The European Union has significantly overhauled its product liability regime with a new directive concerning liability for defective products (Product Liability Directive). EU member states have until December 9, 2026, to transpose the Product Liability Directive into local law. From that date, it will apply to all products placed on the market or put into service.
The new regime will have a sizable impact on the risk profile of companies involved at any stage of the product manufacturing supply chain, including, crucially, software developers and providers of AI systems. It is part of the broader push to regulate AI alongside the EU AI Act — which entered into force on August 1, 2024 (see our full series of AI insights here) — and now offers the primary means for recourse for consumers that have suffered harm due to AI systems after the Commission shelved the EU AI Liability Directive.
Why is it Needed?
The current regime was formulated in 1985 and is ill-suited to the digital age, leading to inconsistencies and legal uncertainties as to when no-fault product liability applies. For example, there has been some debate on whether the current definition of product extends to software. The new text also seeks to rectify existing inadequacies by addressing developments in new technologies such as AI and smart products, emerging circular economy business models in which products are recycled or otherwise put back into circulation, and the complexities of global supply chains.
The new directive also seeks to correct obstacles for individuals being awarded compensation, in part because of the challenges in gathering evidence and due to restrictions on making claims.
What Does It Change?
Of note, the Product Liability Directive recognizes that the current definition of in-scope products is outdated, reflects the multifaceted nature of manufacturers and other actors in the supply chains (including online platforms), addresses certain complexities of AI and machine learning, deems companies that make unauthorized substantial modifications to third-party products to be directly liable as a manufacturer, and sets out additional criteria to establish whether a product is defective.
Expanded Definition of Product
In the digital age, products are no longer just tangible items, and software — such as operating systems, firmware, computer programs, applications, and AI systems — increasingly play an important role in product safety. The Product Liability Directive seeks to reflect this reality by expressly extending the definition of product to include software (among other things), whether sold as a standalone product or integrated into other products. The recitals of the new directive are clear that this includes AI systems.
The Product Liability Directive recitals also stress that the expanded definition of product includes integrated and interconnected digital services to the extent that they are within the control of the product manufacturer given that the role they play in determining the safety of the product is on an equal footing with physical or digital components. The Product Liability Directive provides examples of such digital services, including a voice assistant service that allows products to be controllers or temperature control services that regulate the temperature of a smart fridge.
Information itself, however, is not a product, and the content of digital files (including source code) is excluded. In the interests of research and innovation, free and open-source software is also excluded as a product, provided it is developed and supplied outside of commercial activity.
More Potentially Liable Parties
Under the existing regime, the producer or importer is liable for defective products; the supplier is liable if the producer cannot be identified.
The Product Liability Directive introduces an expanded list of potentially liable parties (“economic operators”):
a) Manufacturers, including parties who represent themselves as the manufacturer by, for example, putting their name or trademark on the product — including those of integrated or interconnected components along the supply chain in which the manufacturer of that component has caused it to be defective. Notably for the tech industry, software developers, including AI system providers, are treated as manufacturers.
b) Where the manufacturer is established outside of the EU, importers, authorized representatives, and fulfilment service providers are included.
c) Any person who substantially modifies a product outside of the manufacturer’s control is also included. Substantial modification could be the result of a software update, for example, or the continuous learning of an AI system.
Further, if no economic operator in the EU can be identified, distributors of these products and the online platforms selling them may be held liable in certain circumstances.
Finally, the new Product Liability Directive introduces the possibility of recourse to national compensation schemes if victims are unable to obtain compensation due to the insolvency or disappearance of those responsible.
Redefining Defectiveness and Damage
The current directive defines a product as defective when it doesn’t provide the safety which a person is entitled to expect, taking into account certain criteria such as the use of the product that could reasonably be expected. The new Product Liability Directive — in its quest for a flexible and dynamic assessment of product safety, one adapted to technological innovations and interconnected uses — extends these criteria to include the presentation of the product (including labeling, design, and technical characteristics), interactions with other products, compliance with safety requirements (including cybersecurity), the specific needs of the group of users for whose use the product is intended, and the context of its marketing.
Of relevance for providers of AI systems, the Product Liability Directive confirms that manufacturers remain liable for a product’s ability to continue to learn or acquire new features after the product is placed on the market, including situations in which it develops behavior that causes harm.
It is also clear that a product can be considered defective if it has cybersecurity vulnerabilities that compromise its safety. This includes situations in which the product does not fulfil cybersecurity requirements relevant for safety. Manufacturers cannot be exempted from liability if the defectiveness of a product is due to a lack of necessary software updates or upgrades to address cybersecurity vulnerabilities, provided it is within the manufacturer’s control (for example, where the manufacturer retains the ability to supply software updates or upgrades).
The current definition of damage is extended to expressly include damage to psychological health and, in a nod to the growing importance of intangible assets, the destruction or corruption of data not used for professional purposes.
Other Notable Changes
The Product Liability Directive makes other notable amendments to the existing framework to strengthen consumer protection, including the following:
a) new measures to alleviate a claimant’s burden of proof, including rebuttable presumptions of defectiveness and causality in cases of technical or scientific complexity
b) facilitating claimants’ access to evidence, ensuring national courts can require the disclosure of relevant information if the claimant presents sufficient evidence to support the claim before a national court
c) removal of liability caps and mandating a blanket 10-year limitation period
What is The Impact?
The Product Liability Directive represents a significant step forward in enhancing consumer protection. By addressing the complexities of modern technologies, supply chains, and business models, the Product Liability Directive seeks to improve the framework for liability and enhance fairness and legal certainty for consumers and economic operators.
The Directive’s explicit inclusion of software and AI as products ensures these rapidly evolving technologies are subject to the same liability rules, addressing potential risks associated with their use. Providers of software and AI systems will need to consider how their products could interact with other products and whether their systems will evolve safely over time.
All EU companies will need to assess their supply chains afresh and revisit contractual protections to properly apportion the increased risk profile.
At Goodwin, our teams are experts in European law and new technologies. In particular, they can advise you on the steps you need to take to ensure that your products comply with interconnecting new legislation such as the AI Act and the new provisions of this Product Liability Directive.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- /en/people/j/jay-josephine
Josephine Jay
Associate - /en/people/m/mcatominey-sarah
Sarah McAtominey
Partner - /en/people/s/scott-gretchen
Gretchen Scott
Partner - /en/people/w/watt-genevieve
Genevieve Watt
Counsel
