Who Is Liable When AI Makes a Mistake? Legal Vacuum, EU Regulation and What It Means for Serbian Companies
Imagine the following situation: a software company implements an AI system that automatically assesses clients’ creditworthiness. The algorithm makes a mistake – it wrongly rejects a fully creditworthy applicant and causes real damage. The question is simple: who is liable? The answer – within the current legal framework – is still far from clear.
Problem
Why Existing Law Fails
This is perhaps the most important open question in AI law today. Traditional liability rules – both in Serbian and in European law – start from a simple logic: the person who causes damage is liable, unless they prove they were not at fault. For AI systems, this model breaks down on three levels.
- First, there is the problem of the liability chain. Between the developer who built the model, the company that implemented it, and the end user, everyone is pointing at someone else. There is no clear point where liability starts and ends.
- Second, there is the problem of causation. To obtain compensation, the injured party must prove a causal link between an act and the damage. For AI “black boxes” – systems that make decisions based on millions of parameters – this is practically impossible without access to technical documentation.
- Third, there is the problem of transparency. Why did the algorithm reach a specific decision? Answering this question requires insight into the system itself – something developers rarely share voluntarily. This is precisely why the European approach insists on documentation, logs and explainability, at least for high-risk systems – because without that there can be neither meaningful liability nor effective protection of victims.
The Core Issue
Serbia’s Law on Obligations is still the main basis for damages claims in this area – but it certainly did not have AI in mind back in 1978. Under fault-based liability, the injured party must prove the fault of a specific person. This is structurally incompatible with the way AI systems function.
This does not mean that the Law on Obligations cannot be applied to AI disputes, but in practice, the burden of proving fault and causation becomes almost insurmountable for the injured party, especially without access to technical documentation and code. There have also been attempts to fit AI into strict liability regimes (for example, as a dangerous thing or a dangerous activity), but Serbian case law in this area is practically non-existent at this point.
EU Regulation
What Is Happening at EU Level – and Why It Matters Directly
The EU AI Act (Regulation 2024/1689) has been in force since August 2024. This law introduces a risk-based hierarchy: from prohibited AI systems (for example, mass biometric surveillance) to high-risk systems (autonomous vehicles, medical diagnostics, credit scoring) and limited-risk systems (chatbots). In addition, there is a category of minimal-risk systems (for example spam filters) that are practically free from specific obligations. For high-risk systems, obligations fully apply as of August 2026.
However, the AI Act is primarily a regulatory instrument – it tells you what you may and may not do, under which conditions and with what documentation. It does not directly answer the question of who pays compensation to the victim.
To address that, the EU proposed a separate AI Liability Directive (AILD) in 2022. In February 2025 the European Commission withdrew the AILD proposal from its work programme, citing industry pressure, the need to simplify the rules and a lack of consensus, but it left the door open to propose a new model of AI liability in the future. The European Parliament nevertheless continues to work on this issue – in the committees dealing with justice and the internal market there is an ongoing political struggle to keep AI liability rules on the table, with views that the directive in its current form may be premature, but that the topic itself is neither redundant nor closed.
Why This Matters for Serbia
Serbia currently has no dedicated AI law. Experience with the GDPR clearly shows the pattern: the Serbian Data Protection Act largely follows EU regulation. It is therefore highly likely that the EU AI Act will shape the future Serbian Artificial Intelligence Act, which means that companies already aligning with EU standards are building both a competitive edge and a legal advantage.
Even today, companies that introduce high-risk AI systems can hardly avoid conducting a data protection impact assessment (DPIA) and aligning with the domestic rules on profiling and automated decision-making. In addition, sector-specific regulations – in banking, healthcare and transport – already impose constraints and standards for automated decision-making.
Practical Angle
Three Scenarios Already Happening
The legal vacuum is not theoretical. Here are three situations in which Serbian companies can already find themselves today – without a clear and predictable legal answer:
- AI Hallucination in Service Delivery
A legal chatbot or automated advisory system gives a client wrong legal advice. Damage occurs. Who is liable: the company that developed the system, or the one that implemented it in its service? In practice, the contractual relationship between the firm and the client will usually be the natural basis for a claim – the client will go after the party they have a contract with – but the liability chain and recourse against the developer remain unclear and depend on specific contractual clauses between the firm and the vendor.
- Automated Credit Scoring
A bank or fintech company uses AI for risk assessment. The system discriminates against a group of clients due to a biased training dataset. Credit scoring is explicitly recognised as a high-risk use case under the EU AI Act logic and requires specific documentation, oversight and anti-discrimination measures. Under current Serbian law, however, liability remains unclear, especially when it comes to proving discrimination, causation and identifying who in the chain actually made the mistake.
- Medical Diagnostics and Autonomous Vehicles
An AI system in medical diagnostics makes an error and the doctor bases their decision on the system’s incorrect recommendation. Who bears liability – the doctor, the hospital, or the developer? The same principle applies to autonomous vehicles: damage occurs, but the root cause lies deep in the system architecture and the data used. In practice, we will increasingly see models of “shared liability” between the doctor, the hospital, the device manufacturer, the software developer and insurers – but clear rules in our jurisdiction still need to be developed through legislation and case law.
One way to look at each scenario is through three simple questions:
- Who has a contract with the injured party?
- Who controls the AI system at the time of the decision?
- Who has access to the documentation needed to prove the error?
Recommendations
What Should Companies Do Now?
Waiting for the legislator is not a strategy. Companies that are implementing or developing AI systems today can – and should – take the following steps:
- Map all AI systems in use and assess which risk category they fall under based on the EU AI Act logic – not only the “AI products” they develop in-house, but also AI features integrated into CRM, HR tools, cloud services and other existing software.
- Establish internal policies and documentation for AI usage – who is allowed to use what, in which processes, under which controls and with what internal approval.
- Review contracts with AI solution providers – who bears liability if the system makes a mistake? Contracts should explicitly address responsibility for model accuracy and updates, duties to cooperate in incidents, access to logs and technical documentation, as well as limitations of liability and insurance.
- Introduce oversight mechanisms over AI decisions, especially in high-risk domains – from human-in-the-loop review to periodic model audits and performance monitoring, including bias and discrimination.
- Monitor the development of Serbian AI legislation and be ready to harmonise quickly – because “soft alignment” with EU standards will, at some point, rapidly turn into a formal obligation.
For companies targeting investors or a potential exit, alignment with the AI Act logic is already becoming a key element of legal and technology due diligence, much like GDPR and information security.
Conclusion
The legal vacuum in AI liability is real and ongoing. But that does not mean companies are out of options. Strategic alignment with the EU AI Act logic today is not only a matter of legal prudence – it is an investment in client trust, access to the EU market and long-term legal certainty. Law follows technology more slowly than we would like, but it always catches up in the end – the only question is whether companies will meet that moment prepared or caught off guard.
