By Dr Jose Ramirez
The promise of U-space is elegantly simple: a digital ecosystem capable of managing drone traffic safely, efficiently, and at scale. The reality, however, is that the regulatory architecture underpinning U-space contains a major blind spot.
While Implementing Regulation (EU) 2021/664 defines services, certification requirements, operational procedures, and data-sharing obligations, it remains remarkably silent on one critical question: what happens when something goes wrong?
When a drone operating in U-space airspace causes damage to persons or property on the ground (or collides with a manned aircraft) who bears legal responsibility? The operator? The manufacturer? The U-space Service Provider (USSP) that authorised the flight? The state that designated the airspace?
At present, there is no clear European answer.
What exists instead is an essentially casuistic landscape where liability outcomes depend on: the factual circumstances of the incident; the combination of actors involved; the jurisdiction where the damage occurs; the contractual arrangements in place; and the national tort law applicable to the dispute.
There is no predictable harmonised rule, only case-by-case outcomes.
And that uncertainty is not merely academic. It is becoming a structural obstacle to legal predictability, investment, insurance underwriting, and the scaling of autonomous commercial drone operations across Europe.
A digital traffic system without a liability map
Article 15(1)(j) of Regulation (EU) 2021/664 merely requires U-space Service Providers (USSPs) to maintain arrangements “specifying the allocation of liability.”
In practice, this delegates a critical regulatory issue to private contractual negotiation, creating a fragmented legal environment where outcomes depend largely on national tort law rather than on a coherent European liability framework.
The contractual battle: SLAs as liability shields
Delegating liability allocation to private contracts creates a structural power imbalance waiting to happen.
To access U-space airspace, operators will need to contract with certified USSPs and accept their Service Level Agreements (SLAs). Technology companies routinely use SLAs to: cap liability exposure; exclude consequential damages, and impose indemnification obligations on customers.
There is little reason to expect USSPs to behave differently.
An operator needing access to digital airspace may ultimately face a simple commercial reality: accept the USSP’s liability terms or do not fly.
As a result, liability risk may progressively flow downward from digital infrastructure providers to operators regardless of where the actual fault lies.
When six different actors may be responsible
Consider a plausible near-future scenario.
An autonomous delivery drone suffers a GPS spoofing event, deviates from its authorised trajectory, and strikes a pedestrian, and causes bodily injury. The USSP’s monitoring system fails to detect the deviation in time, while the drone’s detect-and-avoid software does not trigger an emergency landing.
In a single incident, at least six different actors could face liability exposure.
The first actor in question is the operator. Under Regulation (EU) 2019/947, the operator remains responsible for operational compliance and risk assessment. In many Member States, operators already face strict or near-strict liability for surface damage caused by aircraft, a form of objective liability based on operational risk rather than fault. Some Member States, such as Italy, already apply aviation liability regimes operating as a lex specialis alongside the broader EU framework.
Then is the remote pilot. As autonomy increases, the traditional concept of “pilot error” becomes progressively less coherent. When an autonomous drone makes an algorithmic decision in milliseconds (for example, deviating to avoid a collision) liability may shift away from human negligence toward software reliability and system design.
The third actor is the manufacturer. Under the revised Product Liability Directive (EU) 2024/2853, liability will increasingly extend beyond hardware defects to: software; AI Systems; cybersecurity vulnerabilities; and and firmware updates introducing operational defects.
The fourth actor is the USSP. As a digital infrastructure provider authorising and managing operations, the USSP could face claims linked to the accuracy and reliability of its services. Yet there is currently no specific European liability framework governing USSP responsibility, meaning national tort law will apply differently across jurisdictions.
Then there is the CISP. The Common Information Service Provider (CISP) may face upstream liability where inaccurate or delayed information contributes to an incident.
The sixth, and final, actor is the State. In exceptional circumstances, Member States themselves could face liability claims where U-space designation or regulatory oversight was manifestly deficient in situations involving culpa in vigilando (failures of supervision) or culpa in eligendo (defective selection and certification processes).
The digital black box problem
Determining liability among these actors requires evidence. And this is where U-space introduces an entirely new challenge, not only regarding what evidence exists, but also regarding onus probandi: who bears the burden of proof, and how can they discharge it within a digital ecosystem where operational data is distributed across multiple actors, systems, and jurisdictions?
Traditional aviation relies on established evidentiary tools such as flight data recorders and cockpit voice recorders. U-space currently has no equivalent framework.
In a fully digital ecosystem where the drone, the USSP, the CISP, and the ANSP exchange data continuously in real time, determining whether fault originated in: the drone’s software; the USSP’s traffic information feed; or the broader data infrastructure requires access to complete, reliable, and tamper-proof records.
Who captures this data? Who stores it? In which jurisdiction? Who guarantees its integrity?
These questions remain largely unanswered.
Without standardised frameworks for digital flight recording and forensic data preservation (whether through cloud-based systems, distributed ledgers, or mandatory retention obligations) courts will struggle to establish causation.
And without causation, liability allocation becomes guesswork, potentially producing outcomes that are legally defensible yet materially unjust.
The development of “digital black boxes” for U-space is not a luxury. It is a prerequisite for any functioning liability regime.
The cross-border problem
The complexity multiplies when incidents involve cross-border operations, precisely the type of operations the European drone market is designed to facilitate.
Under the Rome II Regulation (EC No 864/2007), the general rule is that the applicable law is the law of the country where the damage occurs (lex loci damni).
For product liability claims, Rome II establishes a more complex cascade connecting: the injured party’s habitual residence; the place where the product was acquired; and the place where the damage occurred.
These rules were designed for physical products crossing borders and for the protection of consumers within traditional commercial chains, not for interconnected digital aviation ecosystems operating through distributed infrastructure.
As cross-border drone corridors become operational across Europe, these questions will require increasingly practical answers.
The governance gap – infrastructure without institutional accountability
One of the most striking aspects of U-space is that Europe is progressively building a continent-wide digital airspace infrastructure without yet establishing a corresponding institutional accountability architecture.
Traditional air traffic management evolved around clearly identifiable public actors: air navigation service providers, aviation authorities, certified airports, and internationally harmonised liability conventions. Responsibilities, while complex, were at least institutionally recognisable.
U-space changes that model fundamentally.
The future U-space ecosystem will rely increasingly on distributed digital infrastructure operated by: private USSPs; cloud-service providers; software developers; AI-driven decision Systems; telecommunications networks; and data aggregation platforms.
At the same time, the legal framework governing accountability within this ecosystem remains fragmented.
This creates a structural governance paradox. Europe is developing one of the world’s most technologically ambitious drone traffic-management systems while leaving core questions of accountability largely unresolved.
The deeper issue is whether the current framework adequately defines who bears systemic responsibility for maintaining the integrity and resilience of the U-space ecosystem itself.
As drone operations become increasingly autonomous and dependent on interconnected digital infrastructure, liability questions will inevitably evolve into broader governance questions: Who supervises the supervisors? Who audits the algorithms? Who guarantees data integrity across interconnected systems? And who ultimately bears responsibility when multiple individually compliant systems collectively fail?
These questions extend beyond traditional aviation liability. They concern the governance architecture of Europe’s future digital airspace itself.
The insurance market is not ready
The insurance implications are enormous.
Traditional aviation insurance models rely on relatively clear chains of operational control. U-space introduces a fragmented ecosystem involving operators, software providers, USSPs, CISPs, and autonomous systems.
Because liability allocation remains uncertain, insurers struggle to price these risks accurately.
This legal uncertainty makes autonomous drone operations harder to insure, finance, and scale commercially, ultimately slowing investment and delaying integration into urban mobility networks.
Lessons from real incidents
The consequences of regulatory ambiguity are not theoretical.
The Gatwick Airport drone incident of December 2018 remains one of the clearest illustrations. Reported drone sightings triggered a 36-hour airport shutdown affecting more than 140,000 passengers and generating estimated losses exceeding UKP50 million.
Nevertheless, no operator was ever identified, no prosecution was ultimately brought, and the economic losses largely remained where they fell.
The damage effectively spoke for itself (res ipsa loquitur), identifying the liable party, however, remained practically impossible.
The incident exposed not only the vulnerability of critical infrastructure to drone activity, but also the absence of clear liability pathways when drone-related disruption occurs.
More recently, EASA’s Annual Safety Review 2025 confirmed multiple occurrences involving drones and manned aircraft, including airprox events involving commercial aviation.
The reporting infrastructure is improving faster than the liability infrastructure.
The regulatory convergence ahead
Three major developments are now converging in ways that will reshape drone liability over the coming years.
First, the revised Product Liability Directive (EU) 2024/2853 significantly expands manufacturers’ exposure to strict liability (that is, objective liability independent of fault), including liability linked to software, AI systems, and cybersecurity vulnerabilities.
Second, broader European AI governance trends are moving toward enhanced evidentiary and accountability requirements for algorithmic decision-making systems.
Third, the practical rollout of U-space itself will inevitably generate litigation, regulatory practice, and case law filling today’s legal gaps.
The absence of a clear institutional accountability framework also raises a more fundamental question about regulatory coherence. Europe has invested heavily in building the technical and operational layers of U-space (services, certification, data exchange protocols) but has still not matched that investment with an equivalent governance architecture capable of assigning systemic responsibility when the infrastructure itself fails.
This is not merely a legal gap. It is an architectural failure. And as the ecosystem grows in complexity and autonomy, the cost of leaving it unresolved will grow proportionally, measured not only in litigation and compensation, but in the erosion of public and institutional trust in the safety of automated airspace.
As commercial drone traffic scales upward, these liability questions will inevitably generate practical disputes.
What the industry needs now
The industry cannot wait for perfect legislative harmonisation. Operators, manufacturers, USSPs, insurers, and investors need greater legal clarity now.
EASA or the European Commission should issue guidance (even non-binding) on liability allocation between operators, USSPs, CISPs, and manufacturers in order to establish common market expectations.
The insurance sector also needs standardised U-space risk categories reflecting the operational realities of automated drone ecosystems.
And industry participants themselves must recognise that liability clarity is not an obstacle to growth, it is a prerequisite for it. Legal uncertainty does not create flexibility. It creates hesitation.
Conclusion
U-space represents one of the most ambitious airspace modernisation projects in aviation history. Its operational potential is enormous. Its applications in logistics, infrastructure inspection, emergency response, and urban mobility are genuinely transformative. But until Europe develops a clearer and more coherent framework governing liability when things go wrong, the full economic potential of U-space will remain constrained.
The question is not whether a serious U-space incident will eventually occur. The question is whether the legal framework will be ready when it does. Today, the European framework is still unprepared.
Dr. Jose Ramirez is a Spanish aviation and corporate lawyer with 28 years of legal practice and member of the Madrid Bar Association (ICAM). He holds an MBA from ESADE, a Master in Aviation Management, a PhD in Airport Marketing, and is currently a doctoral researcher in EU aviation competition law. He advises internationally on cross-border aviation matters, drone regulation, liability frameworks, and European aerospace law.
He can be reached at jose.ramirez@icam.es
(Image: Shutterstock)