Software providers are now liable for defective products

The EU Product Liability Directive is changing. This means stricter requirements for software manufacturers. In the future, you will be liable for defective products, AI errors and inadequate cybersecurity – sometimes without limit. The backgrounds.

“Since the adoption of the Product Liability Directive in 1985, the way in which products are manufactured, sold and operated has changed significantly.” This is how the justification begins in the European Commission's proposal for a new version of the Product Liability Directive (ProdHaftRL) from October 28th 2022.

The previous standard was unable to reflect the challenges of modern technologies such as software, artificial intelligence and cybersecurity. However, in October 2024, the proposed amendment was adopted by the European Council and completely replaces the previously applicable regulation.

Software providers are liable for defective products

One of the most consequential changes: Software providers will in future be more liable for defective products. “The aim of the Product Liability Directive is to create an EU-wide system to compensate people who have suffered physical injury or property damage as a result of defective products,” says the EU.

For the first time, pure software is therefore defined as a product, even though it has no haptic physicality. This has been controversial so far, especially with regard to product liability. Now the official rule is: The manufacturer of a piece of software legally becomes the manufacturer of the future, defective product.

What is also new is that stand-alone software is considered liable. The scope of application has also been expanded overall: In addition to physical products and electricity, the directive now also includes digital construction documents, software-as-a-service and integrated software components.

However, open source software, i.e. free, open-source software, remains exempt from liability under certain conditions. How far this exception extends is currently still being discussed.

Liability exists as long as a manufacturer can exercise control over a product

A product is considered defective if it does not meet legitimate safety expectations. The ProdHaftRL provides new criteria for a corresponding assessment. These include, for example, the ability to learn, cybersecurity or use with other products. In the future, manufacturers will also be liable for damage caused by hacker attacks or manipulation by third parties.

The time frame for liability is also changing: it does not end with the sale of a product. Instead, it remains in place as long as the manufacturer can provide updates and thus continue to exercise control.

However, liability does not stop with the manufacturer. If a company in question is based outside the EU, importers, authorized representatives or fulfillment service providers can also be held accountable. If these are also not available, liability can also be transferred to suppliers and providers of online platforms.

Software providers are also liable for non-material damage

According to the new Product Liability Directive, the claim for damages includes not only all financial losses but also immaterial damages – as long as they are compensable under national law. This now also includes the destruction and damage of data that is not used in a professional context. In addition, psychological impairments are now considered personal injury.

For injured parties, the previous hurdles such as the deductible of 500 euros and the upper liability limit of 85 million euros no longer apply. Manufacturers have unlimited liability from the first euro.

In addition, the burden of proof will be changed in favor of the injured party and possible proceedings will be made easier. If the plaintiff has a plausible reason, manufacturers are obliged to disclose internal documents. If they do not do this, this is an indication that a product is defective.

Manufacturers and other players must therefore prepare for stricter liability requirements overall. In the future, you will have to be even more vigilant and protect yourself more specifically against cyber attacks. You should therefore comply with security standards such as the Cyber ​​Resilience Act (CRA), especially for digital products. It was passed together with the new product liability directive in October 2024.

Also interesting: