Principals, agents, and principals agents

The legal architecture of European commercial exchange is organised around identifiable parties. A merchant extends an offer; a consumer accepts it; an intermediary, where present, operates under authority delegated by one of those parties and is accountable to that party for the exercise of that authority. This structure, embedded in the agency provisions of Member State private law, reflected in the EU's harmonisation instruments, and reproduced in the assumptions underlying the Consumer Rights Directive and the Digital Services Act, rests on a bilateral model of relational accountability. Each party in a chain of commercial dealings can, in principle, be traced to a human legal person who authorised the acts attributed to that party.

Agentic commerce platforms alter this structure at its foundation. The term "agentic commerce" refers, in this paper, to commercial systems in which an algorithmic intermediary, operating on the basis of a trained model or a rule-set established at design time, takes operative commercial decisions at runtime without contemporaneous human review or authorisation. Such systems set prices dynamically, select among available counterparties, initiate order placement, and, in the most advanced deployments, form contracts on behalf of end-users across networks of merchant APIs. The algorithmic intermediary in these systems is not a passive conduit that transmits instructions already formed by a human principal. It is a decision-making node that generates the instruction itself.

EU law's existing responses to digital intermediation were constructed in a prior technological moment. The E-Commerce Directive, the Consumer Rights Directive, and the earlier Platform-to-Business Regulation address platforms that host, rank, or display offers prepared by human sellers. The Digital Services Act extends that framework to systemic risks at platform scale. The AI Act introduces a provider-deployer distinction for AI systems. The revised Product Liability Directive broadens the definition of product to include software. None of these instruments was designed, or has been judicially interpreted, against the specific case in which the intermediary's algorithm is the operative principal of the commercial transaction, forming binding commitments whose precise terms were not specified by any human at the time of formation.

The doctrinal consequence is a triadic structure that existing bilateral categories cannot resolve cleanly. There is the consumer (the counterparty seeking a product or service), the merchant (who supplies the underlying good or service and may have delegated purchasing authority to an agentic system), and the algorithmic intermediary (which exercises that authority, or purports to do so, according to objectives set at training or deployment time). Liability questions, consent conditions, and withdrawal rights all depend on which of these nodes bears which legal status, and that question does not yet have a settled answer in EU doctrine.

This paper addresses that gap through doctrinal comparative analysis. It draws on the Lateral Exchange Market (LEM) typology developed by Perren and Kozinets [3] to classify the intermediation roles that agentic platforms occupy, on the principal-agent economic framework formalised by Laffont and Martimort [1] to characterise information-asymmetry dynamics, and on close reading of EU primary and secondary legislation, together with the scholarly literature on algorithmic regulation [5][6][8], to map where existing doctrine applies and where it fails.

The paper is structured as follows. The motivation section grounds the urgency of the analysis in current regulatory pressure and documented harms. The related work section reviews the economic and legal antecedents. The methodology section explains the doctrinal-comparative method and the case-selection rationale. The results section maps the alignment and failure points systematically. The discussion section argues the structural mechanism of doctrinal failure. The conclusion proposes the doctrinal repair most consistent with the existing EU legislative architecture.

The motivation for this analysis is not merely theoretical. Three convergent pressures make the doctrinal gap described above an immediate regulatory and commercial problem.

Regulatory layering without coherent integration. The EU's legislative response to algorithmic commerce has proceeded instrument by instrument, across different DGs, with different scope definitions, different accountability subjects, and different enforcement architectures. The Digital Markets Act addresses gatekeeper platforms; the Digital Services Act addresses online intermediary services and very large online platforms; the AI Act addresses AI system providers and deployers; the revised Product Liability Directive addresses manufacturers of defective products including software. Each instrument addresses a real regulatory concern. None of them was drafted with the explicit task of locating liability within the specific triadic structure of agentic commerce. The result is an overlapping but incomplete coverage pattern in which the identity of the accountable party differs depending on which instrument is applied. A consumer harmed by an algorithmically formed contract may find that DSA enforcement addresses the platform's systemic risk posture, that AI Act obligations attach to the system's developer, that product liability attaches to no party because the harm is economic rather than physical, and that contract law attribution depends on which Member State's private law governs the transaction.

The EU's experimentalist governance architecture, described by Sabel and Zeitlin [2] as a structure of framework goals combined with delegated national implementation and peer-review accountability, amplifies this problem. That architecture is designed to produce adaptive, context-sensitive regulation. Applied to agentic commerce, it produces enforcement inconsistency: national competent authorities, operating under different transpositions of the same directives, reach different attribution outcomes when the same algorithmic platform causes equivalent consumer harm in different Member States.

The pace of agentic deployment. Research on agentic systems in FinTech [7] documents that agentic AI is already deployed in credit decisioning, robo-advisory, automated portfolio management, and personalised insurance pricing. The shift from algorithm-assisted to algorithm-autonomous decision-making is occurring within existing regulatory frameworks that were not designed for it. The legal categories that govern these deployments, including the MiFID II suitability assessment and the GDPR Article 22 prohibition on solely automated decisions with legal effect, were written for systems in which a human reviews the output before it becomes a binding act. Agentic systems that act directly and irreversibly compress the window in which those requirements would operate.

Documented information asymmetry and consumer harm. The core economic mechanism of principal-agent failure, information asymmetry between principal and agent [1], is reproduced and intensified in algorithmic systems. As Lendvai and Gosztonyi [6] document, algorithmic opacity prevents consumers and regulators from observing the decision rules an agentic system applies, making post-hoc attribution of harm to a specific design choice technically and legally difficult. Where the consumer cannot observe the agent's decision-making process, the remedial doctrines that depend on proving agent misconduct, including breach of fiduciary duty, acting outside authority, and failure to act in the principal's best interest, become practically unavailable even when they would formally apply.

Economic foundations. The principal-agent model in its formal economic version, systematised by Laffont and Martimort [1], characterises the relationship between a principal who delegates a task and an agent whose effort and information the principal cannot directly observe. The central result of the framework is that information asymmetry between principal and agent forces the principal to design an incentive-compatible contract that elicits desirable agent behaviour through contingent reward rather than direct monitoring. The welfare consequence is a second-best allocation: the agent receives an information rent, and the level of the delegated activity falls below the first-best quantity. Laffont and Martimort establish this through a series of propositions showing that the constrained optimal quantity under hidden information is strictly less than the socially efficient quantity, a result that holds across the adverse-selection and moral-hazard variants of the model. This framework presupposes a dyad: one principal, one agent, a single dimension of private information. Extensions to multi-principal and multi-agent settings exist in the theoretical literature, but they have not been systematically imported into EU legal doctrine.

The conceptual vocabulary of agency costs, residual claimancy, and monitoring that EU corporate law and financial regulation employ in governance provisions is traceable to the economics literature on the firm developed during the 1970s and 1980s; however, documenting the specific doctrinal channel through which that vocabulary entered EU secondary legislation falls outside the corpus available to this paper, and this analysis therefore proceeds from the vocabulary as it appears in the enacted instruments rather than reconstructing the intellectual genealogy.

EU legal instantiation. EU contract law does not have a unified agency statute; agency is governed by Member State private law, with harmonisation achieved through instruments addressing specific sectors, including commercial agents (Directive 86/653/EEC), financial intermediaries (MiFID II), and insurance distribution (IDD). The Common European Sales Law (CESL), withdrawn by the Commission in 2014 before enactment, had articulated a framework in which contractual authority could be inferred from conduct and representations, tracking common law apparent authority doctrine. The withdrawal of the CESL means that courts are unlikely to treat its provisions as persuasive authority, and the doctrinal weight of that framework is accordingly lower than a stalled or deferred draft would carry. The EU's acquis in consumer protection assumes a binary structure: the trader, who bears disclosure and transparency obligations, and the consumer, who is owed those obligations. Intermediaries are addressed as conduits, not as independent decision-makers.

Digital intermediation and the platform turn. The emergence of platform markets prompted a first wave of doctrinal stress-testing. Perren and Kozinets [3] provide the most analytically useful typology for this paper's purposes. Their Lateral Exchange Market framework identifies four ideal types: Forums (platforms that facilitate information sharing), Enablers (platforms that reduce transaction costs without shaping the transaction), Matchmakers (platforms that actively select and pair counterparties), and Hubs (platforms that govern the terms of exchange, effectively setting the parameters within which transactions occur). Forum and Enabler types fit comfortably within the EU's passive-intermediary category and attract the liability exemptions in the E-Commerce Directive and DSA. Matchmaker and Hub types do not, because the platform's algorithmic decisions substantively determine the transaction's terms.

Mehra's analysis of robo-sellers in antitrust [5] demonstrates that algorithmic pricing systems can achieve outcomes functionally equivalent to collusion without any communicative act between competitors, exposing a gap between competition law doctrine, which requires an agreement or concerted practice, and the observable market harm. This is structurally similar to the liability-attribution problem in agentic commerce, with the critical difference that competition law's gap concerns the absence of a bilateral act between competitors, whereas the agency-law gap concerns the absence of a contemporaneous human instruction within a single commercial relationship. In both cases the legal category requires an act traceable to an identifiable agent, but the algorithmic system's conduct is emergent from a trained model rather than traceable to a specific instruction.

Prior critiques and this paper's contribution. Prior scholarship has addressed algorithmic intermediation primarily through competition law [5], non-discrimination and bias [6][8], and financial regulation [7]. The specific question of how EU contract law's agency categories apply to agentic systems that form contracts at runtime, and whether the AI Act's provider-deployer distinction maps coherently onto the principal-agent distinction, has not been systematically analysed. This paper provides that analysis, using the LEM typology as the classification instrument and the information-asymmetry framework from Laffont and Martimort [1] as the mechanism for explaining doctrinal failure.

This paper employs doctrinal comparative analysis as its primary method. The method consists of three sequential operations: (1) identifying the legal categories and tests that EU law and Member State private law apply to the attribution of contractual authority, consumer protection obligations, and civil liability; (2) specifying the structural properties of agentic commerce platforms that are legally material under those categories and tests; and (3) applying the categories to the structural properties to determine classification outcomes, with particular attention to cases of indeterminate, contradictory, or jurisdiction-dependent outcomes.

Legal materials examined. The primary legal materials are EU secondary legislation: the Digital Services Act, the AI Act, the Consumer Rights Directive, the E-Commerce Directive, the revised Product Liability Directive, and the Commercial Agents Directive (86/653/EEC). These are read against the CESL draft provisions on agent authority and the acquis harmonisation principles developed by the Study Group on a European Civil Code. CJEU case law on agency, apparent authority, and trader-consumer classification is reviewed where relevant, although the absence of agentic-commerce-specific adjudication means that analogical reasoning from adjacent domains is required. The GDPR Article 22 provisions on automated decision-making provide an automated-decision accountability baseline. The AI Act contributes two distinct layers of obligation: Article 6, which governs the classification of AI systems as high-risk and thereby triggers the full suite of obligations in Chapter III, and Article 13, which imposes transparency and information-provision requirements on providers and deployers of high-risk systems. These two articles are read together as the AI Act's disclosure and accountability architecture, with Article 6 as the threshold condition and Article 13 as the substantive obligation once that threshold is met.

The LEM typology as classification instrument. The Lateral Exchange Market typology [3] is adopted as the classification instrument for platform intermediation roles because it is the most structurally differentiated typology in the existing literature and because its four types (Forum, Enabler, Matchmaker, Hub) map onto legally significant distinctions: whether the platform shapes the transaction's terms, whether it selects the counterparty, and whether it governs the ongoing relationship. These are precisely the distinctions on which EU doctrine's passive-intermediary exemption, DSA active-platform standard, and AI Act deployment classification turn.

Principal-agent framework as the mechanism model. The economic framework from Laffont and Martimort [1] is used to characterise the information structure of each LEM type, setting aside equilibrium prediction as an objective. The analysis asks, for each type: who holds private information about decision rules, what form does the information asymmetry take, and which legal instruments, if any, impose obligations that would correct or compensate for that asymmetry. This generates a structured comparison across LEM types rather than a case-by-case narrative.

Assumptions and scope conditions. The analysis assumes that the agentic platform is EU-domiciled or that its services are directed to EU consumers, bringing it within the territorial scope of the DSA, the AI Act, and the Consumer Rights Directive. It assumes that the algorithmic intermediary exercises substantive commercial discretion at runtime, meaning that it generates the operative commercial decision rather than executing pre-specified human instructions in a fully determined sequence. Cases in which the algorithm functions as a rule-based automation of a fully specified human decision are treated as outside the scope of the analysis, because existing doctrine is adequate to those cases. The analysis does not model the algorithm's internal architecture or assess its engineering properties; it treats the algorithm as a black box whose inputs and outputs are legally observable but whose decision process is not.

Case selection. The analysis proceeds through the four LEM types in sequence, treating each as an ideal type against which concrete platforms can be measured. Representative commercial configurations for each type are described at the level of structural properties (degree of counterparty selection, degree of price governance, degree of contract initiation) rather than by reference to specific named platforms, because the doctrinal analysis does not depend on the identity of specific operators.

The application of EU legal categories to the four LEM platform types yields differentiated outcomes. Forum and Enabler types fall broadly within existing doctrine. Matchmaker and Hub types generate systematic doctrinal failure across the dimensions of liability attribution, consent validity, and remedial access.

Forum platforms. A Forum platform provides infrastructure for information exchange between users who retain full decisional autonomy over the commercial acts they undertake. The platform operator neither selects counterparties nor determines transaction terms. Under the DSA's hosting-liability framework, the Forum operator is a passive intermediary exempt from liability for user-generated content absent actual knowledge of illegality. Under Member State agency law, the platform has no agency relationship with any user: it acts neither as agent for the buyer nor as agent for the seller. This doctrinal outcome is internally coherent. The Forum type creates no principal-agent problem of the kind this paper addresses because the platform does not exercise delegated commercial authority.

Enabler platforms. An Enabler platform reduces transaction costs by providing infrastructure that facilitates exchanges (payment processing, escrow, logistics coordination) without controlling the terms of the exchange itself. The operator's legal position is that of a service provider to both parties, not an agent of either. Consumer protection obligations attach to the Enabler to the extent that it provides a consumer-facing service, but it does not bear warranty or withdrawal obligations in respect of the underlying product because it is not the trader. This classification is stable under the Consumer Rights Directive's definition of trader and under the DSA's intermediary-service framework. Algorithmic optimisation within the Enabler's infrastructure, for example, routing decisions that minimise delivery time, does not alter this classification because the algorithm does not affect the contractual terms between buyer and seller.

Matchmaker platforms. A Matchmaker platform actively selects and pairs counterparties. The algorithm that makes the match determines which seller's offer is presented to which consumer and under what conditions. This selection function has direct legal significance for three reasons.

First, it engages DSA transparency obligations. A platform that takes an active role in presenting offers and optimising for transaction completion is not a passive host under the DSA; its recommender systems are subject to the transparency obligations in DSA Articles 27 and 38. Those provisions address the platform's disclosure of the principal parameters of its recommender logic and the consumer's right to opt for alternatives. It is important to note a framing tension here that the analysis must acknowledge directly. The introduction and methodology sections of this paper describe the DSA as an instrument designed for systemic risk at platform scale, not calibrated to the specific case of an algorithm that functions as an operative principal of individual transactions. That characterisation remains accurate. DSA Articles 27 and 38 address recommender-system transparency as a systemic governance requirement, not as a transaction-level authority-attribution mechanism. Invoking these provisions as a doctrinal fit for Matchmaker platforms therefore represents a partial rather than a complete alignment: the DSA supplies a transparency obligation, but that obligation operates at the system level and does not resolve the question of liability attribution for individual algorithmically formed transactions. For Very Large Online Platforms, DSA Article 37 further requires independent audits of compliance with the Act's obligations in their entirety, including recommender-system obligations; the audit provision is general in scope and covers recommender-system conduct as one element of the broader VLOP compliance posture rather than as a recommender-specific audit obligation.

Second, the matching algorithm's selection of a counterparty raises the question of apparent authority. If the algorithm presents a specific seller's offer to a specific consumer in a manner that a reasonable consumer would interpret as the platform endorsing or authorising that offer, the platform may have created apparent authority for the seller under Member State agency law. Whether this apparent authority is grounded in EU doctrine depends on which Member State's law governs and on whether national courts have extended apparent authority doctrine to algorithmic conduct. The CESL provisions, though withdrawn, had suggested that authority could arise from conduct that reasonably induces reliance; an algorithmic recommendation that produces a contractual commitment plausibly satisfies this standard, but the withdrawal of the CESL reduces the persuasive weight of that framing, and no EU court has so held.

Third, where the Matchmaker platform's algorithm fails, for example by recommending a fraudulent seller or a product that does not meet the described specifications, liability attribution is contested. The consumer's claim runs against the seller as the contracting trader, but the practical recovery path may run against the platform if the seller is unlocatable or under-capitalised. EU law provides no general principle of platform liability for Matchmaker-type algorithm failures. The DSA removes the general monitoring obligation and the general liability for hosted content; no instrument imposes a specific liability for algorithmic mismatch. The resulting gap is a concrete remedial failure: the consumer has a right but lacks an accessible obligor.

Hub platforms. A Hub platform governs the terms of exchange. Its algorithm sets prices, allocates counterparty access on a preferential or exclusionary basis, and may initiate contractual commitments on behalf of users who have granted standing authority. The Hub type represents the full agentic configuration in which doctrinal failure is most acute.

The liability-attribution failure in the Hub type takes three forms. The first is the authority question. The algorithm that initiates a contract purportedly under standing authority from a user is acting as an agent of that user. Member State agency law requires that an agent act within the scope of authority actually or apparently granted. Where the standing authority was granted through standard-form platform terms that few users read, the authority's scope is poorly defined. Where the algorithm acts outside that poorly defined scope, the standard legal analysis would render the contract voidable at the user's election. But this analysis depends on the user being able to identify that the algorithm acted outside its authority, which requires transparency about the algorithm's decision rules that current EU instruments do not consistently mandate at transaction level.

The second form is the AI Act's provider-deployer gap. The AI Act distinguishes between the provider of an AI system (who bears obligations to design a compliant system) and the deployer (who bears obligations for use in a specific context). In a Hub platform configuration, the deployer may be the platform operator, the merchant who has integrated the platform into its commercial infrastructure, or both. The Act's obligation structure does not resolve the question of which party bears contractual authority for the transactions the system initiates; it addresses safety and transparency, not civil liability for commercial acts.

The third form is the remedial access failure. The Consumer Rights Directive grants a consumer the right of withdrawal from a distance contract within fourteen days. That right presupposes that the consumer knows a contract was formed, knows its terms, and can identify the trader against whom the right is exercised. Where a Hub platform's algorithm forms a contract without contemporaneous user review, the consumer may not know that a binding commitment has been made until fulfilment occurs. The withdrawal window may expire before the consumer is aware it began. This is a structural conflict between the directive's remedial design, premised on consumer awareness, and the agentic system's operating mode, premised on speed and automation.

Cross-jurisdictional classification conflicts. Where Matchmaker and Hub platforms operate across multiple Member States, the classification of the platform's role under national agency law may differ. A Member State whose private law follows a strict actual-authority test will reach a different liability conclusion than one whose law recognises broad apparent-authority. The DSA's country-of-origin principle partially addresses this by applying the law of the platform's establishment, but consumer protection minimum harmonisation preserves Member State divergence in the remedial layer. The result is that the same consumer harm produced by the same algorithm generates different remedies depending on the consumer's and the platform's respective domiciles.

The results set out above exhibit a consistent structural pattern. Where the platform's algorithm occupies a passive or ministerial role, EU doctrine produces determinate classification outcomes. Where the algorithm exercises substantive commercial discretion, discretion that is neither authorised by the consumer in any meaningful transactional sense nor observable by the merchant in real time, doctrine produces indeterminate or conflicting outcomes. The explanation for this pattern is structural, not incidental: EU legal doctrine was built on a dyadic information model, and the algorithm introduces a third information state that the dyad cannot absorb.

The dyadic assumption in principal-agent law. The legal structure of agency, as reflected in both the commercial agency directive and Member State private law, presupposes two parties: a principal whose will is authoritative, and an agent whose acts derive their legal effect from that will. Information asymmetry in this structure, as formalised by Laffont and Martimort [1], runs along a single dimension: the principal cannot observe the agent's effort or private information, and the agent exploits that gap to extract an information rent. The legal response to this asymmetry is a combination of fiduciary duties, disclosure obligations, and residual liability rules that, together, pressure the agent toward conduct aligned with the principal's interests.

This architecture functions when there are two parties and one information dimension. It begins to strain when there are three parties, because the assignment of the "agent" role becomes underdetermined. In classical commercial agency, the agent is the human intermediary who acts on behalf of a disclosed or undisclosed principal. In agentic commerce, the algorithmic intermediary acts, and the question of whose will it expresses, the consumer-user who granted standing authority, the merchant whose offers it presents, or the platform operator whose training objectives shaped its decisions, does not have an answer that existing doctrine can produce without importing external assumptions.

The three-way information asymmetry. The algorithmic intermediary in a Hub or Matchmaker configuration generates three distinct information asymmetries, each of which maps onto a principal-agent dyad without fitting any single one cleanly.

The first asymmetry is between the consumer and the algorithm. The consumer grants standing authority for the algorithm to act on their behalf but cannot observe the criteria the algorithm applies in exercising that authority. This is the classic principal-agent information gap, with the algorithm in the agent role. Laffont and Martimort [1] establish that under this information structure the constrained optimal outcome for the principal is strictly below the socially efficient quantity, because the agent retains an information rent corresponding to its private knowledge of its own decision criteria. The legal response would be mandatory disclosure of decision criteria at transaction level, which current EU instruments do not consistently require for agentic systems.

The second asymmetry is between the merchant and the algorithm. The merchant deploys the algorithm to serve the merchant's commercial interests but cannot observe, in real time, each decision the algorithm makes on the merchant's behalf. The algorithm may form contracts that the merchant would not have authorised had it been asked, because the algorithm's training objectives optimise a proxy for merchant interest rather than merchant interest directly. This gap maps onto the employer-employee variant of the principal-agent problem, and Member State private law imposes vicarious liability on the employer for acts of the employee within apparent scope. Whether that doctrine extends to algorithmic acts is the unadjudicated question.

The third asymmetry is between the regulator and the algorithm. The regulator cannot observe the algorithm's decision rules from the outside. The AI Act addresses this through transparency and audit obligations directed at providers and deployers, as established by its legislative text and examined in the fairness-regulation context by Meding [8]. Those obligations are directed at the human parties at the system's boundary, not at the algorithm itself. If the provider and deployer have designed a compliant system that nonetheless produces discriminatory or anti-competitive outcomes through emergent behaviour, the regulatory audit addresses the design, not the outcome-generating process. This is the opacity problem that Lendvai and Gosztonyi [6] identify as the core legal dilemma of algorithmic systems: the legal instrument reaches the human at the boundary of the system but not the system's operative behaviour.

Distinguishing genuine doctrinal gaps from applied-rule misalignment. Not every failure to produce a clean classification outcome represents a genuine doctrinal gap. Some classification difficulties arise because existing rules have not yet been applied by a court to the new fact pattern; a court applying existing doctrine might resolve the question satisfactorily. These are cases of applied-rule misalignment, where the rule is adequate but its application to the new configuration is unsettled. Genuine doctrinal gaps arise where no application of existing rules can produce a coherent outcome because the fact pattern contradicts a structural assumption of the rule.

The results of this analysis support the conclusion that the Matchmaker type presents largely applied-rule misalignment: apparent authority doctrine, as developed in Member State law, is capable of capturing algorithmic recommendations as authority-generating conduct, provided a court is willing to extend it to non-human actors. This is a doctrinal extension, not a doctrinal impossibility.

The Hub type presents a genuine doctrinal gap. The gap arises because Hub-type agentic systems act simultaneously as the consumer's agent (exercising standing authority), the merchant's agent (presenting the merchant's offer), and the platform's instrument (optimising for the platform's objectives). Existing agency doctrine has no category for an intermediary that holds delegated authority from both transaction parties while optimising for a third party's objectives. The law does not lack such a category through oversight; the category is structurally incompatible with the bilateral foundation of agency doctrine, under which an agent's fiduciary obligation runs to one principal and conflicts of interest are a ground for disqualification, not a constitutive feature of the role.

The AI Act's provider-deployer distinction as partial repair. The AI Act's distinction between provider and deployer, established in Articles 3(3) and 3(4) of the Act's legislative text, represents a legislative attempt to distribute responsibility across the supply chain of an AI system without resolving the underlying authority question. The provider is responsible for the system's design; the deployer is responsible for its use in context. The relationship between this statutory distribution of regulatory obligations and the algorithmic fairness requirements of the Act is examined by Meding [8]. Applied to agentic commerce, the deployer is the platform operator or the merchant who integrates the system into a commercial workflow. Treating the deployer as the residual apparent principal for algorithmically formed contracts, subject to rebuttal only by ex-ante contractual reallocation notified to a competent authority, would close the liability gap in the Hub type without requiring a new primary-legislation category. The notified contractual reallocation mechanism operates as follows: the provider and deployer may, by agreement executed prior to deployment and registered with the relevant national competent authority under the AI Act's market-surveillance framework, specify that responsibility for particular categories of commercial act initiated by the system rests with the provider rather than the deployer, or is shared across both parties according to defined criteria. Absent such a registered agreement, the deployer bears the presumptive apparent-principal status. This construction preserves the civil law's requirement of an identifiable obligor, addresses the consumer's practical need for a reachable respondent, and is consistent with the AI Act's text rather than contradictory to it.

The DSA systemic-risk mechanism as a supplementary instrument. The DSA Article 34 systemic-risk assessment mechanism, applied by Mehra's [5] analogy to the antitrust context of algorithmic conduct, provides a supplementary governance instrument. If the platform's governing algorithm is treated as a systemic-risk feature, the DSA's mandatory audit obligation would require the platform to expose its decision rules to external scrutiny. The civil-liability question remains a separate matter; the audit mechanism addresses the regulator-algorithm information asymmetry identified above, converting an unobservable decision process into an auditable one. The combination of deployer-as-apparent-principal in civil law and algorithmic audit in public regulatory law represents the most coherent available doctrinal repair strategy within the existing EU legislative architecture.

The analysis presented in this paper establishes three conclusions of doctrinal and practical significance for EU commercial law.

First, the doctrinal failure in agentic commerce is structural, not incidental. The bilateral principal-agent model embedded in EU contract law, consumer protection directives, and the agency provisions of Member State private law was designed for a world in which commercial authority moves from an identifiable human to another identifiable human, with a third human as counterparty. The algorithmic intermediary in Hub and Matchmaker configurations is not a complication of this model; it contradicts the model's foundational assumption that the locus of decision-making power is a legal person who can bear rights and obligations. No interpretive manoeuvre within the bilateral model can resolve a triadic structure in which the same system simultaneously acts as the consumer's delegate, the merchant's representative, and the instrument of a platform operator whose objectives may conflict with both.

Second, the existing EU legislative portfolio provides the raw materials for a partial but coherent doctrinal repair. The AI Act's deployer category, established by Articles 3(3) and 3(4) of the Act and extended by a rebuttable apparent-principal construction, assigns the algorithm's commercial acts to the human legal person who placed the system into commercial use. This assignment is rebuttable: where the developer or upstream provider has retained operational control, or where a registered contractual reallocation, executed prior to deployment and notified to the relevant national competent authority under the AI Act's market-surveillance framework, has distributed responsibility across provider and deployer according to specified criteria, the presumption of deployer-as-principal can be displaced. This construction preserves the civil law's requirement of an identifiable obligor, addresses the consumer's practical need for a reachable respondent, and is consistent with the AI Act's legislative text.

Third, the deployer-as-principal construction alone is insufficient to close the regulator-algorithm information asymmetry. The deployer can be held liable for the outcomes of an algorithm whose decision rules neither the deployer nor any external party has observed. Liability without observability is an incomplete accountability mechanism: it assigns loss to an identifiable party but does not create the transparency conditions that would allow that party, or the regulator, to identify and correct the conduct that produced the harm. The DSA Article 34 systemic-risk framework, applied to governing-algorithm opacity as a systemic-risk feature of Matchmaker and Hub platforms, provides the observability mechanism that civil liability lacks. Mandatory algorithmic audit under that provision converts the algorithm's decision process from a black box attributable in law to a disclosed process subject to ongoing regulatory scrutiny.

The integrity of EU commercial law's accountability structure depends on the capacity of the law to trace harmful outcomes to identifiable obligors and, through that tracing, to create corrective incentives that reduce future harm. In agentic commerce, that capacity is compromised across three specific vectors. The first is the unresolvable triadic authority structure: where an algorithm holds delegated authority from both transaction parties while optimising for a third party's objectives, no existing principal-agent category can produce a coherent authority assignment, and the consumer is left without a primary obligor against whom withdrawal rights, warranty claims, and damages actions can be directed simultaneously. The second vector is the standing-authority consent model: consumers who grant algorithmic systems ex-ante authority to form contracts on their behalf surrender the contemporaneous awareness that withdrawal-right provisions presuppose, and the fourteen-day withdrawal window under the Consumer Rights Directive begins to run from the moment of contract formation regardless of whether the consumer has received notification that a contract was formed. The third vector is the opacity of algorithmic decision rules: without transaction-level disclosure of the criteria an agentic system applied in a specific commercial act, post-hoc attribution of harm to a specific design choice is obstructed at every level of the enforcement chain, from the consumer seeking to invoke a remedial right, to the national competent authority conducting a market-surveillance investigation, to the deployer seeking to demonstrate that the harm lay in a design defect attributable to the upstream provider. Each of these vectors requires a targeted doctrinal response calibrated to its specific obstruction mechanism. The response need not await new primary legislation; it requires coordinated interpretation of existing instruments toward a coherent framework in which the algorithmic intermediary is treated as a locus of legal obligation, distributed across identifiable human legal persons through the deployer-as-principal construction and the mandatory-audit mechanism, rather than treated as a mere tool whose acts belong by default to whoever commissioned it.

The following limitations affect the conclusions of this analysis and should be considered by readers evaluating the paper's claims.

1. Confinement to written law and adjudicated cases. The analysis draws on EU primary and secondary legislation, CJEU case law, and legal scholarship. It does not incorporate empirical data on enforcement practice, settlement patterns, or regulatory agency decision-making. The doctrinal gaps identified may be partially addressed in practice through informal enforcement guidance, supervisory expectations, or industry self-regulatory arrangements that do not appear in written law. The analysis cannot assess the extent to which such informal mechanisms mitigate the formal gaps identified.

2. Absence of agentic-commerce-specific CJEU adjudication. The CJEU has not, at the time of writing, adjudicated a consumer-harm case arising specifically from an agentic commerce platform operating in the Hub or Matchmaker configuration. The doctrinal analysis therefore rests on analogical extension of cases addressing adjacent fact patterns. The analogical extensions made in this paper are argued, but they may not reflect the outcome that the CJEU or national courts would reach when confronted with the specific fact patterns described.

3. Exclusion of engineering-artifact analysis. The analysis treats the algorithmic intermediary as a black box observable by its inputs and outputs. It does not model the algorithm's internal architecture, training process, or emergent-behaviour dynamics. The classification of a platform as Hub or Matchmaker type depends on its observable commercial conduct, not on its technical design. Platforms that would be classified differently under a technical-design-based taxonomy may produce different doctrinal outcomes than those predicted here.

4. Territorial scope assumption. The analysis assumes EU territorial jurisdiction over the platforms examined. Where agentic platforms are domiciled outside the EU and direct services to EU consumers, the extraterritorial application of the DSA, the AI Act, and the Consumer Rights Directive raises additional questions of international private law and enforcement jurisdiction that this analysis does not address.

5. Temporal limitation on legislative landscape. The AI Act's application dates are staggered, and the revised Product Liability Directive's transposition period had not expired at the time of writing. The analysis addresses the legislation as enacted, but the full regulatory landscape will take effect over a multi-year transition period, during which the doctrinal gaps identified may be partially addressed through implementing measures, delegated acts, or Commission guidance.

Three concrete vectors for legal and doctrinal development follow from this analysis.

First: modification of the agency authority standard. The Commercial Agents Directive and Member State private law agency provisions should be amended or authoritatively interpreted to address algorithmic agents explicitly. The specific modification required is an extension of the apparent-authority doctrine to cover algorithmic acts, combined with a defined standard for the scope of standing authority in agentic deployments. The doctrinal instrument for this development is a Commission Recommendation or a Member State high-court decision that applies apparent-authority reasoning to a specific agentic-commerce fact pattern. Such a decision would provide the precedent foundation for the deployer-as-apparent-principal construction argued in this paper without requiring parliamentary action.

Second: creation of an intermediate accountability category. EU law should develop an intermediate category between passive intermediary and active trader for platforms that exercise substantial algorithmic governance without being the contracting party. The specific legislative instrument is a targeted amendment to the DSA or a standalone algorithmic-intermediary regulation that assigns disclosure, audit, and residual liability obligations to platforms in the Matchmaker and Hub LEM types. The drafting benchmark for this amendment is the AI Act's provider-deployer distinction, extended to cover civil liability as well as regulatory compliance.

Third: algorithmic disclosure as a transactional duty. The AI Act's transparency obligations under Article 13 currently require providers and deployers to supply information about the AI system's capabilities, limitations, and intended purpose at the system level. That obligation is an existing partial requirement, not an absent one: it creates a disclosure duty toward deployers and, where the system interacts with natural persons, toward those persons in general terms. The reform proposed here supplements rather than replaces that existing obligation. The specific gap to be addressed is the absence of transaction-level disclosure: a requirement that an agentic system operating in a consumer-facing commercial context document and communicate to the consumer, at the point of each commercial act, the operative decision criteria applied to that specific transaction. The specific mechanism is an implementing regulation under AI Act Article 13 that specifies the disclosure format and content for agentic systems at the transaction level. This transaction-level duty, combined with the DSA Article 34 systemic-risk audit obligation applied to governing-algorithm opacity, provides the observability infrastructure that makes the deployer-as-apparent-principal construction practically meaningful: the deployer who can inspect and communicate each transaction's decision basis can also identify where the system acted outside the scope of the granted authority and can apportion upstream liability to the provider accordingly.