The EU AI Liability Directive: Implications for Product Certification

The European Commission published a proposal for a directive for the AI Liability Directive on 28^th September 2022. This directive is a legal framework aimed at addressing the complexities of assigning liability in cases involving AI systems. In the draft, it is proposed to introduce specific new rules which will apply to damage caused by AI/ML systems. It is designed to harmonise rules across member states, enhance consumer protection, and create clear pathways for redress when AI systems cause harm. For companies navigating product certification, the directive brings new challenges.

Key Features of the AI Liability Directive

The AI Liability Directive establishes specific rules for attributing liability in cases where AI systems cause damage, focusing on two main goals:

1. Reducing the burden of proof: Persons harmed by AI/ML systems no longer need to explain the technical complexities of an AI system to demonstrate its malfunction or harmful impact, and will have the same level of protection as for other product liability claims. The Product Liability Directive is also proposed to be revised in parallel.
2. Enabling greater transparency: Companies deploying AI systems may be required to provide detailed documentation to aid investigations, including information used during product certification processes, with national courts having the power to order disclosure of evidence.

The outcome of a study published on the 19^th September 2024 was to propose that the AI Liability Directive be extended in scope to include general purpose AI systems and software.

Impact on Product Certification

Product certification processes are integral to ensuring that products meet specific safety, quality, and performance standards. The AI Liability Directive reshapes these processes in several ways:

1. Heightened Standards for Risk Assessment

Companies will need to conduct more thorough risk assessments during certification, especially for high-risk AI systems. These assessments must now consider the potential legal liabilities associated with the deployment of AI in real-world environments, requiring an intersection of technical, legal, and ethical expertise.

2. Increased Documentation Requirements

Documentation is critical for certification and compliance. Under the directive, companies may be required to maintain detailed records not only about the training data, algorithms, and decision-making processes of their AI systems but also about their lifecycle performance and safety tests. These documents could be requested in liability investigations, incentivising businesses to adopt more robust certification and data retention protocols.

3. Enhanced Post-Market Monitoring

The directive aligns with the AI Act’s emphasis on ongoing monitoring of AI systems after market entry. Certification bodies and manufacturers will need to implement continuous monitoring frameworks to detect and address risks arising from changes in AI performance or new external factors.

4. Shift in Responsibility Across the Supply Chain

Product certification processes will increasingly require coordination across the supply chain. Component suppliers, developers, and integrators must work together to ensure that certified AI systems remain compliant and traceable, as liability could extend to multiple parties. In the case of autonomous vehicles, for instance, insurance companies are likely to require that reimbursement can be claimed from manufacturers should the fault be determined to be with the software or systems of the vehicle, which may in turn be supplied by a third party to the vehicle manufacturer.

The strict control of the software, data and other parameters of an AI/ML system as detailed above is therefore necessary to prove compliance at time of delivery of a product and after subsequent updates. Initiatives such as the TechWorks TAIBOM project can go a long way to ensuring an appropriate level of integrity in the supply chain exists to comply with the directive.

TAIBOM