EU Directive on Product Liability
TLDR
The most recent version of the EU’s Product Liability Directive was adopted by the European Parliament on 12 March 2024 and is now awaiting formal approval by the Council. This is the first major update since 1985 and addresses digitalization, AI, and software-related liabilities. It expands the definition of “product” to explicitly include software and digital services, whether embedded or standalone.
The directive strengthens liability by holding manufacturers, developers, and other economic operators accountable when software defects, including cybersecurity vulnerabilities, lead to harm. It covers physical damage and certain economic losses. For the legal text, see: https://eur-lex.europa.eu/eli/dir/2024/2853/oj/eng
Key articles that affect software liability include:
- Article 4: Defines “product” to include software and digital services.
- Article 7: Establishes liability for economic operators whose defective software causes harm.
- Article 10: Adjusts the burden of proof for victims, easing attribution of damages in complex scenarios.
Implications for Stakeholders
Software Explicitly Recognized as a Product
Relevant Articles: Article 4(1), Recital 13
The Directive explicitly includes software within the definition of a “product,” covering both standalone and embedded software, whether stored locally, accessed via cloud services, or delivered as SaaS. Recital 13 clarifies that software capable of causing harm can trigger liability, irrespective of its delivery method.
Expanded Scope of Liable Parties
Relevant Articles: Article 8(1)–(5)
Liability extends beyond traditional manufacturers to include importers, authorized representatives, fulfilment service providers, and, in specific cases, distributors and online platforms. Any party that substantially modifies a product (e.g., through remanufacture or reconfiguration) is treated as a manufacturer for liability purposes.
Inclusion of Software Updates and AI Behavior
Relevant Articles: Articles 8(1)–(2), 11(2); Recitals 32, 40
Products that evolve post-sale through software updates or AI learning remain within the manufacturer’s control and liability scope. If damage results from a defect introduced or revealed after a software update, or through autonomous AI behavior, the manufacturer can still be held liable.
Cybersecurity as a Safety Requirement
Relevant Articles: Article 7(2)(f); Recitals 32, 34
A product is considered defective if it lacks adequate cybersecurity measures. The Directive makes safety-relevant cybersecurity requirements part of the safety expectations used to decide whether a product is defective.
Rebuttable Presumptions and Burden of Proof
Relevant Articles: Article 10(2)–(5); Recitals 46–48
To balance evidentiary burdens, the Directive introduces rebuttable presumptions of defectiveness or causation in cases involving safety standard violations, obvious malfunction, or excessive technical complexity. These mechanisms ease the claimant’s burden when manufacturers possess disproportionate informational advantages.
Obligation to Disclose Evidence
Relevant Articles: Article 9
Courts may require both parties—claimants and defendants—to disclose relevant evidence, including technical documentation, software logs, or internal reports, when necessary to substantiate or refute claims. Courts must balance this with confidentiality protections, especially for trade secrets.
Extended Liability Period for Latent Defects
Relevant Articles: Article 17(2); Recital 57
While the standard liability period is 10 years, it extends to 25 years for latent personal injuries—those whose symptoms emerge only after a long period—ensuring victims are not excluded from compensation due to delayed harm.
Recognition of Data Loss and Psychological Harm
Relevant Articles: Article 6(1)(a), (c); Recitals 20–21
The Directive acknowledges non-traditional damages: data loss (if the data is not used professionally) and medically verified psychological harm. These now qualify as compensable injuries alongside traditional bodily and property damage.
Exclusion of Non-Commercial Open-Source Software
Relevant Articles: Article 2(2); Recitals 14–15
Free and open-source software (FOSS) developed or distributed outside of commercial activity is excluded from liability. However, liability applies if FOSS is integrated into a commercial product or supplied in return for remuneration or data beyond limited functional use.
Non-Retroactive Application
Relevant Articles: Articles 2(1), 21
The Directive applies only to products placed on the market or put into service after 9 December 2026. Any product released before that date remains subject to Directive 85/374/EEC.