Stricter product liability rules for the life sciences sector

The new EU Product Liability Directive 2024/2853 (“the Directive”) introduces significant changes to a wide range of solutions used in the life sciences sector and the medical field resulting in stricter safety requirements and a higher risk of damages. The new rules will have significant implications for a broad range of life sciences products, including medical devices, pharmaceuticals, software-based health products and AI-enabled medical technologies.

The Directive must be transposed into national law by Member States by 9 December 2026 and will apply to products placed on the market or put into service after that date. 

1. Expanded scope of products

The Directive expands the definition of “product” in Art. 4(1) to include software, whether standalone or integrated into other products. In the life sciences context, this means:

• Software as a Medical Device (SaMD) is expressly covered, including diagnostic apps, smartwatch health apps, AI-driven diagnostic tools and clinical decision-support software.
• AI systems used in medical settings (e.g. machine-learning based diagnostic tools) clearly fall within scope.
• Digital services and components integrated into medical devices that affect their safety are included.

2. Broader liability for defectiveness

Under Art. 7, a product is defective if it does not provide the safety that a person is entitled to expect or – a new parameter – that is required under EU or national law. This includes failures to comply with the safety requirements set out in the Medical Device Regulation (EU) 2017/745 (“MDR”). Accordingly, a manufacturer of a medical device that does not meet MDR safety requirements may be liable for damages caused by that defect under the Directive.

As before, “all” circumstances must be taken into account when assessing whether a product is defective. However, the list of circumstances has been significantly expanded, which may have considerable implications for medical-related products.

The Directive identifies the following criteria:

1. The presentation and characteristics of the product, including its labelling, design, technical features, composition, packaging and instructions for assembly, installation, use and maintenance.
2. A reasonably foreseeable use of the product.
3. The effect on the product of any ability to continue to learn or acquire new features after being placed on the market or put into service (e.g. self-learning AI diagnostic tools).
4. The reasonably foreseeable effect on the product of other products that can be expected to be used together with the product, including through inter-connection (e.g. networked medical devices or IoT healthcare systems).
5. The moment when the product was placed on the market or put into service or, where the manufacturer retains control afterwards, the moment when the product left that control (under the previous Directive, the relevant moment was market placement only).
6. Relevant product safety requirements, including safety-relevant cybersecurity requirements.
7. Any product recall or other relevant safety-related intervention by a competent authority or by an involved economic operator.
8. The specific needs of the group of users for whom the product is intended.
9. For products designed to prevent damage, any failure to fulfil that purpose.

3. Extended liability for software and updates

Manufacturers remain liable for defects arising after a product is placed on the market if they result from:

• software or related services within the manufacturer’s control, including updates, upgrades or machine-learning algorithms; or
• failure to supply necessary security updates or patches needed to maintain safety and address cybersecurity vulnerabilities.

This is particularly relevant for medical device manufacturers, who must already comply with post-market surveillance and safety-update obligations under the MDR. The Directive strengthens these requirements by attaching civil liability consequences.

4. Expanded categories of liable parties

Art. 8 extends liability beyond manufacturers to:

• importers (where the manufacturer is outside the EU);
• authorised representatives;
• fulfilment service providers; and
• entities that substantially modify a product (e.g. refurbishment, remanufacturing).

Under Art. 12, this may result in joint and several liability among multiple parties.

5. Product liability claims become easier

One of the most significant changes is the alleviation of the burden of proof for injured persons. Under Art. 10:

• defectiveness may be presumed where the product does not comply with mandatory safety requirements (e.g. under the MDR), where the defendant fails to disclose evidence or where there is an obvious malfunction;
• causation may be presumed where the product is established to be defective and the damage is of a kind typically consistent with the defect;
• in cases of technical or scientific complexity (such as claims involving pharmaceuticals, AI-enabled diagnostics or complex medical devices), courts may presume defectiveness or causation where it would be excessively difficult for the claimant to prove these elements.

The defendant has the right – and the need – to rebut these presumptions in order to prevent liability.

This constitutes a substantial shift and may make it easier to bring claims against manufacturers, particularly in cases involving:

• adverse drug reactions;
• AI diagnostic errors;
• medical device malfunctions; and
• failures of connected health devices.

6. Disclosure of evidence

Under Art. 9, courts may order defendants to disclose relevant evidence that is at their disposal. For pharmaceuticals and medical devices, this could include:

• clinical trial data;
• post-market surveillance reports;
• software logs and algorithm documentation; and
• quality-control records.

7. Stricter rules for the development risk defence

The development risk defence (Art. 11(1)(e)) remains available, enabling manufacturers to avoid liability if they prove that the state of scientific and technical knowledge at the time did not allow the defect to be discovered. However, the defence is:

• unavailable where defects arise from failure to supply necessary post-market software updates; and
• subject to stricter scrutiny due to enhanced disclosure obligations.

Member States may derogate from this defence under Art. 18. Under the previous Directive, certain Member States, such as Hungary, adopted such derogations for pharmaceuticals.

8. Larger scope of recoverable damages

Art. 6 defines a broad scope of recoverable damage, including:

• death or personal injury, now explicitly including medically recognised psychological harm;
• damage to property (excluding the defective product itself and property used exclusively for professional purposes), with no minimum threshold; and
• destruction or corruption of personal data, which is particularly relevant for digital health products.

9. Longer limitation period

The limitation period remains, three years from the point at which the claimant becomes aware of the damage, defect and liable party. The long-stop period remains ten years but is extended to 25 years for latent personal injuries, which has particular relevance for pharmaceuticals and certain medical devices.

10. Practical considerations for life sciences companies

Companies should consider the following steps to prepare for compliance with the Directive and to minimise the risk of claims:

1. Audit product portfolios to identify products that will fall within the expanded scope.
2. Strengthen post-market surveillance and software-update processes to ensure timely detection and remediation of safety risks.
3. Enhance documentation and record-keeping for clinical development, manufacturing and post-market activities to prepare for potential disclosure requests.
4. Review supply chain agreements to ensure appropriate allocation of liability among economic operators.
5. Evaluate cybersecurity posture for connected devices and digital health products.
6. Review product liability insurance to ensure it covers expanded exposure, particularly for software- and AI-enabled products.