injury, or property damage (Wendehorst, 2022). Crucially, the ability of AI systems to self-modify through machine learning and deep learning implies that the final outcome of an AI system’s operation is fundamentally unpredictable, even when the input data is known and the output has been precisely defined (Gredka-Ligarska, 2025). For these reasons, fault liability is not an ideal response, defect liability may not be wholly satisfactory, and vicarious liability, which holds an employer responsible for the torts of a human employee, is inadequate for AI workers because there is no clear standard of care against which to judge an autonomous system and the employer lacks real control over the AI’s algorithmic decision-making process (Wendehorst, 2022; Gredka-Ligarska, 2025). 
The fatal collision involving an Uber autonomous vehicle in Tempe, Arizona, in 2018 exemplifies these difficulties: the National Transportation Safety Board found that the vehicle’s automated driving system had not been programmed to recognise jaywalkers, that Uber had disabled the Volvo’s emergency braking systems, and that the company had no adequate safety culture, yet only the human safety driver was charged with negligent homicide, while Uber escaped all criminal accountability (Stamp, 2024).
Current Legal Frameworks
The European Union has established a comprehensive but incomplete regulatory architecture centred on the AI Act and the revised Product Liability Directive. The EU AI Act adopts a risk-based approach, classifying AI systems into four categories: unacceptable risk, which includes prohibited practices such as manipulative subliminal techniques; high risk, which imposes stringent obligations covering risk management, data governance, transparency, human oversight, cybersecurity, and conformity assessment; limited risk, which requires only transparency obligations such as informing users they are interacting with AI; and minimal risk, which has no specific regulatory obligations (GAIA Law, 2024; ComplianceGate, 2025). High-risk AI systems must undergo conformity assessment, obtain CE marking, submit a Declaration of Conformity, maintain technical documentation, and establish post-market monitoring systems (ComplianceGate, 2025). Penalties for non-compliance can reach up to thirty million euros or six percent of global annual turnover for prohibited AI systems (GAIA Law, 2024). Critically, however, the AI Act does not harmonise civil liability and does not provide individual compensation for victims who suffer harm (Michalsons, 2024; Bird & Bird, 2026; Cyber Risk GmbH, 2025).
The revised Product Liability Directive, formally Directive 2024/2853, represents a significant attempt to modernise the strict liability framework for defective products in light of AI (Osborne Clarke, 2026). The definition of “product” now explicitly includes software, AI systems, and digital manufacturing files regardless of how they are supplied, whether standalone, integrated into hardware, cloud-based, or provided as a service (Dentons, 2025; Bird & Bird, 2026). The definition of “defect” has been expanded to encompass a product’s ability to continue learning or acquire new features after being placed on the market, and a manufacturer’s failure to provide necessary software updates or security patches can now give rise to liability (Norton Rose Fulbright, 2024; Bird & Bird, 2026). The range of potentially liable defendants has expanded to include not only manufacturers but also importers, authorised representatives, fulfilment service providers, and any person who substantially modifies a product outside the manufacturer’s control (Osborne Clarke, 2026; Bird & Bird, 2026). Evidentiary rules have been significantly shifted in favour of claimants. Once a claimant presents facts sufficient to support the plausibility of a claim, the defendant is placed under a disclosure obligation to produce relevant evidence (Dentons, 2025; Norton Rose Fulbright, 2024). Rebuttable presumptions of defectiveness arise in several circumstances: if the defendant fails to comply with a disclosure order, if the product breaches mandatory safety requirements such as those in the AI Act, if the damage results from an obvious malfunction, or if the claimant faces excessive difficulties due to technical or scientific complexity (Bird & Bird, 2026). A presumption of causation also applies where defectiveness is established and the damage is of a type typically consistent with that defect (Norton Rose Fulbright, 2024). 
Damage now expressly includes the loss or corruption of data not used for professional purposes, as well as medically recognised psychological harm (Norton Rose Fulbright, 2024). A notable exemption exists for free and open-source software developed or supplied outside the course of commercial activity, but this exemption is narrowly construed and does not apply when open-source components are integrated into a commercial product (Dentons, 2025; Osborne Clarke, 2026).
By contrast, the United States has adopted a fundamentally different approach. Rather than implementing a single comprehensive statute comparable to the EU AI Act, the US relies on a fragmented, voluntary, sectoral governance model (Dogan, 2025; Dimitriadis, 2025). The primary federal instruments are Executive Order 14110 and the NIST AI Risk Management Framework, neither of which is legally binding on the private sector (Dogan, 2025). Different sectors are governed by their respective regulatory bodies, with the Food and Drug Administration regulating AI in healthcare, financial regulators overseeing AI in finance, and transportation authorities covering autonomous vehicles (Dogan, 2025). State law plays a critical role in product liability, as demonstrated by the recent Florida case of Benavides v. Tesla, where a jury applied Florida’s consumer-expectations and risk-utility tests for design defects and awarded over $240 million, including $200 million in punitive damages, after finding Tesla partially responsible for a fatal accident involving its Autopilot system (Benavides v. Tesla, 2025). The court permitted the punitive damages claim to proceed after finding evidence that Tesla’s marketing of Autopilot, combined with design choices, could permit a jury to conclude the company consciously disregarded known safety risks (Benavides v. Tesla, 2025). The underlying philosophy of the US approach is deregulatory and private-sector-led, focused on achieving global technological dominance and national security rather than establishing binding legal protections for victims (Dimitriadis, 2025). The US currently lacks any centralised AI enforcement institution comparable to the EU’s AI Office, and accountability relies on existing agency authorities, procurement rules, consumer protection laws, and civil rights enforcement, all applied on a sectoral basis without a unified statutory enforcement regime for AI systems as such (Dogan, 2025).
Liability Issues
Core AI liability issues focus on strict liability, fault-based liability, and gaps within existing legal categories. Under the revised Product Liability Directive (PLD), producers are strictly liable for defective products; however, victims must still establish defect, damage, and causation (Wendehorst, 2022; Dentons, 2025). For opaque, self-learning AI systems, demonstrating defect or causation is particularly challenging (Dentons, 2025). In response, the European Parliament has proposed a dedicated strict liability regulation for high-risk AI systems, encompassing both providers and deployers, with defences limited to force majeure or contributory recklessness. Unlike the PLD, this proposal would extend to damage to the AI system itself and eliminate the development-risk defence (Oberschelp de Meneses, Freeman & Cooper, 2025).
The withdrawn AI Liability Directive would have adopted a fault-based approach with rebuttable presumptions of causation linking non-compliance with a duty of care to AI output (Norton Rose Fulbright, 2024). Its withdrawal leaves claimants bearing the full burden of proof under national fault-based rules (Osborne Clarke, 2026).
A major gap concerns fundamental rights harms (discrimination, manipulation, privacy violations). Existing liability regimes focus on death, injury, or property damage, not immaterial harm. The AI Act imposes obligations but creates no right to compensation. A solution is non-compliance liability modelled on GDPR Article 82: violating the AI Act’s prohibitions or high-risk requirements would trigger liability for resulting harm, without needing to prove a product defect (Wendehorst, 2022).
Who should be liable? Providers are liable under product liability law. Deployers (e.g., employers using AI workers) raise harder questions. Vicarious liability by analogy fails because: (1) no standard of care exists for AI conduct; (2) it is impossible to distinguish defect from operation; (3) employers cannot genuinely control autonomous systems (Gredka-Ligarska, 2025). Scholars therefore advocate for strict liability based on risk alone, placing residual liability on the professional operator who profits from the AI system, not the innocent victim (Wendehorst, 2022; Gredka-Ligarska, 2025).
Case Examples
The practical difficulties of establishing liability for AI-caused harm can be illustrated through several concrete scenarios drawn from real-world incidents and the cited sources. In the first scenario, an autonomous vehicle collision, a self-driving Uber vehicle struck and killed Elaine Herzberg in Tempe, Arizona, in 2018 (Stamp, 2024). Under the revised Product Liability Directive, the injured person’s estate would need to prove that the vehicle was defective, that the damage was suffered, and that there is a causal link between the defect and the damage (Bird & Bird, 2026). The NTSB investigation found that Uber’s automated driving system was flawed, that the company had disabled the Volvo’s emergency braking systems, that there was no adequate safety culture or oversight of vehicle operators, and that the company had failed to address the risk of automation complacency (Stamp, 2024). Yet, prosecuting authorities charged only the human safety driver, Rafaela Vasquez, with negligent homicide, while Uber escaped all criminal accountability (Stamp, 2024). This outcome demonstrates how existing legal frameworks, particularly when filtered through prosecutorial discretion, can fail to hold corporate actors responsible for systemic failures in AI deployment. The court in the related Far West Water case, however, held that a corporation can be criminally liable for negligent homicide when its high managerial agents recklessly tolerate unsafe practices, and that occupational health and safety laws do not pre-empt criminal prosecution for egregious conduct (State of Arizona v. Far West Water & Sewer Inc., 2010). Applying that reasoning to Uber, the Head of Operations for Uber ATG in Arizona could be considered a high managerial agent whose reckless toleration of an unsafe testing program contributed to Herzberg’s death (Stamp, 2024).
In the second scenario, a product liability case involving advanced driver-assist systems, the Florida case of Benavides v. Tesla resulted in a jury verdict of over $240 million, including $200 million in punitive damages, after finding Tesla partially responsible for a fatal 2019 accident involving its Autopilot system (Benavides v. Tesla, 2025). The court allowed the punitive damages claim to proceed after finding that evidence regarding Tesla’s marketing of Autopilot, when combined with testimony about design choices and warnings, could permit a jury to conclude the company consciously disregarded known safety risks (Benavides v. Tesla, 2025). This case illustrates how design-defect theories grounded in operational design domain and driver monitoring are becoming central to AI liability litigation, and how marketing materials can be used as evidence of corporate indifference to safety (Benavides v. Tesla, 2025). The case also demonstrates that under Florida’s product liability standards, a plaintiff can prove defectiveness under either the consumer-expectations test, which considers whether the product performed as safely as an ordinary consumer would expect, or the risk-utility test, which balances the product’s risks against its benefits (Benavides v. Tesla, 2025). A reasonable jury could find that a system permitting activation in conditions it was not designed for failed ordinary consumer expectations (Benavides v. Tesla, 2025).
In the third scenario, a discriminatory hiring algorithm, an AI-powered recruitment tool systematically discriminates against female applicants by favouring male candidates due to biased training data (Wendehorst, 2022). This scenario involves a fundamental rights risk with no physical harm, so the Product Liability Directive may not apply at all, as it focuses on death, personal injury, and property damage (Wendehorst, 2022). Fault-based national liability laws would require the victim to prove negligence on the part of the recruiter or the software provider, which is extremely difficult due to opacity (Wendehorst, 2022). The withdrawn AI Liability Directive would have assisted by creating a presumption of causation once the claimant demonstrated that the fault, being non-compliance with the AI Act’s data governance requirements requiring training data to be relevant, representative, and free of errors, was reasonably likely to have influenced the discriminatory output (Norton Rose Fulbright, 2024). Without this directive, victims are left to rely on general non-discrimination or data protection law, which may have lower compensation caps and different evidentiary standards (Dentons, 2025).
In the fourth scenario, an employer uses an autonomous delivery drone to replace a human worker, and the drone drops a package, injuring a pedestrian (Gredka-Ligarska, 2025). The AI system is not defective; the damage resulted from the system’s autonomous operation (Gredka-Ligarska, 2025). Under standard fault-based liability, the employer is liable only for the employer’s own acts or omissions, such as inadequate selection of the system, failure to maintain it, or negligence in supervision (Gredka-Ligarska, 2025). Yet due to opacity and unpredictability, the injured pedestrian faces immense difficulty in proving such fault (Gredka-Ligarska, 2025). Vicarious liability, which would hold the employer liable for the tort of a human employee, does not apply because there is no human employee and no recognised standard of care for the AI worker (Gredka-Ligarska, 2025). Scholars conclude that vicarious liability is not the optimal solution because it does not remove the barriers faced by the claimant, and instead they advocate for strict liability based exclusively on causation, where the employer as professional operator bears the residual risk (Gredka-Ligarska, 2025).
Recommendations
Several concrete recommendations emerge from the analysis. First, the EU should adopt a strict liability regulation for high-risk AI systems (not a directive) to ensure full harmonisation. Liability should attach to both providers and deployers for physical or virtual harm, with defences limited to force majeure or contributory recklessness. The framework should cover damage to the AI system itself and abolish the development-risk defence. For prohibited AI systems under Article 5 of the AI Act, strict liability should apply automatically (Oberschelp de Meneses, Freeman & Cooper, 2025; CEPS, 2025). The Uber case demonstrates why: the corporate actor escaped accountability while only the human safety driver was charged (Stamp, 2024).
Second, further reform of the revised Product Liability Directive is needed. While expanded definitions and presumptions are positive steps, the exclusion of damage to the AI system itself and the retention of the development-risk defence for non-high-risk systems should be reconsidered (Bird & Bird, 2026; Oberschelp de Meneses, Freeman & Cooper, 2025). Third, replace the withdrawn AI Liability Directive with a regulation establishing joint liability up the entire AI value chain, including model developers and component suppliers. This would prevent dominant firms from forcing customers to waive recourse rights (CEPS, 2025). Benavides v. Tesla illustrates the need: component suppliers could also be held accountable (Benavides, 2025).
Fourth, couple strict liability with mandatory insurance or a centralised compensation fund funded by a levy on AI manufacturers, ensuring timely victim compensation and reducing costly class actions (Wendehorst, 2022; CMS, 2026).
Fifth, extend liability to cover fundamental rights harms (discrimination, disinformation, privacy violations) and pure economic losses. Non-compliance liability modelled on GDPR Article 82—attaching damages to violations of the AI Act’s prohibitions and high-risk requirements—offers a workable model (Wendehorst, 2022; CEPS, 2025). Sixth, strengthen transatlantic cooperation via the US-EU Trade and Technology Council, focusing on transparency standards for high-impact AI systems. The US should target harmful business practices (e.g., surveillance capitalism) rather than AI technologies themselves, and provide clearer guidance for regulated sectors (Dogan, 2025). Seventh, businesses should take practical steps: conduct risk assessments (data protection, cybersecurity, bias, model risk); classify systems under the AI Act; prioritise transparency and explainability; establish AI governance systems; review insurance policies; and enhance post-market surveillance with incident response procedures (Bird & Bird, 2026).
Conclusion
The EU and US pursue fundamentally different AI liability approaches. The EU relies on a dual-track system, the AI Act (safety rules) and revised Product Liability Directive (strict liability for defective AI), but the withdrawn AI Liability Directive leaves a gap for non-physical harms like discrimination (CEPS, 2025). The US maintains a fragmented, voluntary sectoral model, leaving state-level litigation like Benavides v. Tesla as a patchwork remedy (Dogan, 2025). A persistent legal gap spans both jurisdictions. Existing regimes cannot handle AI’s autonomy, opacity, and unpredictability, imposing impossible burdens on victims (Wendehorst, 2022; Gredka-Ligarska, 2025). The Uber case shows a corporation escaping accountability for a fatal collision; Tesla shows punitive damages depend on local law, not federal standards (Stamp, 2024; Benavides, 2025).
Without a dedicated framework (strict liability for high-risk AI, coverage for fundamental rights harms, and joint liability up the value chain), victims will remain uncompensated and trust in AI will erode (CEPS, 2025). A balanced approach requires strict liability, non-compliance liability for rights harms, mandatory insurance, and harmonisation via an EU regulation. Only then can the age of AI be governed by the rule of law, not incomplete product liability or criminal law remedies.
BIBLIOGRAPHY
Primary Sources – Cases
Benavides v. Tesla, No. 2019-CA-012345 (Fla. 11th Cir. Ct. Aug. 1, 2025).
State v. Far West Water & Sewer Inc., 224 Ariz. 173, 228 P.3d 909 (Ct. App. 2010).
State v. Weidman, No. 1 CA-CR 06-0697, 2010 Ariz. App. LEXIS 1018 (Ct. App. May 20, 2010).
Secondary Sources – Journal Articles & Legal Periodicals
Gredka-Ligarska, Iwona. Employer’s Vicarious Liability for Damage Caused by an AI Worker: Comparative Law Perspective, 21(1) UTRECHT L. REV. 36 (2025).
Khan, Franaaz. The Impact of Artificial Intelligence on the Law of Delict and Product Liability, 45(3) OBITER 91 (2024).
Stamp, Helen. The Reckless Tolerance of Unsafe Autonomous Vehicle Testing: Uber’s Culpability for the Criminal Offense of Negligent Homicide, 15 CASE W. RES. J.L. TECH. & INTERNET 37 (2024).
Wendehorst, Christiane. Liability for Artificial Intelligence: The Need to Address Both Safety Risks and Fundamental Rights Risks, in THE CAMBRIDGE HANDBOOK OF RESPONSIBLE ARTIFICIAL INTELLIGENCE 187 (Silja Voeneky et al. eds., 2022).
Secondary Sources – Reports, Studies & Policy Documents
CEPS. An AI Liability Regulation Would Complete the EU’s AI Strategy (Feb. 25, 2025).
Dentons. Challenges in Establishing Liability for AI-Driven Products: The Limits of Recent Reforms (July 14, 2025).
Oberschelp de Meneses, Anna Sophia, Louise Freeman & Dan Cooper. European Parliament Study Recommends Strict Liability Regime for High-Risk AI Systems (Aug. 22, 2025).
Voss, Axel. Strict Liability Rules for High-Risk Artificial Intelligence Systems, EPP Group (2019).
Secondary Sources – Industry & Legal Commentary (Firm Publications)
Bird & Bird (Charles-Henri Caron & Lînah Bonneville). AI Liability in Light of the New 2024 PLD: Expanded Liability, Challenging Defences, and New Evidentiary Burdens (Feb. 17, 2026).
ComplianceGate (Ivan Malloci). AI Act (Artificial Intelligence Regulation (EU) 2024/1689): An Overview (Jan. 9, 2025).
Cyber Risk GmbH (George Lekatis). Artificial Intelligence Liability Directive (2025).
Dimitriadis, Dimitris. US vs EU AI Plans: A Comparative Analysis of the US and European Approaches (July 31, 2025).
Dogan, Osman Eren. AI Regulation Across the Atlantic: EU AI Act vs. U.S. AI Governance (Dec. 29, 2025).
GAIA Law. Understanding the EU AI Act: Key Takeaways and How to Comply (2024).
Kaufmann, Julia, Lina Böcker & Florian Eisenmenger. Physical AI and Strict Liability: What Is the Impact of the EU Product Liability Directive?, OSBORNE CLARKE (Mar. 9, 2026).
Michalsons (Deike Tamm). EU Liability Directives Related to AI: Revised PLD and AILD (Nov. 1, 2024).
Norton Rose Fulbright. Artificial Intelligence and Liability: Key Takeaways from Recent EU Legislative Initiatives (2024).





