
The revised Product Liability Directive, software is now a product in law

The EU Product Liability Directive (PLD), first adopted in 1985, is being fundamentally updated to reflect how products are built and deployed today. The key change is straightforward but far-reaching. Software and AI systems are now treated as products for the purpose of liability.

Under the revised directive, consumers can seek compensation for harm caused by defective digital products without having to prove fault. This introduces strict liability for software, aligning it legally with physical goods.

Why does this matter now?

The revised PLD complements the Cyber Resilience Act. While the CRA focuses on security and compliance before and during market placement, the PLD addresses what happens afterwards, when a product fails, is updated, or behaves in unexpected ways.

For software teams, this shifts liability exposure to areas that were previously handled through contract or negligence law. Defects introduced by updates, flawed AI decision-making, and security vulnerabilities that lead to damage can all trigger liability, even in the absence of negligence.

Scope, broader than many expected

The directive applies to a wide range of digital products and systems, including:

  • Embedded software in physical devices
  • Standalone software and applications
  • AI systems making autonomous decisions
  • Products updated via OTA mechanisms
  • Digital services with physical or safety-relevant effects

Software updates are explicitly considered part of the product, not an external modification.

Key legal mechanics

Several elements of the revised PLD are particularly relevant for engineering and compliance teams:

  • Strict liability: claimants must show damage and causality, not fault
  • Expanded damage definitions: these include data loss and certain non-material harms
  • Shared liability: multiple economic operators in the supply chain can be jointly liable
  • Evidence obligations: documentation may need to be retained for up to ten years after market placement

This places new emphasis on traceability, version control, and decision accountability, especially in AI-driven systems.

Open source, not exempt by default

Non-commercial open-source software is excluded in principle. However, once an open-source component is integrated into a commercial product, liability may still attach to the economic operators placing that product on the market.

For teams relying heavily on open-source or community-maintained AI components, documentation, provenance, and update governance become increasingly important.

Practical implications for software teams

Organizations placing digital products on the EU market should already be reassessing:

  • How updates and patches are developed, tested, and documented
  • How responsibilities are contractually divided across the supply chain
  • Exposure to claims related to AI behavior, data integrity, and security failures
  • Insurance coverage and long-term evidence retention strategies

The revised PLD does not change how software is engineered, but it materially changes how its failures are judged.

Assess your liability risks

Stop wondering what's hiding in your code. The CRA and PLD require explicit, provable control over your software. While manual reviews take weeks, our automated CRA Compliance Scan uncovers CVEs, hardcoded passwords, and kernel weaknesses in seconds.

Gevorg Melikdjanjan

Security | Reliability | DataSolutions

Concerned about software liability?

The revised PLD changes how software failures are judged legally. I help organizations understand their exposure and implement the traceability and documentation standards needed to mitigate risk under the new strict liability rules.

The post The revised Product Liability Directive, software is now a product in law appeared first on Logic Technology.

Source: https://logic.nl/knowledge-center/the-revised-product-liability-directive-software-is-now-a-product-in-law/

FHI, federatie van technologiebranches