One of the headline changes introduced by the PLD is to expand the definition of a ‘product’ to include software. Although the PLD has left the definition of software open-ended to account for future technological developments, Recital 13 of the PLD gives operating systems, firmware, computer programs, applications or AI systems as examples of ‘software’. This change is designed to help consumers bring damages claims when something goes wrong with the operation of an AI system.

The new product liability regime comes shortly after the EU AI Act entered into force on 1 August, and further demonstrates the need for organisations intending to deploy or use AI in the EU to understand the evolving regulatory landscape in the area. This is an area we expect to see more developments in as the EU continues in its aim to be the leading force in AI regulation. More developments in this area have already been in the pipeline such as the AI Liability Directive. The impact assessment for the proposed AI Liability Directive was published on 19th September, and is expected to see further development throughout 2025.

While there is a two-year implementation period for member states to transpose the PLD into national law, relevant organisations, particularly technology companies, should conduct a thorough review of EU and national product safety laws to familiarise themselves with the rules that their products will now fall under. A gap analysis should then be conducted to address any areas in which their products may not meet these standards so that these issues can be addressed.

As a lack of software updates leading to injury can now also lead to a claim for compensation, a review to see if any old products have not received required software updates should also be conducted. Manufacturers should also be mindful of and introduce processes for possible disclosure exercises.

Timeframe for implementation

EU member states have until 9 December 2026 to transpose the PLD into national law. The new PLD will replace the existing Product Liability Directive, known as 85/374/EEC, which standardised member states’ product liability laws. The current directive will be repealed with effect from 9 December 2026, however, it shall continue to apply to products placed on the market or put into service before that date.

Although the new directive only applies to products placed on the market or put into operation after the expiration of the implementation period, manufacturers should begin preparing for these significant changes as soon as possible, particularly manufacturers of AI systems.

Expanded scope

Under the PLD, liability falls on a wide range of “economic operators”, which include the manufacturer of the product or component, the provider of a digital service that is integrated into the product, the authorised representative, the importer and any fulfilment service provider – such as warehousing, packaging, parcel delivery services or the distributor. In addition, anyone who significantly modifies a product outside the manufacturer’s control and then makes it available on the market or puts it into operation will be considered a manufacturer. Where two or more are liable for the same damage under the PLD, they can be held liable jointly and severally.

“Making available on the market” includes supplying a product free of charge as well as in return for payment.

Implications for software and AI products

The expanded definition of ‘product’, which brings software, such as AI systems, into the scope of the product liability regime is one of the most important features of the new PLD. It is a significant development for those engaging in the AI space within the region, whether they are developing the technology themselves or importing it from overseas. The fact that software now falls under the same regime that has governed physical products in the EU since 1985 further cements the need for these systems to be developed with safety in mind from the beginning, including concerns such as the safety of user data.

This expansion of the definition of a product is accompanied by an expansion of the concept of a ‘defect’. Most notably, its meaning has been widened to include any issues that arise from software updates. Recital 32 of the PLD states that a product can also be found to be defective due to cybersecurity vulnerabilities, and that manufacturers who design products with the ability to develop unexpected behaviour will remain liable for any damage caused by that behaviour. This is particularly important for developers of AI systems as it means that an AI system acting in an unpredictable manner will not be a defence in the event of any damage being caused.

The principle of strict liability is now extended to digital products as well as material goods. This means that a person can claim compensation from manufacturers of defective products or defective components placed on the EU market or put into service for damages caused by these products.

However, the PLD does not apply to free and open-source software that is developed or supplied outside the course of a commercial activity.

Damages to personal data recoverable

The scope of damages has been extended under the PLD