Software, digital products and AI: stricter safety requirements on the horizon
Gone are the days of offline products and their liability regimes. Companies – not only those in the technology sector – now face substantial changes to product safety requirements and a higher risk of damage claims as the transposition deadline for the EU’s revised Product Liability Directive (2024/2853) (PLD) approaches. For many industry players, including software developers, manufacturers of products with digital elements, AI providers and, to some extent, digital service providers and online platforms acting as distributors, the Directive marks a paradigm shift. For the first time, software – whether standalone or embedded physically or as a service component – falls within the scope of strict, no-fault product liability.
Member States must transpose the PLD into national law by 9 December 2026 with maximum harmonisation, meaning countries will have minimal room to deviate from its provisions. The PLD will apply to all affected products and services placed on the market after the transposition deadline and effective date. Products and services placed on the market earlier will continue to fall under the previous regime.
1. Software and AI as “products”
All types of software are explicitly covered by the new rules, including standalone applications, embedded firmware, operating systems, AI systems and SaaS, irrespective of delivery model and including updates and upgrades. Where a digital service is integrated into a physical product such that the product cannot function without it (e.g. a navigation system in a self-driving car or a digital device running software as its main function), the service is treated as a product component. Free and open-source software developed outside commercial activity is excluded, but open-source software supplied commercially remains in scope. Digital manufacturing files – such as 3D design models – are also captured under the definition of “product”, further expanding the range of items to which liability may apply.
2. Expanded liable parties
The PLD creates a chain of liability ensuring that responsible market participants remain identifiable for enforcement purposes. Software developers and AI providers are expressly included as manufacturers of components and can be held liable accordingly. Where a non-EU manufacturer is involved, liability shifts to the EU importer, authorised representative or fulfilment service provider. Any party that substantially modifies a product – such as by integrating AI models or issuing software updates outside the original manufacturer’s control – may be treated as a manufacturer. Online platforms may also face increased scrutiny due to their role in facilitating online sales.
3. Broader basis for damage
Claimants may now seek compensation for new categories of damage, including loss and corruption of non-professional data, medically recognised psychological harm and, where national law permits, non-material losses. The previous €500 minimum threshold for property damage and the maximum liability cap have been removed, leaving software manufacturers potentially exposed to significantly higher claims.
4. Defectiveness beyond initial release
A pivotal change is that defectiveness can arise after a product is placed on the market. Manufacturers remain liable for defects caused by software updates, failure to address cybersecurity vulnerabilities, AI self-learning or continuous adaptation and failure to deliver necessary safety patches. The key determinant is the degree of control the manufacturer retains after the product enters the market. Given the prevalence of remote updates and monitoring in software and AI systems, this may be broadly interpreted.
5. Burden of proof and the “black box” problem
The PLD shifts elements of the burden of proof to companies, which is particularly relevant for opaque technical systems such as AI. Courts may order manufacturers to disclose technical information – including training data, model details and logs – and failure to comply may trigger a presumption of defectiveness. Products are also presumed defective where they breach mandatory product safety requirements or cause damage through obvious and foreseeable malfunction. Where technical complexity makes proof “excessively difficult,” claimants need only demonstrate that defectiveness or causation is likely, a provision aimed at complex products. Defendants may rebut these presumptions but will require robust evidence to do so.
6. Liability periods
The new rules will apply from 9 December 2026. Companies remain liable for 10 years from the date the product is placed on the market, extended to 25 years in cases of latent personal injury. Claimants have three years from the date they become aware of the damage, the defect and the liable party to initiate proceedings.
7. Recommended actions
To minimise the risk of future damage claims, businesses should use the transposition period to carry out the following:
- Audit product portfolios to identify software, AI systems and integrated digital services that fall within the expanded scope.
- Strengthen post-market monitoring, including processes for identifying defects arising from self-learning, updates and cybersecurity vulnerabilities, supported by comprehensive documentation of testing, training data and update histories.
- Align with the AI Act, data protection rules and Cyber Resilience Act, as non-compliance may directly trigger presumptions of defectiveness.
- Review contractual arrangements with suppliers, developers and integrators to clarify liability allocation and indemnities, noting that liability under the Directive cannot be excluded by contract.
- Prepare for disclosure obligations by establishing document retention and evidence-management systems for technical documentation, while safeguarding trade secrets.
- Assess insurance coverage to ensure product and cyber liability policies adequately reflect the removal of liability caps and the expanded categories of damage.