The new Product Liability Directive (PLD, Directive 2024/2853) has recently been published in the Official Journal of the European Union, renewing the previous product liability regime established by the old product liability directive adopted in 1985. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with the new PLD by 9 December 2026 and the rules shall apply to products placed on the market or put into service after 9 December 2026.
Among other important changes, one of the key elements of the new PLD is that in the future it will also cover softwares by broadening the definition of product.
The question arises: how will the extended Product Liability Directive be applied to AI systems or AI models (especially that the AI Liability Directive, initiated by the Commission at the same time as the new PLD, has yet to be adopted)?
1. What does it mean that the new PLD also applies to software?
Due to digitalisation, software and software-based products play an increasingly important role in the economy and to meet such changes, the new PLD has been extended to new product categories, including software. According to the new PLD, "product" means
all movables, even if integrated into, or inter-connected with, another movable or an immovable; it includes electricity, digital manufacturing files, raw materials and software. (Art. 4, Point 1, emphasis added)
Products in the digital age can be tangible or intangible. Software, such as operating systems, firmware, computer programs, applications or AI systems, is increasingly common on the market and plays an increasingly important role for product safety. Software is capable of being placed on the market as a standalone product or can subsequently be integrated into other products as a component, and it is capable of causing damage through its execution. In the interest of legal certainty, it should be clarified in this Directive that software is a product for the purposes of applying no-fault liability, irrespective of the mode of its supply or usage, and therefore irrespective of whether the software is stored on a device, accessed through a communication network or cloud technologies, or supplied through a software-as-a-service model. Information is not, however, to be considered a product, and product liability rules should therefore not apply to the content of digital files, such as media files or e-books or the mere source code of software. A developer or producer of software, including AI system providers within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council*, should be treated as a manufacturer. (Recital 13, emphasis added)
(*AI Act)
On the basis of the above, it is clear that software should be considered as a product under the product definition, so product liability rules should also apply to software, regardless of whether it is placed on the market as a separate product or can be incorporated into other products as a component.
2. Which software does the Directive not apply to?
The PLD does not apply to free and open-source software that is developed or supplied outside the course of a commercial activity.
According to the Preamble,
Free and open-source software, whereby the source code is openly shared and users can freely access, use, modify and redistribute the software or modified versions thereof, can contribute to research and innovation on the market. Such software is subject to licences that allow anyone the freedom to run, copy, distribute, study, change and improve the software. [...] (see Recital 14)
It is worth pointing out that the AI Act does not apply to AI systems released under free and open-source licences, unless they are placed on the market or put into service as high-risk AI systems or as an AI system that falls under Article 5 (prohibited AI practices) or 50 (e.g. AI systems intended to interact directly with natural persons; AI systems, including general-purpose AI systems, generating synthetic audio, image, video or text content; emotion recognition system or a biometric categorisation system; AI system that generates or manipulates image, audio or video content constituting a deep fake; see Article 2(12) of the AI Act).
"Software and data, including models, released under a free and open-source licence that allows them to be openly shared and where users can freely access, use, modify and redistribute them or modified versions thereof, can contribute to research and innovation in the market and can provide significant growth opportunities for the Union economy." (see AI Act, Recital 102).
Free and open-source software is not considered to be developed or made available in the course of a commercial activity (see Recital 14) if the free and open-source software
- is provided on open repositories, unless that occurs in the course of a commercial activity,
- is supplied by non-profit organisations, unless such supply occurs in the course of a commercial activity.
"However, where software is supplied in exchange for a price, or for personal data used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity" and the PLD should apply (Rectital 14, emphasis added, *It is worth pointing out that even in the case of "payment with personal data", software may be covered by the rules.)
If such software (free and open-source) "supplied outside the course of a commercial activity is subsequently integrated by a manufacturer as a component into a product in the course of a commercial activity and is thereby placed on the market, it should be possible to hold that manufacturer liable for damage caused by the defectiveness of such software but not the manufacturer of the software" (see Recital 15). This clause is also relevant for manufacturers incorporating AI systems or AI models released under free and open-source licences into their products.
3. What about AI-systems, are they also covered by the Product Liability Directive?
The new PLD also highlights, in Recital 3 of its preamble, that the revision of the previous directive was necessary, inter alia, by the emergence and uptake of new technologies, including AI:
Directive 85/374/EEC has been an effective and important instrument, but it would need to be revised in light of developments related to new technologies, including artificial intelligence (AI), new circular economy business models and new global supply chains, which have led to inconsistencies and legal uncertainty, in particular as regards the meaning of the term ‘product’. Experience gained from applying that Directive has also shown that injured persons face difficulties obtaining compensation due to restrictions on making compensation claims and due to challenges in gathering evidence to prove liability, especially in light of increasing technical and scientific complexity. That includes compensation claims in respect of damage related to new technologies. The revision of that Directive would therefore encourage the roll-out and uptake of such new technologies, including AI, while ensuring that claimants enjoy the same level of protection irrespective of the technology involved and that all businesses benefit from more legal certainty and a level playing field. (emphasis added)
A few recitals later (see Recital 13), the new PLD explicitly mentions AI systems among the different types of software:
[...] Software, such as operating systems, firmware, computer programs, applications or AI systems, is increasingly common on the market and plays an increasingly important role for product safety. [...] (emphasis added)
Thus, based on the above, there can be little doubt that the intention of the legislator also extended to the application of product liability rules to AI-systems.
However, the new PLD does not define the concept of an AI-system, leaving it to the AI Act. According to the AI Act, "AI system" means
a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment, and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. (AI Act, Art. 3, Point 1)
(Please see my previous post concerning the definition of the concept of AI systems in the AI Act here.)
The AI Act also includes the concepts of "general purpose AI model" and "general purpose AI system":
"general-purpose AI model" means an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications, except AI models that are used for research, development or prototyping activities before they are placed on the market;
"general-purpose AI system" means an AI system which is based on a general-purpose AI model and which has the capability to serve a variety of purposes, both for direct use as well as for integration in other AI systems.
The new PLD does not lay down specific rules for AI systems, to which the general product liability rules and, where applicable, certain provisions on software apply. However, one thing is worth highlighting, and that is the "continuous learning" capacity of (certain) AI systems:
[...] Where a substantial modification is made through a software update or upgrade, or due to the continuous learning of an AI system, the substantially modified product should be considered to be made available on the market or put into service at the time that modification is actually made. (Recital 40, emphasis added)
In addition to the above, Recital 32 of the Preamble states:
[...] The effect on a product’s safety of any ability to learn or acquire new features after it is placed on the market or put into service should also be taken into account to reflect the legitimate expectation that a product’s software and underlying algorithms are designed in such a way as to prevent hazardous product behaviour. Consequently, a manufacturer that designs a product with the ability to develop unexpected behaviour should remain liable for behaviour that causes harm. [...] (emphasis added)
The "continuous learning" referred to in the PLD (see Article 7 of the Directive, in relation to the assessment of product defectiveness) or the "acquisition of new features" essentially correspond to the "adaptiveness" element in the definition of AI systems as defined in the AI Act and has an impact on manufacturer´s liability and, where appropriate, whether the conditions for exemption from liability may be met for the manufacturer (since the change as a result of continous learning may constitute a substantial modification of a product). However, it is important that the existence of the capacity for "continuous learning" should be assessed on a case-by-case basis for the AI system concerned, as "adaptiveness" is not necessarily present in all AI systems (the definition under the AI Act sets out that the AI system "may exhibit adaptiveness", i.e. it may have such a characteristic, but this is not an essential conceptual element).
The preamble to the PLD also provides an indication that providers of AI systems under the AI Act should also be considered manufacturers (please see my post about the "roles" defined in the AI Act here).
According to the AI Act, "provider" means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge. (Art. 3 (3) of the AI Act)
Although this is not addressed in the PLD, it is worth mentioning the concept of "downstream providers" of AI systems as set out in the AI Act, which is "a provider of an AI system, including a general-purpose AI system, which integrates an AI model, regardless of whether the AI model is provided by themselves and vertically integrated or provided by another entity based on contractual relations." (Art. 3 (68) of the AI Act. Interesting practical issues may arise concerning the liability of downstream providers for claims initiated under the national rules implementing the new PLD.
In addition to the concept of downstream providers, the concept of "product manufacturers" in the AI Act, i.e. manufacturers of products "placing on the market or putting into service an AI system together with their product and under their own name or trademark", falls within the definition of manufacturer under the PLD. (Of course, in line with the logic of the directive, the liability of other actors in the value chain, e.g. importers, distributors, may be relevant with regard to AI systems as well.)
4. What do the applicability of product liability rules to AI systems mean for actors that qualify as manufacturers of AI systems?
The scope of product liability rules also underscores the importance of product compliance, also in case of AI systems. Compliance with the AI Act, in particular for high-risk AI systems and general-purpose AI models, must be a priority, also form this perspective. Preparation for compliance with the AI Act should therefore include, among others,
- risk assessment related to product liability,
- proper management of product liability risks and
- documentation, which may also play a crucial role if a claim under product liability rules is enforced.
Preparation should also take into account topics such as the integration of free and open-source software (AI model) as a component in the product (since, if such a product is placed on the market, the manufacturer of the product will also be held liable for damages caused by a defect in the open-source software) and the impact of "continuous learning" as a feature of AI systems on product liability .
5. Why is an AI Liability Directive still necessary if AI systems are covered by the new PLD?
The new PLD covers software, including AI systems, however, it does not address many of the issues and potential harms that may easily arise in the case of using AI systems or software more broadly, as the PLD focuses only on product safety issues. (E.g. the PLD does not address situations where discriminatory or other decisions infringing fundamental rights are taken through the use of an AI-system and consequently, damages occur). The basic approach is also different, while the PLD is a strict liability regime for product safety, the draft AI Liability Directive covers fault-based liability. It is no coincidence that the European Parliament's impact assessment on the AI Liability Directive, published in September, recommends extending the AI Liability Directive and transforming it into a more general software liability instrument.
