Director Liability In Cross-Border Online Services: The Significance Of Case C-77/24 (Wunner)

The judgment of the Court of Justice of the European Union (CJEU) in Case C-77/24 (Wunner) constitutes a significant development in the private law dimensions of cross-border service provision within the European Union. The Court's judgement, grounded in the Rome II Regulation on non-contractual obligations, substantially recalibrates the risk landscape for directors engaged in cross-border business models.

Factual Background and Legal Context

The dispute arose from a claim brought by an Austrian consumer seeking recovery of gambling losses incurred through participation in online games offered by a Malta-licensed gaming company. The company had provided services into Austria without holding the licence required under Austrian law. Notably, the claimant pursued not only the company itself, but also its directors personally, alleging unlawful commercial conduct.

The central legal issue concerned the applicable law governing such personal claims. Were these claims governed by the law of the company's incorporation, or by the law of the Member State in which the services were consumed and the alleged damage occurred?

Traditionally, issues relating to directors' duties are understood as matters of company law, generally governed by the law of the company's place of incorporation. However, the claim in Wunner was not confined to internal corporate governance. Rather, it was a third-party action alleging harm caused by unlawful commercial activity. The referring Austrian court submitted questions to the CJEU by way of a preliminary reference.

The Scope of Rome II and Director Liability

The Court held that claims against directors by third parties for allegedly unlawful commercial conduct fall within the scope of the Rome II Regulation, provided they are not limited to internal company law obligations. This distinction is critical. By classifying such claims as non-contractual obligations rather than purely corporate matters, the Court subjected director liability in cross-border settings to the harmonised EU conflict-of-law framework as regulated under Rome II.

Under Article 4(1) of Rome II, the applicable law is that of the country "in which the damage occurs." In this regard, the CJEU held that "In the context of an action for damages for losses incurred when participating in online games of chance ... the damage sustained by a player must be deemed to have occurred in the Member State in which that player is habitually resident.". Accordingly, the losses suffered by the Austrian claimant were considered to have occurred in Austria.

Operational or structural factors, such as the location of servers, bank accounts, or the company's registered office, were held to be irrelevant for the purpose of localising damage. As a result, Austrian law governed the claim against the directors, despite the company being established and licensed in Malta.

This reasoning marks an important doctrinal development. It reinforces a consumer-centric approach to the localisation of damage in digital environments and confirms that the cross-border provision of online services does not dilute the territorial anchoring of civil liability.

Corporate Separation and the Limits of Regulatory Shielding

Perhaps the most consequential element of the judgment lies in the Court's treatment of corporate separation and regulatory authorisation. The Court recognised that if the applicable national law permits personal liability of directors for unlawful commercial conduct, such liability may be enforced even where the directors act on behalf of a foreign-incorporated company.

The fact that the company held a valid licence in its Member State of establishment did not preclude the application of Austrian law, nor did it shield directors from private claims in Austria where local regulatory requirements had not been satisfied. The protective effect of incorporation in another Member State does not operate as a substantive defence to tort claims governed by the law of the state where the damage occurs.

This judgement challenges the notion that compliance with the regulatory regime of the home Member State is sufficient to mitigate liability risk throughout the Union. Additionally, it rejects the view that corporate personality and establishment in another Member State provide reliable insulation for directors against personal exposure in foreign jurisdictions. By separating regulatory compliance from private law accountability, the Court makes clear that neither incorporation abroad nor adherence to home-state licensing requirements necessarily shields directors from liability under the law of a host state where damage occurs.

The Broader Significance for Cross-Border Business Models

The implications of Wunner extend well beyond the online gambling sector and resonate across any business model premised on digital cross-border service provision, including financial services, e-commerce, digital platforms, and subscription-based online offerings. The judgment decisively reinforces the territorial relevance of host-state law in the context of private enforcement. Even within a harmonised internal market structured around the freedom to provide services, Member States retain considerable authority to regulate commercial conduct affecting their residents and to attach civil consequences to non-compliance. The Court's reasoning thus confirms that cross-border digital activity does not dilute the legal significance of the consumer's location for the purposes of private law accountability.

At the same time, the decision materially increases the litigation risk profile for directors engaged in cross-border operations. Directors may now face personal exposure under foreign tort law where a company's activities are subsequently found to contravene host-state regulatory frameworks. This exposure is not confined to administrative sanctions or public enforcement measures; it extends to private damages claims pursued before foreign courts and governed by foreign substantive law. More broadly, the case illustrates the growing role of EU private international law as an indirect mechanism of regulatory influence. By designating the applicable law through the Rome II framework, the Court effectively amplifies the practical reach of host-state regulatory regimes, positioning private claimants as enforcement actors and directors as potential defendants in multi-jurisdictional disputes.

Reassessing Risk and Governance

From a governance perspective, the judgment necessitates a recalibration of risk assessment in cross-border operations. Compliance analysis can no longer be confined to the regulatory framework of the state of incorporation. Instead, directors must consider host-state licensing requirements, consumer protection and unfair commercial practice regimes, the scope of personal liability under local tort law and the likelihood of private enforcement actions in foreign courts.

Importantly, the judgment does not impose automatic liability. Rather, it clarifies the applicable law and opens the door to potential personal liability where national substantive law so provides.

Conclusion

Case C-77/24 (Wunner) represents a significant clarification, and expansion of the legal landscape governing director liability in the EU's internal market. By bringing third-party claims against directors within the scope of the Rome II Regulation and localising damage at the consumer's habitual residence, the CJEU has strengthened the role of host-state law in cross-border disputes.

The decision underscores that digital cross-border service provision does not exist in a regulatory vacuum, nor does incorporation in a Member State with a favourable licensing regime confer comprehensive immunity. For directors, the internal market offers commercial opportunity, but it also entails multi-jurisdictional civil liability exposure.

In this sense, Wunner is not merely a technical conflict-of-laws ruling. It is a structural reminder that the freedoms underpinning the internal market operate alongside, and not in place of, the private law accountability mechanisms of Member States.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.