The European Union’s New Product Liability Directive (PLD), adopted in December 2024 and set for implementation by December 2026, marks a transformative shift in how liability is assigned in the EU for defective products in the digital age. For the first time, software - both embedded and standalone - will be treated as a product, subject to the same rigorous liability rules as physical goods. This change has far-reaching implications for software developers, AI providers and the broader technology sector operating in the EU. The PLD is designed to improve consumer protection in the digital age, making it easier for individuals to seek redress for harm caused by defective software, AI or digital devices. The presumption of defectiveness and eased burden of proof are particularly significant for consumers facing complex technical products.
Key changes
1. Software as a product. Under the previous regime, liability rules were primarily designed for tangible goods, with software often considered an accessory or service. The new PLD explicitly expands the definition of a “product” to include software, operating systems, firmware, computer programmes, applications and AI systems. This means that digital products are now subject to strict liability - consumers do not need to prove negligence, only that a defect caused damage.
2. Expansion to AI and IoT. The directive’s scope now covers interconnected devices and AI, reflecting the complexity of modern digital ecosystems. Producers of software, AI systems and IoT devices can be held responsible for damage caused by their defective products, regardless of fault.
3. Defectiveness redefined. The concept of defectiveness is broadened. A product is defective if it does not provide the level of safety a person is entitled to expect. The new rules clarify that defectiveness can arise from:
- Insufficient or missing software updates
- Weak cybersecurity protections
- Unpredictable behaviour of AI systems
- Post-sale modifications or updates under the manufacturer’s control
A regulatory intervention, such as a product recall, may now indicate defectiveness, and manufacturers’ liability can persist after the product is placed on the market if they retain control, such as through software updates.
4. New categories of damage. The PLD introduces new categories of recoverable damages, including destruction or corruption of data (including costs to recover lost data), and medically recognised psychological harms. The previous €500 minimum threshold for property damage claims is removed, allowing claims for even minor losses, which could have significant implications if pursued through class actions.
5. Extended liability and post-sale duties. Manufacturers face liability for up to 10 years for defective products, extended to 25 years for latent personal injury claims. Importantly, liability can now arise from defects that occur after the product is on the market, especially if the manufacturer retains control via updates or remote access. This includes liability for:
- Defective software updates
- Failure to address cybersecurity vulnerabilities
- Damage caused by AI systems learning or changing after sale
6. Wider range of defendants. The new PLD expands the pool of potential defendants. In addition to manufacturers and importers, liability can extend to:
- Authorised representatives of manufacturers
- Software developers
- Fulfilment service providers (e.g. storage, packaging, shipping)
- Distributors and online marketplace operators (under certain conditions)
- Entities that substantially modify a product post-sale
7. Eased burden of proof. Claimants will benefit from a presumption of defectiveness and of a causal link where proving these is “excessively difficult” due to technical or scientific complexity, and where defectiveness or causality is at least “probable.” This is especially relevant for complex digital products and medical devices.
8. Disclosure obligations. Courts can now require defendants to disclose relevant evidence if the claimant makes a sufficiently plausible case for damages. This aims to address the information asymmetry between consumers and manufacturers, though courts must also protect trade secrets and confidential information.
9. Exemptions and defences. The PLD maintains some traditional defences, such as where the defect did not exist when the product was placed on the market or could not have been discovered with the scientific knowledge available at the time. However, these defences are limited when the defect arises from a lack of updates or modifications under the manufacturer’s control. Notably, free and open-source software developed or supplied outside commercial activity is excluded from the PLD’s scope.
Implications for software developers and the technology industry
The most significant change is that software is now treated as a product, not a service. This means:
- Strict liability applies. Developers and vendors can be held liable for defects regardless of fault.
- Software updates are a key risk. Failure to provide necessary updates or address vulnerabilities can trigger liability.
- AI unpredictability is not a defence. If an AI system causes harm through unexpected behaviour, manufacturers remain liable.
Practical steps for compliance
1. Product safety by design. Companies must adopt a “safety by design” approach, ensuring that software and AI systems are robust, secure and regularly updated. This includes rigorous testing before release, ongoing monitoring for vulnerabilities, and timely deployment of updates and patches.
2. Documentation and evidence management. Given the new disclosure rules, maintaining detailed records of product development, updates and safety measures is crucial. This will help in defending against claims and demonstrating compliance.
3. Review of supply chains and contractual arrangements. With liability extending to various actors in the supply chain, businesses must review contracts with suppliers, developers and service providers, clarify responsibilities for updates, cybersecurity and modifications, and ensure that third parties are also compliant with the new rules.
4. Preparing for litigation. The lowered barriers for claimants and expanded categories of damage mean that litigation risk is higher. Companies should review insurance coverage for product liability and prepare for potential class actions or multiple simultaneous claims.
Conclusion
The EU’s New Product Liability Directive represents a watershed moment for software and technology providers. By bringing software, AI and digital products within the scope of strict product liability, the EU is responding to the realities of a digital-first economy and the risks posed by increasingly complex and interconnected products. For software developers and technology companies, the new rules demand a proactive approach to product safety, cybersecurity and legal risk management, with the next two years being critical for the industry to adapt, review processes and ensure compliance before the new rules take effect in December 2026.
If you would like to discuss the content of this article in more detail, please contact Tim Wright.