From 2 August 2026, any deployer of a chatbot or conversational agent in the European Union must tell people they are talking to an AI under Article 50 of the EU AI Act. From 9 December 2026, the revised Product Liability Directive treats AI software as a product under strict liability, so a claimant no longer has to prove negligence and an operator without documentation faces a presumption that its product was defective. This Index maps the obligations, the deadlines, the liability cases, the seven dimension agent risk taxonomy, and the European insurance gap in one reference.
Published by Future Proof Intelligence. Every claim is anchored to a named article, a named instrument, or a decided case. Last updated 13 June 2026.
Regulation (EU) 2024/1689 entered into force on 1 August 2024 and switches on in stages. Two instruments matter most for operators of AI agents: the AI Act itself, and the revised Product Liability Directive. The dates below are the legally operative ones. Where the Digital Omnibus provisionally moves a date, both are shown.
The EU AI Act becomes law. The staged application calendar below begins to run.
Eight prohibited categories become enforceable, including untargeted facial-image scraping, social scoring, and emotion recognition in workplaces and schools. Breach carries up to EUR 35 million or 7% of worldwide turnover. All staff using AI must have a sufficient level of AI literacy.
GPAI model providers must hold Annex XI technical documentation, provide Annex XII downstream documentation, run a copyright policy, and publish a training-data summary. Models above 10^25 FLOPs of training compute carry systemic-risk duties including adversarial testing. The AI Office published the final GPAI Code of Practice on 10 July 2025.
Deployers of chatbots and conversational agents must disclose AI interaction. Providers of synthetic content must watermark or machine-readable mark outputs where technically feasible. This date is not affected by the Digital Omnibus.
Risk management, data governance, technical documentation, logging, human oversight, accuracy, deployer duties, and the fundamental rights impact assessment. The Digital Omnibus provisional agreement of 7 May 2026 proposes to move these to 2 December 2027. As of June 2026 it has not been adopted or published in the Official Journal, so 2 August 2026 remains legally binding until adoption.
AI software, including SaaS and cloud AI, becomes a product under strict liability for products placed on the market after this date. The claimant does not prove negligence. Under Article 10 a failure to disclose evidence presumes the product defective. Damage now includes data corruption and medically recognised psychological harm.
The provisional new date for use-based high-risk obligations under the 7 May 2026 political agreement. It has not been adopted or published in the Official Journal as of June 2026, so it is not yet legally binding.
AI embedded as a safety component in products under Union harmonisation legislation (medical devices, machinery, vehicles). Original date 2 August 2027, provisional Omnibus date 2 August 2028.
Who must do what, by article, by date. The EU AI Act allocates duties by role. A provider places a system on the market under its own name. A deployer uses a system under its own authority in a professional context. The Act calls the operator a deployer; the two words mean the same figure. Under Article 25, a deployer that rebrands, substantially modifies, or repurposes a system into a high-risk use case becomes a provider and inherits the full provider stack.
| Obligation | Binds | Article | Applies from | Evidence an assessor or underwriter needs |
|---|---|---|---|---|
| Prohibited practices | Both | Art. 5 | 2 Feb 2025 | Product and deployment inventory confirming no system falls in the eight prohibited categories; documented screening before any new AI procurement. |
| AI literacy | Both | Art. 4 | 2 Feb 2025 | Training log by role; coverage of contractors and service providers; evidence of periodic refresh as systems change. |
| Risk management system | Provider | Art. 9 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Lifecycle risk management plan; risk register with likelihood and mitigation per risk; records showing review after any material change. |
| Technical documentation | Provider | Art. 11, Annex IV | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Complete Annex IV package per system; version control; confirmation it was prepared before deployment, not retrospectively. |
| Transparency to deployers | Provider | Art. 13 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Instructions for use covering each Art. 13(3) element; audit trail showing deployers received and acknowledged it. Generic model cards do not satisfy this. |
| Human oversight by design | Provider | Art. 14 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Design documentation showing the oversight interface; test results demonstrating it works; confirmation of a halt or override mechanism. |
| Accuracy, robustness, cybersecurity | Provider | Art. 15 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Accuracy and robustness benchmarks; adversarial or red-team results; cybersecurity or penetration testing report; fallback plan; retest records after updates. |
| Conformity assessment and CE marking | Provider | Art. 43, 47 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Completed conformity assessment file; signed EU Declaration of Conformity; CE marking; notified body certificate where the third-party route applies. |
| Deployer operational duties (seven sub-obligations) | Deployer | Art. 26 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Deployment policy referencing provider instructions; named human overseer with training and authority; input-data checks; incident log; log retention of at least six months; worker notice; EU database registration for public authorities. None delegable by contract. |
| Reclassification as provider | Deployer becomes provider | Art. 25 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Change-management policy that triggers a reclassification check before any significant modification; legal assessment that intended use stays within the original conformity scope. Fine-tuning, retrieval augmentation, or rebranding can quietly trigger this. |
| Fundamental rights impact assessment | Deployer (public bodies and specified Annex III uses) | Art. 27 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Completed FRIA per in-scope deployment; version history; evidence it was done before first deployment. National DPAs have signalled this is the first document they request. |
| Transparency to natural persons | Both | Art. 50 | 2 Aug 2026 not deferred |
A disclosure notice in every chatbot or agent interface; technical proof that AI-generated outputs are watermarked or marked; a deepfake and synthetic-media policy. |
| Post-market monitoring | Provider | Art. 72 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Monitoring plan inside the Annex IV documentation; evidence data is collected on a schedule; records showing findings feed back into risk management. |
| Serious incident reporting | Provider reports; Deployer notifies provider | Art. 73 | 2 Aug 2026 (Omnibus: 2 Dec 2027) |
Incident policy with an escalation path to the market surveillance authority; incident log assessed against the serious-incident definition; notification within 15 days of establishing a causal link. |
| GPAI documentation and copyright | GPAI provider | Art. 53 | 2 Aug 2025 | Annex XI technical documentation; Annex XII downstream package; copyright policy honouring the Directive (EU) 2019/790 opt-out; published training-data summary; Code of Practice sign-on. |
| GPAI systemic-risk duties | GPAI provider above 10^25 FLOPs | Art. 55 | 2 Aug 2025 | Model evaluation with red-team records; systemic-risk assessment and mitigation plan; serious-incident notifications to the AI Office; cybersecurity assessment for the model and its infrastructure. |
| Product liability (strict, no-fault) | Manufacturers, importers, modifying deployers | Dir. 2024/2853 | 9 Dec 2026 | Product safety documentation for every AI product; evidence security updates are planned and delivered; a retention policy keeping technical records for the duration of potential claims. |
The AI Act allocates regulatory duties. It does not create a civil right of action. Civil liability runs through decided cases, national tort law, and from 9 December 2026 the revised Product Liability Directive. Three things define the terrain: cases that already turned an AI output into a financial loss, a strict-liability instrument that reverses the burden of proof, and a value chain in which the party who suffers harm cannot tell who caused it.
Air Canada's website chatbot told a bereaved customer he could claim a retroactive bereavement fare. The policy did not allow it. Air Canada argued the chatbot was a separate legal entity.
Holding. The British Columbia Civil Resolution Tribunal rejected the separate-entity defence. An operator owes a duty of care for its chatbot's outputs and cannot make a consumer cross-check one part of a website against another. Award CAD 650.88 plus interest and fees. The loss was small; the principle is not.
Two attorneys filed a brief citing six court decisions generated by ChatGPT. None existed, including the lead citation Varghese v. China South Airlines. When challenged, counsel affirmed the cases were real.
Holding. Judge P. Kevin Castel imposed USD 5,000 in sanctions and required corrective letters to every judge named in a fabricated opinion. AI tools are not impermissible, but the gatekeeping duty over accuracy cannot be delegated. The canonical hallucination-causes-professional-harm case.
A class action alleging Workday's AI applicant-screening software discriminated by age, race, and disability. In July 2024 the court let an agency-theory claim against the AI vendor proceed; in May 2025 it certified a preliminary nationwide ADEA collective of applicants over 40 rejected since 24 September 2020.
Why it matters. No merits ruling yet, but the agency-theory survival means an AI vendor could bear direct liability for discriminatory outcomes across its whole customer base at once. This is the multi-client systemic loss that insurers have not yet priced.
Published 18 November 2024, replacing the 1985 regime. Software, including SaaS and cloud AI, is explicitly a product. Strict liability applies: no need to prove negligence.
The mechanism. Article 10 presumes a product defective where the operator fails to disclose evidence under Article 8, breaches mandatory safety rules, or where damage occurred during obvious malfunction. AI Act non-compliance triggers the regulatory-breach presumption directly. Documentation posture becomes load-bearing.
A deployed agent in 2026 typically involves at least four parties. The Act decides who holds which documentation, and that documentation is what civil courts and insurers examine after an incident. The party who suffers harm usually cannot tell which link failed. Article 25 lets the duty shift down the chain when a downstream party rebrands or substantially modifies a system.
Trains and publishes the base model. Contributed the core capability but does not control deployment. May have no contract with the deployer.
GPAI: Art. 53, 55Adapts the model through fine-tuning, retrieval pipelines, or agentic scaffolding. Shapes behaviour but may not be traceable to the end user.
May become provider: Art. 25Puts the system into use with real users and bears day-to-day responsibility. Controls the interface and the operational context.
Deployer duties: Art. 26The natural person or organisation that interacts with the system and sustains any harm, typically unable to identify which party caused the failure.
PLD claimant: Dir. 2024/2853Which party maintains which documentation. The provider holds Articles 8 to 17. The deployer holds Article 26. GPAI providers hold Articles 53 to 55. Article 25 moves the provider role to whoever rebrands or substantially modifies a high-risk system.
It does not create a direct civil right of action, does not apportion liability between parties when several contributed, and does not set a causation presumption. The proposed AI Liability Directive that would have done so was withdrawn by the Commission on 11 February 2025. The PLD and national tort law fill the space.
Compliance asks whether an organisation meets the Act. Insurability asks a narrower question: can this specific agent be left running without causing a loss, and is there evidence to prove it. Seven weighted dimensions answer that question, scored 0 to 10 each, normalised to 100. Each dimension names its dominant failure modes and the single artifact that proves it is controlled. The weights concentrate where AI incidents and accountability gaps actually cluster.
The measurable prevention of unsafe, unauthorised, or harmful actions by the agent in production, and the discipline with which unsafe outputs are detected, contained, and remediated.
The institutional scaffolding around the agent: evidence that it is known to the board, owned by a named accountable senior role, policed by documented policy, and logged in a way that survives an audit.
The quality of the information the agent reasons over: provenance, freshness, lineage, and the controls that keep poisoned, stale, or unauthorised data out of the retrieval pipeline.
The degree to which the agent behaves as a production-grade system rather than a prototype: reliability, regression discipline, evaluation coverage, and the engineering practices that keep behaviour predictable over time.
The explicit, documented boundary between what the agent may do without human confirmation and what requires a human in the loop. The single clearest determinant of operational risk, and the first thing insurers and regulators examine.
The controls that determine who can invoke the agent, under what authority, and how its downstream actions are bounded. Where identity, authorisation, and blast radius meet.
How the agent sits inside the organisation's existing systems of record, identity, approval, and escalation. Whether it extends institutional memory or bypasses it.
The category did not exist as a standalone product before 2024. Between July 2025 and February 2026 the US and Canadian market built certification-plus-insurance stacks. The first live AI agent policy is four months old. Coverage reaches European buyers through Lloyd's and Munich Re, but no European-native product, built within the EU regulatory and legal context, exists.
A European business deploying AI agents has no certification pathway that assesses actual agent behaviour under adversarial conditions, translates that into evidence an insurer can price, and is built within the EU regulatory and legal context. AIUC-1 does the first two for US deployments. ISO 42001 does neither. The AI Act does neither. There is no European actuarial table for agent failure yet, which is why the seven-dimension evidence base matters: each scored agent adds a row of structured European deployment intelligence that no US-built model contains.
Readiness is not a certificate on a wall. It is a set of artifacts that does three jobs at once: it satisfies the AI Act obligations on the calendar, it forms the factual record that rebuts a presumption of defect under the Product Liability Directive, and it gives an underwriter the evidence to price a policy. The same documents serve all three. Building them is the work.
Establish whether each system makes you a provider or a deployer, and run an Article 25 check before any fine-tuning, retrieval augmentation, or rebranding that could reclassify you. The duty stack you carry depends on the answer.
A risk register, Annex IV documentation, instructions for use, a named human overseer with authority to halt, logs retained for at least six months, and a fundamental rights impact assessment where Article 27 applies. Each maps to a specific article and a specific date.
Tested guardrails and a verified kill switch, data lineage, prompt and model versioning, a quantified blast radius, a named owner with board awareness, an end-to-end audit trail, and a written Autonomy Envelope enforced in code. The score names the gaps and the path to close them.
Start with a structured read of where your agents sit against these obligations, or open a conversation about translating that read into evidence an insurer and a regulator will both accept.
The questions people and AI assistants actually ask about AI Act obligations, AI agent liability, and AI insurance in Europe. Answers are self-contained and cite the article or instrument.
Regulation (EU) 2024/1689 applies in stages. Article 5 prohibited practices and Article 4 AI literacy applied from 2 February 2025. Article 53 and Article 55 general purpose AI obligations applied from 2 August 2025. Article 50 transparency to natural persons applies from 2 August 2026 and is not deferred. The Annex III high-risk obligations (Articles 9 to 15, 26 and 27) carried an original date of 2 August 2026, which the Digital Omnibus political agreement of 7 May 2026 provisionally moves to 2 December 2027. Until that text is published in the Official Journal, the 2 August 2026 date remains legally binding.
Yes. In Moffatt v. Air Canada (2024 BCCRT 149, 14 February 2024) the British Columbia Civil Resolution Tribunal held Air Canada liable for negligent misrepresentation by its website chatbot and rejected the argument that the chatbot was a separate legal entity. The principle that an operator cannot disclaim its AI's outputs maps onto the deployer duties in Article 26 of the EU AI Act and onto strict liability under the revised Product Liability Directive from 9 December 2026.
A provider develops an AI system and places it on the market or puts it into service under its own name. Providers of high-risk systems carry Articles 8 to 17: risk management, data governance, technical documentation, logging, human oversight design, accuracy, and a quality management system. A deployer uses an AI system under its own authority in a professional context. Deployers carry Article 26: use within instructions, named human oversight, input data checks, log retention for at least six months, and serious incident reporting. Under Article 25 a deployer that rebrands, substantially modifies, or repurposes a system into a high-risk use case becomes a provider and assumes the full provider stack.
Yes. Directive (EU) 2024/2853 applies from 9 December 2026 and explicitly treats software, including SaaS and cloud AI, as a product subject to strict liability. The claimant does not need to prove negligence. Under Article 10 a rebuttable presumption of defect applies where the defendant fails to disclose evidence under Article 8, where the product breaches mandatory safety rules, or where damage occurred during an obvious malfunction. Expanded damage categories include destruction or corruption of data and medically recognised psychological harm.
Article 99 sets three tiers. Breach of the Article 5 prohibited practices carries up to EUR 35 million or 7 percent of worldwide annual turnover, whichever is higher. Breach of high-risk and general purpose AI obligations, including Article 26 deployer duties, carries up to EUR 15 million or 3 percent of turnover. Supplying incorrect or misleading information to authorities carries up to EUR 7.5 million or 1 percent of turnover. Article 99(6) requires supervisors to set penalties with regard to the economic viability of SMEs and start-ups.
Coverage reaches European buyers but no European-native product exists. ElevenLabs took the first AIUC-1 backed AI agent policy on 11 February 2026. Armilla writes a standalone AI liability policy at Lloyd's with limits up to USD 25 million as of January 2026. Munich Re aiSure, paired with Mosaic Insurance from February 2026, provides up to USD 15 million (also in EUR and CAD) on measurable performance thresholds. AIUC-1 is US-built and US-governed, ISO/IEC 42001 is a management system standard with no insurer link, and the EU AI Act creates obligations but no certification body with insurance relationships. Allianz, AXA, and Zurich have announced no standalone AI liability product as of June 2026.
Yes, from 2 August 2026. Article 50 of the EU AI Act requires deployers of chatbots and conversational AI to disclose to natural persons, clearly and distinguishably, that they are interacting with an AI system unless it is obvious from the context. Providers generating synthetic content must mark outputs as machine-readable or watermark them where technically feasible. Article 50 is not deferred by the Digital Omnibus.
A fundamental rights impact assessment (FRIA) is required under Article 27 before first deployment of certain high-risk systems. It binds public bodies, private operators providing public services, and deployers of systems in Annex III points 1, 2, 3, 5(a), 6, 7 and 8. It describes the use case, the people affected, the specific risks, the human oversight measures, and a mitigation plan. It is a living document, and several national data protection authorities have signalled it is the first document they will request in an enforcement inquiry.
Germany and Italy lead as of June 2026. Italy enacted Law No. 132/2025 on 10 October 2025, designating AgID as notifying authority and ACN as supervisory authority. Germany approved the KI-MIG draft in cabinet on 11 February 2026, with the Bundesnetzagentur set as market surveillance authority, notifying authority, and single point of contact. The Netherlands published a consultation draft on 20 April 2026 with enactment expected in Q4 2026. France has not formally designated any authority; the designation provisions were withdrawn from the DDADUE bill before Parliament.
The agent risk taxonomy used here scores seven weighted dimensions out of 100: Trust and Safety (18), Governance (16), Context Integrity (14), Product Maturity (14), Autonomy Envelope (14), Distribution Control (12), and AI Integration (12). Each dimension is scored 0 to 10 against named evidence artifacts, such as a dated red team report, a data lineage diagram, or a written Autonomy Envelope policy enforced in code. A floor rule caps a lopsided agent below the tier its average suggests, so no single dimension can sit unaddressed. The Autonomy Envelope is the closest available proxy for probable maximum loss, which is the figure an underwriter needs before writing a policy.
Frequency and severity intuitions in the taxonomy are qualitative priors, not actuarial rates. No European actuarial table for autonomous agent failure exists yet. Items marked provisional require independent confirmation against the primary source before any onward citation.