The adoption of the new Product Liability Directive (PLD, Directive 2024/2853) renews product liability rules after several decades and adapts them to the digital age. One important novelty of the new PLD is that it covers liability for the defectiveness of software and AI systems.
The new PLD has already been published and Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with the new PLD by 9 December 2026. The product liability rules under the new PLD shall apply to products placed on the market or put into service after 9 December 2026. (The "old" PLD, i.e. Directive 85/374/EEC is repealed with effect from 9 December 2026; however, it shall continue to apply with regard to products placed on the market or put into service before that date.)
In addition to extending the definition of product, and thus the directive's scope, the new PLD brings a number of other novelties, including the treatment of digital manufacturing files and of digital services integrated into or interconnected with products.
Whereas digital files as such are not products within the scope of this Directive, digital manufacturing files, which contain the functional information necessary to produce a tangible item by enabling the automated control of machinery or tools, such as drills, lathes, mills and 3D printers, should be considered to be products in order to ensure the protection of natural persons in cases where such files are defective. For example, a defective computer-assisted-design file used to create a 3D-printed good that causes harm should give rise to liability under this Directive, where such a file is developed or supplied in the course of a commercial activity. For the avoidance of doubt, it should be clarified that raw materials, such as gas and water, and electricity are products. (Recital 16, emphasis added)
It is becoming increasingly common for digital services to be integrated into, or inter-connected with, a product in such a way that the absence of the service would prevent the product from performing one of its functions. While this Directive should not apply to services as such, it is necessary to extend no-fault liability to such integrated or inter-connected digital services as they determine the safety of the product just as much as physical or digital components. Those related services should be considered components of the product into which they are integrated or with which they are inter-connected where they are within the control of the manufacturer of that product. Examples of related services include the continuous supply of traffic data in a navigation system, a health monitoring service that relies on a physical product’s sensors to track the user’s physical activity or health metrics, a temperature control service that monitors and regulates the temperature of a smart fridge, or a voice-assistant service that allows one or more products to be controlled by using voice commands. Internet access services should not be treated as related services, since they cannot be considered as part of a product within a manufacturer’s control and it would be unreasonable to make manufacturers liable for damage caused by shortcomings in internet access services. Nevertheless, a product that relies on internet access services and fails to maintain safety in the event of a loss of connectivity could be found to be defective under this Directive. (Recital 17, emphasis added)
1. How does cybersecurity become an assessment criterion of defectiveness in the PLD?
As the range of products that contain digital components, or of which digital services form an integral part, grows, cybersecurity becomes a product safety issue: such products are exposed to far greater risks from cyberspace than "traditional" (i.e. non-connected, not "smart") products, for which physical safety plays the decisive role.
The new PLD introduces cybersecurity as an essential component of product safety for products that may also be exposed to cybersecurity threats. According to the Preamble of the new PLD,
[...] A product can also be found to be defective on account of its cybersecurity vulnerability, for example where the product does not fulfil safety-relevant cybersecurity requirements. (Recital 32, emphasis added)
In order to reflect the relevance of product safety and market surveillance legislation for determining the level of safety that a person is entitled to expect, it should be clarified that relevant product safety requirements, including safety-relevant cybersecurity requirements, and interventions by competent authorities, such as issuing product recalls, or by economic operators themselves, should be taken into account in the assessment of defectiveness. Such interventions should, however, not in themselves create a presumption of defectiveness. (Recital 34, emphasis added)
As the Recitals cited above show, cybersecurity appears as a criterion in the assessment of whether a product is defective. According to Article 7 of the new PLD, "a product shall be considered defective where it does not provide the safety that a person is entitled to expect or that is required under Union or national law" (see Art. 7(1) PLD). "In assessing the defectiveness of a product, all circumstances shall be taken into account, including: [...] relevant product safety requirements, including safety-relevant cybersecurity requirements [...]" (Art. 7(2) PLD, emphasis added). Among those circumstances, the fact that the economic operator concerned (e.g. the manufacturer) issued a security update in response to a discovered vulnerability may itself be taken into account, since it may indicate that the product had a cybersecurity vulnerability that needed to be remedied. As Recital 34 notes, however, such an intervention does not in itself create a presumption of defectiveness.
2. What does cybersecurity mean in EU legislation?
The EU concept of cybersecurity is defined in the Cybersecurity Act (Regulation 2019/881). According to this,
cybersecurity means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats. (Art. 2(1) of the Cybersecurity Act)
Cyber threat is defined as "any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons" (Art. 2(8) of the Cybersecurity Act). [The notion of "network and information system" is defined by reference to Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union. That directive (NIS 1) has since been repealed and replaced by Directive 2022/2555 (NIS 2), and references to it are to be read as references to NIS 2.]
3. What are the limits of the liability for cybersecurity?
The Preamble to the new PLD gives some guidance on how cybersecurity requirements are to be assessed where the acts of third parties (other than the potentially liable economic operator) contribute to the cause of the damage (see Recital 55). A typical example is a hacker attack, in which a third party exploits a cybersecurity vulnerability in a product to cause damage. The Preamble makes clear that the defectiveness of a product (i.e. a vulnerability which "makes the product less safe than the public at large is entitled to expect") is not negated by the fact that the defect was exploited by a third party, such as a hacker: "the liability of the economic operator should not be reduced or disallowed as a result of such acts or omissions by a third party" (emphasis added). The conduct of the injured party must nevertheless be examined (e.g. failure to install an important security update made available by the manufacturer), since "[...] where injured persons themselves have negligently contributed to the cause of the damage, [...]", "[...] it should be possible to reduce or disallow the economic operator's liability" (emphasis added).
Further, the Preamble to the new PLD clarifies (see Recital 51) that "the possibility for economic operators to avoid liability by proving that the defectiveness came into being after they placed the product on the market or put it into service should be restricted when a product's defectiveness consists in the lack of software updates or upgrades necessary to address cybersecurity vulnerabilities and maintain the safety of the product". Thus, "[...] manufacturers should also not be exempted from liability for damage caused by their defective products when the defectiveness results from their failure to supply the software security updates or upgrades that are necessary to address those products' vulnerabilities in response to evolving cybersecurity risks" (emphasis added).
A key issue from the perspective of the manufacturer's liability is therefore to monitor the constantly and rapidly changing cybersecurity environment and to provide the updates necessary for the product to operate safely, including long after its release. This is a significant difference from "traditional" products, where the changing technological environment is rarely a criterion that manufacturers must assess and address in terms of liability for product defects, and it needs to be taken into account when designing and monitoring a product's lifecycle. This duty is bounded by the manufacturer's control over the software: "such liability should not apply where the supply or installation of such software is beyond the manufacturer's control, for example where the owner of the product does not install an update or upgrade supplied for the purpose of ensuring or maintaining the level of safety of the product" (Recital 51, emphasis added).
Another important consideration with regard to cybersecurity requirements (but not limited to them) is the so-called development risk defence: "in the interests of a fair apportionment of risk, economic operators should be exempted from liability if they prove that the state of scientific and technical knowledge, determined with reference to the most advanced level of objective knowledge accessible and not to the actual knowledge of the economic operator in question, during the period in which the product was within the manufacturer's control, was such that the existence of the defectiveness could not be discovered" (see Recital 52, emphasis added). In the field of cybersecurity, this may cover a vulnerability or class of attack that was not discoverable at the most advanced level of objective knowledge while the product was within the manufacturer's control, in which case an exemption may apply. The test is objective, however: what matters is the state of the art, not what the manufacturer actually knew, so a vulnerability class that was already publicly documented would not qualify. The bar for manufacturers to be exempted from liability is therefore very high.
4. What does cybersecurity compliance mean in practice?
The new PLD does not itself contain specific cybersecurity requirements (or other specific safety requirements), as this is not the aim or regulatory content of the directive. The requirements for a product, including cybersecurity requirements, are defined in product-specific legislation and, where applicable, standards. Specific cybersecurity rules may be laid down for certain product categories. The main example is the recently adopted and published Cyber Resilience Act (Regulation 2024/2847 on horizontal cybersecurity requirements for products with digital elements), which applies to products with digital elements. [The Cyber Resilience Act, in principle, applies from 11 December 2027; the reporting obligations for actively exploited vulnerabilities and severe incidents in Article 14 apply earlier, from 11 September 2026.]
Product with digital elements means a software or hardware product and its remote data processing* solutions, including software or hardware components being placed on the market separately. (Cyber Resilience Act, Art. 3(1))
(*remote data processing means data processing at a distance for which the software is designed and developed by the manufacturer, or under the responsibility of the manufacturer, and the absence of which would prevent the product with digital elements from performing one of its functions, see Cyber Resilience Act, Art. 3(2)).
The Cyber Resilience Act sets out essential cybersecurity requirements for products with digital elements, compliance with which is a precondition for placing those products on the market. Notably, Annex I requires products with digital elements to be made available on the market without known exploitable vulnerabilities, and it lays down vulnerability handling requirements (including the provision of security updates) that apply during the product's support period. The Cyber Resilience Act also addresses the identification, reporting and remediation of vulnerabilities. The presence of exploitable vulnerabilities, and in particular of actively exploited vulnerabilities in the sense of the Cyber Resilience Act, may therefore be important criteria for assessing whether a product is defective and thus for establishing product liability. The occurrence of security incidents may also be relevant to that assessment.
According to the Cyber Resilience Act,
vulnerability means a weakness, susceptibility or flaw of a product with digital elements that can be exploited by a cyber threat;
exploitable vulnerability means a vulnerability that has the potential to be effectively used by an adversary under practical operational conditions;
actively exploited vulnerability means a vulnerability for which there is reliable evidence that a malicious actor has exploited it in a system without permission of the system owner.
(Cyber Resilience Act, Art. 3(40)-(42)).
Overall, we can see that manufacturers (and, where appropriate, other economic operators) have to meet an increasingly diverse set of requirements for the safety of their products, especially when manufacturing and placing on the market products that may also face threats coming from cyberspace.