Executive Summary
The Court of Justice of the European Union’s judgment in Case C-77/24 (Wunner), handed down on 15 January 2026, marks a turning point for directors of companies operating across EU Member States. At its heart, the case involved directors of a Maltese gambling company who found themselves sued personally by an Austrian player for losses incurred through online gaming. The twist? The company held a valid Maltese licence and operated lawfully from Malta, yet lacked the separate Austrian authorisation.
What makes this judgment so significant is the Court’s determination that such claims against directors fall within the Rome II Regulation’s scope rather than being excluded as company law matters. More surprisingly still, the applicable law turns out to be that of the consumer’s habitual residence rather than the law governing the company’s incorporation. This represents a marked departure from the traditional corporate law principles that have long protected directors through separate legal personality and limited liability frameworks.
The practical consequences are threefold and troubling. The judgment undermines separate legal personality by permitting claimants to sue directors personally without establishing fraud, bad faith, or abuse of corporate form. It fractures director liability across twenty-seven different national tort law regimes. Perhaps most worryingly, it extends personal exposure to directors across all regulated sectors offering cross-border services—financial services, e-commerce, data processing, professional services.
For Maltese companies in particular, the judgment sits uncomfortably with the carefully calibrated Maltese legal framework that restricts director liability to narrow circumstances involving culpable conduct. Directors who comply scrupulously with Maltese law and hold valid Maltese regulatory authorisations may nonetheless find themselves facing personal liability under foreign legal systems with more expansive standards. Whilst Maltese Bill 55 prevents enforcement of such judgments within Malta, it offers no protection for directors with assets elsewhere, nor does it shield them from the reputational damage of foreign proceedings.
What we see here is consumer protection being prioritised over legal certainty, proportionality, and the practical viability of cross-border digital business. Directors serving consumers across multiple EU jurisdictions now confront fundamentally altered risk exposure. This demands enhanced due diligence, corporate restructuring, expanded insurance coverage, and in some cases a fundamental reassessment of whether cross-border operations remain viable. Legislative clarification is urgently needed to restore some equilibrium between consumer protection objectives and the foundational principles of corporate law.
Introduction
The CJEU’s judgment in Wunner addresses a question that goes to the heart of corporate governance across the European Union: can directors be held personally liable in tort for their company’s breaches of national regulatory prohibitions? The case specifically concerned online gambling offered without the required licence, but its ramifications extend far beyond the gaming sector to encompass all regulated cross-border services.
Traditionally, directors of Maltese companies have operated within a legal framework where companies are distinct entities from their directors, and where companies alone bear liability for their obligations unless directors expressly agree otherwise. Maltese law carves out specific, limited exceptions to director immunity—fraud or bad faith when entering obligations, entering obligations when insolvency was reasonably foreseeable, and bad-faith or negligent breach of duty causing company loss. These carefully delineated limitations embody a principle: directors should face personal liability only when they have abused their position or acted culpably, not merely because corporate decisions might breach regulatory requirements elsewhere.
Wunner carves out a significant new exception. Directors of Maltese companies can no longer take comfort from the assumption that the corporate veil will shield them from personal actions when their company breaches regulatory prohibitions in other Member States. The judgment’s implications ripple outward from gaming to encompass directors of Maltese companies offering cross-border regulated services across all sectors—financial services, e-commerce, data processing, professional services, and indeed any regulated activity where companies serve consumers across multiple jurisdictions.
Background to the Case
Titanium Brace Marketing Limited (TBM) was an insolvent Maltese company whose directors operated an online casino from Malta. The company held a Maltese gambling licence but lacked the separate licence required under Austrian law. An Austrian player, identified in the proceedings as TE, lost €18,547.67 between November 2019 and April 2020. TE decided to pursue not the company, but its directors—NM and OU—personally, on the basis that infringing the Austrian gambling monopoly constituted a breach of law rendering the directors personally and jointly liable.
The facts warrant close attention. TBM was incorporated in Malta, operated from Malta, held a valid Maltese gambling licence, and complied with Maltese regulatory requirements. The directors lived in Malta. Every operational decision was taken in Malta. Measured by any traditional connecting factor in corporate or commercial law—seat, place of incorporation, principal place of business, licensing jurisdiction, directors’ residence—the company and its directors had their closest and most meaningful connection to Malta.
The directors challenged jurisdiction on principled grounds. They argued that under Maltese law—the lex societatis—there exists no recognition of director liability towards the company’s creditors, and that the applicable law should therefore be Maltese rather than Austrian. This rested on a fundamental tenet of corporate law: the law of incorporation governs a company’s internal affairs, including the relationship between company and directors, and the circumstances in which directors may be held personally liable for corporate obligations.
The Court’s Key Findings
Directors’ Liability Falls Outside Company Law Exclusions
The Court faced a threshold question: does an action in tort brought against company directors for breach of a prohibition under national law against offering games of chance without a licence fall within ‘non-contractual obligations arising out of company law’ under Article 1(2)(d) of the Rome II Regulation?
Article 1(2)(d) excludes from the Regulation’s scope a defined category: ‘non-contractual obligations arising out of the law of companies regarding matters such as the creation, legal capacity, internal organisation or winding-up of companies, the personal liability of officers and members as such for the obligations of the company or body and the personal liability of auditors to a company or to its members in the statutory audits of accounting documents.’ On a natural reading, the phrase ‘personal liability of officers and members as such for the obligations of the company’ would appear to encompass liability arising from directors’ exercise of corporate functions and management authority.
The Court’s reasoning proves somewhat difficult to follow and contains a certain circularity. It concluded that such actions do not fall within non-contractual obligations arising out of company law. The Court drew a distinction between liability arising from obligations imposed by reason of a director’s constitution or appointment—relating to internal company management and excluded from Rome II—and liability arising from obligations situated outside company life, which falls within the Regulation’s scope.
This distinction between ‘internal’ and ‘external’ obligations suffers from inherent instability. Consider the predicament: directors only act through the company. When TBM’s directors caused the company to offer gambling services to Austrian residents, were they acting ‘as directors’ or ‘as tortfeasors’? The judgment offers no clear test. Directors exercise authority solely by virtue of their corporate office. Every decision they make—including decisions about what services the company offers and in which markets—is made ‘as directors’. To characterise some of these decisions as ‘external to the company’s affairs’ whilst others remain ‘internal’ creates what appears to be an arbitrary dividing line.
The logic, taken to its conclusion, extends personal director liability to virtually any regulatory breach. If gambling licensing breaches create ‘external’ liability because such laws protect third parties, why not environmental regulations protecting the public from pollution, consumer protection laws safeguarding purchasers, data protection legislation protecting individuals’ privacy, health and safety requirements protecting workers and the public, or financial services regulations protecting investors and depositors? Under this framework, directors breaching any protective regulatory regime across EU Member States could face personal tortious liability under the law of the jurisdiction where the ‘victim’ resides, irrespective of where the company is incorporated or what the lex societatis provides.
The interpretation also sits uneasily with Article 1(2)(d)’s plain language. The provision refers to ‘personal liability of officers and members as such for the obligations of the company’. The phrase ‘as such’ most naturally connotes ‘in their capacity as officers’, not ‘only for internal company matters’. When directors cause a company to breach regulatory obligations, they act in their capacity as directors exercising management authority. One would think this ought to fall squarely within the exclusion.
What troubles us most is how fundamentally the judgment contradicts Maltese corporate law principles regarding separate legal personality. Maltese law treats legal persons as distinct entities from their directors and shareholders, with acts binding only themselves except as provided by law. The carefully calibrated exceptions requiring proof of culpable conduct embody a principle: directors should face personal liability only when they have abused their position, not simply because they made decisions—lawful under the lex societatis—that breached regulatory requirements elsewhere.
Wunner circumvents these safeguards entirely. It permits personal liability without requiring proof of fraud, abuse of corporate form, bad faith, reckless disregard, foreseeable insolvency, or any of the traditional veil-piercing requirements. The directors held a valid Maltese licence. They operated a business that was entirely legal in its place of incorporation. Nobody alleged they had acted fraudulently or abused the corporate form. Yet they now face personal liability under Austrian law for decisions made in Malta about a Malta-incorporated company’s operations—decisions that would create no personal liability whatsoever under the lex societatis.
The Court’s reliance on a generic duty of care owed erga omnes strikes us as problematic. Directors do not, and should not, owe a duty of care to consumers or the general public in their capacity as directors. The company itself—as a regulated entity—bears primary responsibility for regulatory compliance. The gambling licensing regime regulates the provision of services by undertakings. The director’s decision-making authority derives entirely from their corporate office, and any breach of regulatory requirements ought properly to be attributable to the company’s failure to comply with its legal obligations. The imposition of a general duty erga omnes represents something rather more fundamental: a reconceptualisation of the director’s legal role. Directors are corporate officers whose duties run to the company itself, not independent professionals who owe duties directly to those they serve. To hold directors personally liable for the company’s regulatory breaches conflates director with company and undermines what has been a foundational principle of separate legal personality.
The Austrian courts will now apply Austrian tort law to determine whether the directors are personally liable. Austrian law recognises joint and several liability where persons contributed to damage ‘jointly, directly or indirectly, by inducement, threats, orders, assistance, concealment and the like’. The application of these broad principles to directors whose sole ‘contribution’ was making corporate decisions may well result in the corporate veil being pierced in circumstances that would be quite inconceivable under the lex societatis.
The Law of the Victim’s Habitual Residence Applies
The Court determined that in an action for repayment of losses suffered through participation in online games offered without the required licence, the damage is deemed to have occurred in the Member State where the player has his habitual residence. This determination creates several difficulties.
Where does ‘damage’ occur in cases involving financial loss? The concept is inherently abstract. One could plausibly say the player’s economic harm occurred in Malta, where TBM’s player account system debited TE’s account or where TBM received and retained TE’s funds. Equally, one could locate it in Austria, where TE’s personal bank account was debited to fund his player account. Or perhaps in Austria, where TE participated in the games. The judgment opts for the last—participation from habitual residence—without really explaining why this location is more ‘real’ or meaningful than the alternatives. Each of these events forms part of the causal chain leading to TE’s loss. Singling out one as the ‘place where damage occurred’ involves a normative choice rather than an objective factual determination.
The consequence is multiplicity and fragmentation. An online gambling operator serving customers across the EU could face twenty-seven different tort law regimes, each with different rules on tortious liability elements, whether directors can be held personally liable, joint and several liability principles, causation requirements, limitation periods, damages quantification, and available defences. This makes it effectively impossible for directors to know in advance what legal standards will govern their conduct.
Nor is the logic confined to gambling. Any online service breaching local protective regulation could trigger director liability under the law of the user’s habitual residence—financial services, e-commerce, data processing, professional services, subscription services. For directors of platform companies or digital service providers, the Wunner framework creates what can only be described as exponentially multiplied personal liability exposure.
There is also a problematic circularity in the relationship between jurisdiction and applicable law. The Austrian court’s jurisdiction under Article 7(2) of the Brussels Ia Regulation rested on the assumption that Austrian law might apply. The CJEU confirmed Austrian law applies under Rome II, thereby confirming jurisdiction. But if the tort occurred in Malta—where TBM operated and where the directors made all decisions—neither Austrian jurisdiction nor Austrian law would apply. The Court’s determination that damage occurred in Austria both establishes jurisdiction and is premised upon jurisdiction’s existence.
The Court held, critically, that whether the non-contractual obligation is attributable to the directors or to the company is determined not by the lex societatis (Maltese law), but by the law applicable to the tort (Austrian law), since that law determines the conditions and extent of liability, including who may be held liable. As a matter of the Rome II Regulation’s structure, this is correct. Article 15 makes clear that the law applicable to non-contractual obligations governs the basis and extent of liability, including the determination of persons who may be held liable. Yet this reasoning only serves to highlight how critical the Article 1(2)(d) determination was. Had the Court correctly held that ‘personal liability of officers as such for the obligations of the company’ falls within the company law exclusion, the question would be governed by the lex societatis, which provides robust protection. The entire edifice of personal director liability under Austrian law rests on that narrow interpretation of Article 1(2)(d).
The practical effect is to permit Austria to regulate conduct in Malta through private civil litigation. TBM was incorporated, operated, licensed, and compliant in Malta, managed by Malta-resident directors who made all operational decisions there. Malta, as the host state, had made a deliberate regulatory choice to licence TBM’s operations. Yet Austrian law now determines whether the directors are personally liable for those Malta-based operations. This creates considerable tension with freedom of establishment, freedom to provide services, mutual recognition principles, and country-of-origin concepts that increasingly characterise EU digital regulation.
Personal director liability represents an exceptionally severe sanction. Less restrictive regulatory alternatives could achieve consumer protection objectives whilst respecting corporate law principles—regulatory enforcement actions against the company, licence revocation or suspension, corporate fines and penalties, director disqualification orders, injunctive relief preventing future breaches, criminal sanctions in egregious cases involving fraud. None of these requires dismantling separate legal personality or exposing directors to personal civil liability for corporate regulatory breaches.
The Rome II Regulation does include an ‘escape clause’ in Article 4(3), permitting departure where ‘it is clear from all the circumstances of the case that the tort or delict is manifestly more closely connected with a country other than that indicated’. In principle, this could allow departure from Austria in favour of Malta. The factors indicating a manifestly closer connection to Malta seem compelling: company incorporation and registered office, directors’ residence, principal place of business, location of all operational decisions, licensing jurisdiction, any pre-existing contractual relationship.
Yet the Court’s treatment renders Article 4(3) something of an illusory protection. The Court emphasises it is an ‘exceptional departure’ requiring a ‘manifest’ (clear, obvious, indisputable) closer connection occurring ‘only exceptionally’ to ensure ‘predictability and legal certainty’. The judgment offers no real indication of what circumstances might satisfy this demanding standard. If company incorporation, directors’ residence, principal place of business, licensing jurisdiction, and a potentially applicable pre-existing contractual relationship—all pointing to Malta—do not create even a plausibly ‘manifestly closer connection’, one struggles to imagine what would suffice. The reasoning suggests an implicit presumption that protective legislation in the victim’s home jurisdiction always creates the closest connection in consumer protection cases, effectively reading Article 4(3) out of the Regulation for this category of claims.
The Court asserts that directors ‘could reasonably expect’ that offering gambling services to Austrian residents would expose them to Austrian law and liability. This assertion seems questionable. Directors operating in 2019 and 2020 might reasonably have believed their valid Maltese licence, issued by an EU Member State authority, authorised them to provide services throughout the EU under freedom to provide services principles. They might have believed Austria’s licensing requirement could itself be challenged as a disproportionate restriction on free movement—such challenges have succeeded in some CJEU cases on gambling restrictions. They might have believed any liability would attach to the company rather than directors personally, or that the lex societatis would govern director liability questions. These are hardly fanciful beliefs. They represent reasonable interpretations of EU law principles as they stood before Wunner.
No CJEU judgment before Wunner clearly established that Article 1(2)(d)’s company law exclusion would be interpreted narrowly, that damage would be located at the consumer’s habitual residence, or that directors could face personal tortious liability under the consumer’s domestic law for corporate regulatory non-compliance. The directors of TBM, making decisions in 2019 and 2020, could scarcely have foreseen a judgment handed down in 2026. Applying it retroactively seems to violate basic principles of legal certainty and legitimate expectations. Even with Wunner’s benefit, directors serving consumers across the EU cannot ‘reasonably expect’ to understand and comply with twenty-seven different national tort law regimes. The foreseeability requirement is rather a fiction than a meaningful protection.
Practical Implications for Directors
Directors can no longer proceed on the assumption that incorporation in Malta, compliance with Maltese law, and the absence of personal liability under Maltese law will shield them from personal exposure for company activities outside Malta. They need to adopt what might be called a pan-European perspective on regulatory compliance and personal liability risk, assessing which Member States’ laws might apply and whether those laws impose personal liability on directors for regulatory breaches.
The sensible approach involves commissioning comprehensive legal opinions from local counsel in each Member State where the company offers services. These should address applicable regulatory requirements, whether regulatory breaches create tortious liability, whether such liability extends to directors personally, the elements of director liability, potential quantum of exposure, and limitation periods. Expensive and burdensome, particularly for companies serving consumers across multiple jurisdictions, but this now represents a necessary cost of cross-border business.
Corporate restructuring to contain personal liability exposure merits serious consideration. This might involve establishing local subsidiaries in high-risk jurisdictions with local directors, functional separation between holding company directors making strategic decisions and operating company directors implementing compliance, limiting the number of directors with executive functions (non-executive directors may have stronger arguments that they did not ‘contribute’ to regulatory breaches), and appointing local resident directors in particularly risky jurisdictions. These structures add cost and complexity but may prove necessary to manage the multiplied liability exposure Wunner creates.
Directors’ and officers’ insurance policies warrant careful review to ensure coverage extends to personal liability claims brought under foreign laws for regulatory breaches. Key considerations include territorial scope covering claims in all EU Member States where the company operates, confirmation that coverage extends to tortious liability arising from alleged regulatory non-compliance, adequate coverage for legal defence costs in multiple jurisdictions (which may well exceed any eventual damages), severability provisions, and whether policy limits prove adequate given potential exposure across multiple jurisdictions. Insurance premiums will likely increase significantly as insurers price in the Wunner risk.
Compliance management systems demonstrating good-faith efforts to identify and comply with regulatory requirements across all jurisdictions served have become essential. Legal advice protocols should require formal opinions on regulatory compliance before entering new markets. Board minutes should document directors’ consideration of regulatory compliance, reliance on legal advice, and good-faith belief in lawfulness of operations. Delegation frameworks should clearly set out which compliance matters are delegated to compliance officers, legal counsel, or local management. Whilst these measures may not prevent liability under strict or negligent liability standards, they provide evidence of good faith that may prove relevant under some national tort law regimes and may influence damages quantum.
Contractual provisions in customer terms and conditions deserve attention, including choice of law clauses specifying Maltese law governance (though their effectiveness for tort claims seems questionable following Wunner), dispute resolution clauses requiring claims against the company rather than directors personally, and limitation of liability clauses (though enforceability against consumer claims varies across Member States).
In extreme cases, resignation from directorships may be warranted if regulatory compliance across all potentially applicable jurisdictions cannot be assured. Market exit—ceasing to serve customers in particularly high-risk jurisdictions—may prove necessary. Advance planning to identify circumstances triggering resignation to limit exposure to future conduct seems prudent. These represent drastic steps, but Wunner has fundamentally altered the risk-reward calculus of serving as a director of a company with cross-border operations.
The judgment creates particular difficulties when companies face financial distress or enter insolvency, as TBM did. Personal liability becomes the only practical remedy because claimants cannot recover from an insolvent company. Opportunistic litigation risk increases as individual claimants or insolvency practitioners may target directors personally rather than pursuing collective insolvency procedures. Directors face exposure for decisions made years earlier when the company was solvent. This creates a perverse disincentive to rescue attempts and tension with orderly insolvency by encouraging individual creditor claims against directors. Directors of companies approaching financial distress should obtain urgent legal advice on potential personal exposure and available protective measures.
The Case for Legislative Clarification and Judicial Restraint
The EU legislature could amend Article 1(2)(d) to clarify that ‘personal liability of officers and members as such for the obligations of the company’ encompasses liability arising from directors’ exercise of corporate management authority, even when the company’s conduct breaches protective legislation in other Member States. This would preserve the lex societatis for director liability questions, maintain separate legal personality principles, reduce fragmentation across twenty-seven tort law regimes, and improve legal certainty. Director liability would still be possible under the lex societatis in appropriate circumstances involving fraud, bad faith, or abuse of corporate form, but would not be subject to twenty-seven different national standards.
Alternatively, Rome II could be amended to require proof of fault—intentional wrongdoing, reckless disregard, or gross negligence—rather than permitting strict or ordinary negligence liability. This would ensure directors face liability only for culpable conduct, align with traditional veil-piercing requirements, and reduce opportunistic litigation. The Regulation might also create rebuttable presumptions that certain connecting factors indicate ‘manifestly closer connection’ under Article 4(3), giving real content to the escape clause.
A directive harmonising the circumstances in which directors may be held personally liable for corporate obligations across Member States would reduce current fragmentation, provide clarity and foreseeability, ensure a level playing field, and potentially include safe harbours for good-faith reliance on legal advice.
Pending legislative action, national courts applying Wunner should interpret Article 4(3) generously, recognising that where a company is lawfully incorporated, licensed, and operating in one Member State, with directors resident there making decisions there, Article 4(3)’s ‘manifestly closer connection’ test likely proves satisfied, particularly where the company held valid regulatory authorisations, directors relied on legal advice, no fraud or abuse is alleged, and the lex societatis provides for director liability only in limited circumstances.
Even where foreign tort law applies, courts should interpret director liability provisions in light of fundamental corporate law principles requiring culpable conduct before piercing the corporate veil. Mechanical application of broad joint liability principles to directors who simply made corporate decisions ought to be resisted. Courts should consider whether personal director liability represents a proportionate remedy, particularly where less restrictive alternatives are available, directors acted in good faith, and no allegation of fraud or abuse is made. The principle of proportionality, fundamental to EU law, should inform how national tort law is applied in cross-border contexts.
Conclusion
The central lesson from Wunner is this: notwithstanding the robust protection against personal liability that Maltese law affords, directors may still find themselves exposed to claims under foreign legal systems imposing stricter standards of personal responsibility, given the remarkably narrow interpretation the CJEU has given to what constitutes non-contractual obligations arising out of company law.
Wunner represents a fundamental and troubling departure from established corporate law principles. It undermines separate legal personality by permitting claimants to bypass the corporate entity and sue directors personally without establishing fraud or abuse. It fractures director liability across twenty-seven regimes, making it impossible for directors to know in advance what legal standards govern their conduct. It creates an unstable and unpredictable distinction between ‘internal’ and ‘external’ obligations lacking any principled foundation. It locates damage at the consumer’s habitual residence without adequate justification. It exposes directors to multiplied personal liability across all EU Member States where consumers are located. It undermines Digital Single Market objectives by making cross-border service provision legally perilous. It lacks proportionality by imposing severe personal liability without requiring culpable conduct. It contradicts the lex societatis, which deliberately restricts director liability to narrow circumstances involving fault.
For Maltese gaming companies specifically, an adverse judgment holding directors personally liable would not, under current legislative framework through Bill 55 protections, be enforceable in Malta. This does not, however, preclude enforcement in other EU Member States, where Maltese law’s protective reach does not extend and where courts may well give effect to the foreign decision. Bill 55 prevents enforcement only in Malta. Directors with assets in other EU Member States remain exposed to enforcement there under the Brussels I Regulation’s mutual recognition framework. Bill 55 protects only gaming company directors, not directors in other regulated sectors. Moreover, Bill 55’s restriction on recognising and enforcing judgments from other Member States is itself currently under challenge at EU level.
Directors of Maltese companies serving consumers across the EU now confront a fundamentally altered risk landscape. The combination of narrow interpretation of the company law exclusion, localisation of damage at the consumer’s habitual residence, application of fragmented national tort law regimes, inadequacy of the Article 4(3) escape clause, and expansive national joint liability principles creates personal exposure that is unpredictable, potentially unlimited, and impossible to fully mitigate through compliance efforts.
The Draghi Report on European competitiveness observes that ‘innovation is blocked at the next stage: we are failing to translate innovation into commercialisation, and innovative companies that want to scale up in Europe are hindered at every stage by inconsistent and restrictive regulations.’ The Report identifies that ‘more than half of SMEs in Europe flag regulatory obstacles and the administrative burden as their greatest challenge’, and that ‘we have left our Single Market fragmented for decades, which has a cascading effect on our competitiveness. It drives high-growth companies overseas.’ The Wunner judgment compounds precisely this regulatory fragmentation by creating twenty-seven different tort law regimes governing director liability, making it effectively impossible for directors to navigate cross-border operations. At a time when European competitiveness requires urgent strengthening, Wunner creates additional legal uncertainty that will drive directors and companies to avoid cross-border operations or relocate entirely outside the EU.
Legislative clarification is urgently needed to restore some equilibrium between consumer protection objectives and the foundational principles of corporate law concerning separate legal personality and limited liability. Pending such clarification, national courts should interpret Article 4(3) generously to recognise the manifestly closer connection to the company’s home jurisdiction, require proof of culpable conduct before imposing personal director liability, and consider proportionality in remedies. Directors must obtain specialist cross-border legal advice, enhance insurance coverage, implement robust compliance systems, consider corporate restructuring, and possibly reassess whether the risks of serving as a director of a pan-European business remain acceptable. Wunner has fundamentally changed the risk calculus of cross-border directorship.
