
Board liability and AI: what you personally remain responsible for even without knowing every system detail

The EU AI Act addresses companies. Through Austrian company and supervisory law, however, AI governance becomes an organisational duty of the management board.

The legal starting point

The Austrian Stock Corporation Act requires board members to apply the care of a diligent and conscientious manager. For banks, Section 39 BWG adds the duty of proper business organisation. These rules form the basis for organisational failure having personal consequences.

If an AI system is operated without sufficient governance and damage results, civil-law, supervisory-law and insurance-law questions can arise. Concrete liability always depends on the individual case and should be legally assessed.

Three liability dimensions

Regulatory sanctions

For high-risk AI systems of supervised financial institutions, the FMA is relevant as a market surveillance authority under the AI Act. Existing supervisory regimes such as BWG, VAG, DORA and GDPR also continue to apply.

Civil liability for damages

AI systems without documented governance, without risk assessment and without appropriate human-oversight structures can affect the diligence standard of a proper manager. Damage from AI misdecisions may lead to claims against the company and internal recourse questions.

D&O coverage risk

D&O insurance does not cover breaches of duty without limit. Exclusions may become relevant in cases of intentional or grossly negligent breaches. This is precisely why documented, traceable governance is important.

Four liability levels

Level / Risk

Corporate fines: The EU AI Act provides tiered sanctions of up to EUR 35 million or 7 percent of global annual turnover.
Personal organ liability: Through Section 84 AktG, Section 25 GmbHG and sectoral organisational duties, missing AI governance can become a duty-of-care issue.
Organisation and oversight duty: Boards and managing directors must create appropriate structures, monitor them and react to deviations.
Internal liability: Where a culpable breach of duty causes damage, recourse questions against organ members may arise.

The strategic consequence: documented governance is not only a regulatory duty, but also personal liability protection. An institution that documents inventory, roles, controls, escalation and management reviews stands in a different risk position than one that does not actively monitor AI use.

The "we did not know" problem

A common misunderstanding is: "We did not know that this system contains AI." As a control concept, that argument does not hold. Deployer duties assume that the institution knows, classifies and documents the AI systems it uses. Not knowing about vendor AI is therefore a governance risk and argues for a structured AI inventory.

CSRD / ESRS: responsibility for reportable bias risks

If AI bias leads to material social impacts, discrimination cases or governance risks, this can also become relevant for CSRD / ESRS reporting. For management bodies, the key issue is not only technical AI compliance, but also whether policies, controls, due-diligence processes, incidents and measures can be reported and audited clearly.

Criminal-law questions must be assessed case by case

Where required governance measures are knowingly omitted, criminal-law aspects may need to be reviewed in addition to supervisory and civil-law questions. Such questions should not be assessed in general terms, but always through specialised legal advice on the concrete facts.

Would you like to know where your institution stands on AI governance?

A structured status check clarifies the current state and the measures that should be prioritised.

Notice: This page is for general information only and does not constitute legal advice. Legal questions are coordinated with specialised lawyers where needed.