EU Expands Product Liability Rules to Cover AI and Software Providers

On 8th December 2024, the European Union adopted a new Product Liability Directive (PLD), replacing the long-standing 1985 framework that has governed liability for defective products in the EU for nearly four decades. While the original Directive focused on physical goods, the updated legislation reflects the increasingly digital nature of today’s products and services.

Crucially, for the first time, software and artificial intelligence (AI) systems are explicitly recognised as “products”, meaning they are now subject to the same strict liability rules as physical goods. This change has far-reaching implications for technology businesses operating in or exporting to the EU.

The original Product Liability Directive (85/374/EEC) was introduced in a pre-digital age, where most products were tangible and mechanical. However, modern products, from vehicles to home appliances, are now powered by complex digital systems, software layers, and increasingly autonomous AI technologies.

The updated PLD responds to this shift, ensuring that consumers harmed by defective digital products or AI systems can pursue compensation under a harmonised liability regime. It also aligns with broader EU efforts to regulate the digital economy, including the AI Act and the proposed AI Liability Directive.

Key Developments Under the New Product Liability Directive

  1. Software is Legally a Product: Under the new Directive, the definition of “product” has been broadened to include software, whether embedded, downloadable, or cloud-based. This encompasses:

    • Operating systems and firmware

    • Mobile and web applications

    • AI models and systems

    The significance is that software defects can now trigger strict liability, even without proof of negligence.

  2. AI Systems Explicitly in Scope: AI systems, particularly those capable of autonomous or evolving behaviour, are called out as examples of software that may fall within the new regime. This is especially relevant given the simultaneous introduction of the EU AI Act.

  3. Redefining “Defectiveness”: The concept of a “defect” is no longer limited to manufacturing faults. It now includes the following:

    • Insufficient or missed software updates

    • Cybersecurity vulnerabilities

    • Unintended or unpredictable AI behaviour

    • Post-market failures where manufacturers retain control over software performance

    This reflects the growing realisation that harm can occur not just from how a product is built, but how it is maintained and evolves over time.

  4. Strict Liability Extended: The PLD maintains the EU’s principle of strict liability, but now applies it to digital products. This means the following:

    • Injured parties do not need to prove negligence, only that the product was defective and caused damage.

    • Software developers, AI providers, and tech manufacturers may face claims even when operating with care.

  5. New Forms of Recoverable Damage: The scope of compensation has been expanded to include:

    • Destruction or corruption of personal data

    • Medically recognised psychological harm

    • Removal of the €500 minimum threshold for property damage claims

  6. Wider Net of Potentially Liable Parties: Liability may fall not only on manufacturers, but also on the following:

    • Importers, distributors, and fulfilment service providers

    • Developers of software integrated into products

    • Anyone who significantly modifies a product post-sale

    • Online marketplaces (under certain conditions)

    Notably, companies importing AI systems or software developed outside the EU (e.g., from the US) may now face liability if harm occurs in the EU market.

  7. New Disclosure Rights and Presumptions of Defectiveness: Claimants will benefit from the following:

    • Stronger rights to request internal documentation from manufacturers to help prove their case.

    • A reversal of the burden of proof in certain cases (e.g., where technical complexity makes it unreasonable to expect a claimant to demonstrate defectiveness).

  8. Post-Sale Obligations: Liability is no longer limited to the point of sale. Companies remain responsible where they retain control, including:

    • Remote updates or algorithmic changes

    • Failure to act on known defects or cybersecurity threats

    • Modifications to AI behaviour after deployment

Implications for Software and AI Providers

The new PLD represents a fundamental shift in how liability is assessed in the EU’s digital market. For software and AI providers, this introduces both new risks and new compliance obligations, including the following:

  • Increased exposure to litigation, especially for complex systems like autonomous vehicles, medical AI tools, or high-risk applications under the AI Act.

  • Need for proactive product governance, including documentation, risk assessments, and update protocols.

  • Stronger integration of cybersecurity and data integrity into software lifecycle planning.

  • Potential impact on insurance costs and contractual risk allocations, especially where vendors supply components to larger digital ecosystems.

Additionally, companies must prepare for cross-compliance with the AI Act, which imposes obligations related to transparency, data governance, and risk mitigation, many of which overlap or intersect with the PLD.

What Businesses Should Do Now

Although the Directive will not apply to products placed on the EU market before 9th December 2026, early preparation is strongly advised. Key steps include:

  • Conducting a compliance gap analysis against the PLD’s requirements.

  • Reviewing update and maintenance protocols for all software and AI products.

  • Mapping liability across the supply chain, especially where multiple vendors or third parties are involved.

  • Assessing legacy products for potential update failures that could now trigger claims.

  • Developing internal documentation policies to prepare for future disclosure obligations.

  • Monitoring further developments, including the finalisation of the AI Liability Directive and implementing legislation at the Member State level.

The updated PLD is part of a broader EU effort to modernise product and consumer protection laws in the digital age. Alongside the AI Act, Digital Services Act, and other regulatory instruments, it reinforces the message that digital products will be held to the same safety and accountability standards as traditional goods.

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. 

We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you. Get in contact with us today for more information.
