The EU Product Liability Directive is changing. This means stricter requirements for software manufacturers. In the future, they will be liable for defective products, AI errors and inadequate cybersecurity – sometimes without limit. The backgrounds.
“Since the adoption of the Product Liability Directive in 1985, the way products are manufactured, distributed and operated has changed significantly.” This is how it begins Justification in the proposal for a new version of the European Commission’s Product Liability Directive (ProdHaftRL) of October 28, 2022.
The previous standard was unable to reflect the challenges of modern technologies such as software, artificial intelligence and cybersecurity. In October 2024, however, the proposed change was rejected adopted by the European Council and completely replaces the previously applicable regulation.
Software providers are liable for defective products
One of the most consequential changes: Software providers will in future be more liable for defective products. “The aim of the Product Liability Directive is to create an EU-wide system to compensate people who have suffered physical injury or property damage as a result of defective products,” says the EU.
For the first time, pure software is therefore defined as a product, even though it has no haptic physicality. This has been controversial so far, especially with regard to product liability. Now the official rule is: The manufacturer of a piece of software legally becomes the manufacturer of the future, defective product.
What is also new is that stand-alone software is considered liable. The scope of application has also been expanded overall: In addition to physical products and electricity, the directive now also includes digital construction documents, software-as-a-service and integrated software components.
However, open source software, i.e. free, open-source software, remains exempt from liability under certain conditions. How far this exception extends is currently still being discussed.
Liability exists as long as a manufacturer can exercise control over a product
A product is considered defective if it does not meet legitimate safety expectations. The ProdHaftRL provides new criteria for a corresponding assessment. These include, for example, the ability to learn, cybersecurity or use with other products. In the future, manufacturers will also be liable for damage caused by hacker attacks or manipulation by third parties.
The time frame for liability is also changing: it does not end with the sale of a product. Instead, it remains in place as long as the manufacturer can provide updates and thus continue to exercise control.
However, liability does not stop with the manufacturer. If a company in question is based outside the EU, importers, authorized representatives or fulfillment service providers can also be held accountable. If these are also not available, liability can also be transferred to suppliers and providers of online platforms.
Software providers are also liable for non-material damage
According to the new Product Liability Directive, the claim for damages includes not only all financial losses but also immaterial damages – as long as they are compensable under national law. This now also includes the destruction and damage of data that is not used in a professional context. In addition, psychological impairments are now considered personal injury.
For injured parties, the previous hurdles such as the deductible of 500 euros and the maximum liability limit of 85 million euros no longer apply. Manufacturers have unlimited liability from the first euro.
In addition, the burden of proof will be changed in favor of the injured party and possible proceedings will be made easier. If the plaintiff has a plausible reason, manufacturers are obliged to disclose internal documents. If they do not do this, this is an indication that a product is defective.
Manufacturers and other players must therefore prepare for stricter liability requirements overall. In the future, you will have to be even more vigilant and protect yourself more specifically against cyber attacks. Especially for digital products, they should therefore implement security standards such as Cyber Resilience Act (CRA) retain. It was passed together with the new product liability directive in October 2024.
Also interesting:
- Data leak in government software: employees sue the EU Parliament
- By 2028, software developers will be using AI in their work
- New technology: satellites identify plastic waste from space
- Meta, OpenAI and Anthropic sell their AI models to the US military
The post Software providers are now liable for defective products by Beatrice Bode appeared first on BASIC thinking. Follow us too Facebook, Twitter and Instagram.
As a tech industry expert, I believe that holding software providers liable for defective products is a necessary step in ensuring consumer protection and accountability in the industry. Software plays a crucial role in our daily lives, from managing personal data to controlling critical infrastructure, and it is essential that we hold providers responsible for any flaws or defects in their products.
By imposing liability on software providers, we can incentivize them to invest in rigorous testing, quality assurance, and security measures to prevent defects from occurring in the first place. This will ultimately lead to better and more reliable products for consumers, as well as increased trust in the industry as a whole.
However, it is important to strike a balance between holding providers accountable for their products and allowing for innovation and creativity to thrive in the tech industry. We must ensure that liability laws are fair and reasonable, taking into account the complexities and rapid pace of technological advancements.
Overall, I believe that making software providers liable for defective products is a positive step towards ensuring the safety and reliability of technology for consumers. It will ultimately benefit both consumers and the industry as a whole by promoting higher standards of quality and accountability.
Credits