
Today’s guest post comes from our Reed Smith colleague Jamie Lanphear on a topic near and dear to the Blog’s heart: The new EU Product Liability Directive. As always, our guest posters deserve 100% of the credit, and any blame, for their posts. But, also as usual, our guest posters deliver the goods, so we expect there will be none of the latter to be had. Take it away, Jamie.

*********

While the Blog previously covered the new EU Product Liability Directive (PLD), formally known as Directive (EU) 2024/2853 of the European Parliament and of the Council of 23 October 2024 on liability for defective products and repealing Council Directive 85/374/EEC (Nov. 18, 2024), the prior posts, which can be found here and here, discussed the PLD’s overhaul of product liability law. This post zeroes in on aspects of the Directive related to software, cybersecurity, and digital products.

Passage of the PLD marks a watershed moment for technology companies, software developers, and any business placing digital products on the European market, including medical device companies whose products include software functionality.

Software as a Product: A Paradigm Shift

One of the most significant changes in the new PLD is the explicit inclusion of software—whether embedded, stand-alone, or delivered as a service—within the definition of a “product”:

Products in the digital age can be tangible or intangible. Software, such as operating systems, firmware, computer programs, applications or AI systems, is increasingly common on the market and plays an increasingly important role for product safety. Software is capable of being placed on the market as a standalone product or can subsequently be integrated into other products as a component, and it is capable of causing damage through its execution. In the interest of legal certainty, it should be clarified in this Directive that software is a product for the purposes of applying no-fault liability, irrespective of the mode of its supply or usage, and therefore irrespective of whether the software is stored on a device, accessed through a communication network or cloud technologies, or supplied through a software-as-a-service model. (Emphasis added)

This means that software, firmware, applications, AI systems, and even digital manufacturing files are now subject to the same strict liability regime as traditional physical goods. The Directive also covers integrated and interconnected digital services, such as “a health monitoring service that relies on a physical product’s sensors to track the user’s physical activity or health metrics.”

This expanded scope is intended to reflect the reality that software is now integral to product safety and performance. For companies, this means that, after the date the PLD goes into effect (December 9, 2026), any defect in software, potentially including vulnerabilities or failures in digital services, may trigger liability in the EU if it leads to harm.

Cybersecurity Vulnerabilities as Product Defects

The PLD’s new approach to cybersecurity is closely intertwined with the EU’s broader regulatory framework for digital product security. One important piece of legislation in this area is the EU Cyber Resilience Act (CRA), which, together with the NIS2 Directive and sector-specific rules, sets out mandatory cybersecurity requirements for a wide range of digital products and services.

Mandatory Security Requirements as a Benchmark for Defectiveness: Under the new PLD, non-compliance with “safety-relevant cybersecurity requirements” can form the basis of product defectiveness. For example, the CRA requires manufacturers to implement security-by-design, conduct risk assessments, provide security updates, and ensure secure default configurations for products with digital elements. If a company fails to meet these requirements, and a vulnerability leads to harm, non-compliance with the CRA may, in turn, be used to establish defectiveness under the PLD.

Failure to Provide Security Updates: Both the PLD and the CRA impose ongoing obligations to provide software security updates throughout a product’s lifecycle. Under the PLD, a product is defective if the manufacturer fails to supply necessary updates or patches to address vulnerabilities, provided that supplying such updates is within the manufacturer’s control. The CRA similarly requires manufacturers to monitor for vulnerabilities and issue timely updates. If a cyberattack exploits an unpatched vulnerability and causes injury or property damage, the failure to update may provide the basis for strict liability under the PLD.

Disclosure and Incident Response: The NIS2 Directive and the CRA require companies to have processes for vulnerability management, coordinated disclosure, and incident reporting. The PLD’s new rules on evidence and presumptions mean that if a company cannot demonstrate compliance with these processes, courts may presume defectiveness or causation in favor of the claimant under the PLD—especially in technically complex cases, as we discussed previously.

Burden of Proof and Disclosure: Lowering the Bar for Claimants

The new directive also introduces procedural changes intended to make it easier for claimants to bring and succeed in product liability claims, including those involving software and cybersecurity:

Rebuttable Presumptions: If a claimant faces “excessive difficulties” in proving defectiveness or causation due to technical or scientific complexity (as is often the case with software or AI), courts can presume defectiveness and/or causation if the claimant can show it is likely that the product was defective or that there is a causal link.

Or, in the words of the PLD: “National courts should presume the defectiveness of a product or the causal link between the damage and the defectiveness, or both, where, notwithstanding the defendant’s disclosure of information, it would be excessively difficult for the claimant, in particular due to the technical or scientific complexity of the case, to prove the defectiveness or the causal link, or both.”

Notably, the Directive instructs courts, when evaluating technical or scientific complexity, to consider certain factors, including “the complex nature of the product, such as an innovative medical device; the complex nature of the technology used, such as machine learning; the complex nature of the information and data to be analysed by the claimant; and the complex nature of the causal link.”

Disclosure of Evidence: Courts can require companies to disclose relevant evidence in their possession if the claimant makes a plausible case. Additionally, courts may require that evidence be presented in an easily accessible and easily understandable manner. The Directive explicitly calls out digital products as those embodying the sort of complexity envisioned: “Taking into consideration the complexity of certain types of evidence, for example evidence relating to digital products, it should be possible for national courts to require such evidence to be presented in an easily accessible and easily understandable manner, subject to certain conditions.”

No Liability Waivers: Companies cannot contractually exclude or limit their liability under the Directive, and disclaimers for software defects or security vulnerabilities are not valid: “Member States shall ensure that the liability of an economic operator pursuant to this Directive is not, in relation to the injured person, limited or excluded by a contractual provision or by national law.”

In short, the new EU PLD signals the start of a new era in which software quality, cybersecurity, and ongoing product support are not just best practices—they are legal obligations. Companies placing digital products on the EU market may wish to evaluate their compliance, engineering, and risk management strategies with the Directive in mind.