EU AI Act: Is my company affected?
The EU AI Act applies in stages. Here is what small and mid-sized companies need to know, which obligations kick in, and why panic is the wrong advisor.
Who is liable if the AI agent makes an error? Contract law, liability exclusion, and escalation model explained for SMEs.

The AI agent answers twenty customer inquiries at night, books appointments, and creates offers. On Monday morning, it becomes apparent: one inquiry was assigned incorrectly, an offer was sent with the wrong price. For many SMEs, the actual question at this moment is not technical, but legal in nature: Who bears the damage—the provider of the automation or the company itself?
The use of AI does not initially change the fundamental principles of contract law: whoever violates a contractual or statutory obligation is liable, regardless of whether a human or an AI system caused the concrete error. This is also confirmed by the classification of the specialist portal Legal Tribune Online on liability in AI use. For an SME, this means in practice: whoever operates and controls the AI agent bears responsibility to their own customers first and foremost, regardless of whether the cause lies in their own process or in the software used. Only in the second step does the question arise whether and to what extent the company can pass on the damage to the automation or software provider internally, and the contract with this provider regulates exactly that.
Whether an automation project is classified as a contract for work or as a service contract significantly determines how strict the liability is. With a contract for work, the provider owes a specific, defect-free result: if the AI agent consistently delivers incorrect results due to a configuration or training error, this is a defect for which remediation, reduction, or damages can be demanded regardless of fault. With a service contract, the provider, on the other hand, only owes diligent effort, not a specific result; liability here typically requires demonstrable fault. In many automation projects, this is not clearly separated contractually, although this classification is decisive in case of dispute.
A liability exclusion for AI errors is only reliable if it reflects technical reality and remains comprehensible to both parties, as the law firm Herfurtner notes in their assessment of AI liability exclusion. Moreover, a complete liability exclusion in terms and conditions is regularly ineffective once gross negligence, intent, or violation of material contractual obligations comes into play. In practice, a liability limitation instead of a total exclusion has proven successful: a maximum liability amount per damage incident, exclusion of indirect consequential damages such as lost profit, and a gradation according to degree of fault. An SME that signs an automation contract should see exactly these three points specifically named, rather than relying on a blanket clause.
An AI agent that automatically escalates to a human when uncertain instead of deciding independently significantly reduces liability risk because the final decision demonstrably remains with a person. We build AI agents for clients at NordFlux following exactly this principle: edge cases, such as unusually high invoice amounts or contradictory customer data, are not automatically waved through but escalated to a human for approval. This is not a legal formality but lived due diligence: a complete record of who made or approved which decision when is often the crucial evidence in case of dispute that the company took its control obligations seriously. Anyone planning automation should establish these escalation thresholds from the beginning in their own AI consulting, not only after the first error occurs.
With the reformed EU Product Liability Directive, software and AI systems are for the first time explicitly considered products in the sense of liability law, as the law firm Bird & Bird outlines in their assessment of the new directive. Member States must transpose the directive into national law by December 9, 2026; for products placed on the market after that, a reversal of burden of proof also applies for complex AI systems: no longer must the injured party prove the defectiveness, but the provider must prove freedom from defects. In parallel, from August 2, 2026, the full obligations of the EU AI Act apply for high-risk systems, with fines of up to 35 million euros or 7 percent of global annual turnover. For most automation in SMEs, as we have shown in our article on the EU AI Act for SMEs, this is not the decisive hurdle, but an additional reason to review contracts with automation partners now rather than in 2027.
This assessment does not replace legal advice in individual cases. For specific contract drafting, particularly liability clauses and escalation thresholds, a review by a specialist lawyer for IT law is recommended.
By Simon Glowik, published on July 9, 2026.
Toward its own customer, initially the company that deploys and controls the AI agent is liable. Whether and to what extent damages can subsequently be claimed from the automation or software provider is determined by the contract concluded with that provider, particularly the liability clauses agreed upon there.
With a contract for work, the provider owes a concrete, defect-free result and is liable for defects regardless of fault. With a service contract, the provider owes only diligent effort; liability here typically requires demonstrable fault.
No, a complete liability exclusion in terms and conditions is regularly ineffective once gross negligence, intent, or material contractual obligations are affected. A liability limitation with a maximum amount instead of a total exclusion is more common and reliable.
For most automation in SMEs, it is not an explicit legal requirement, but an effective demonstration of due diligence. A documented escalation model shows in case of dispute that critical decisions were made by a human.
The EU AI Act primarily regulates supervisory obligations depending on risk class, not the civil liability itself. Most automation in SMEs falls into a low-risk class, as our article on the EU AI Act for SMEs classifies it.
NordFlux builds digital employees for organisations: automations and AI agents that take over repetitive work. You stay in control.
The EU AI Act applies in stages. Here is what small and mid-sized companies need to know, which obligations kick in, and why panic is the wrong advisor.
In a free initial analysis we discuss your case directly. No strings attached.