What software makers need to know about the new EU directive

Tricentis testing solutions

Learn how to supercharge your quality engineering journey with our advanced testing solutions.

Author:

Ben Simo

Principal Product Researcher (AI)

Date: Feb. 18, 2025

A recent update to the European Union’s Product Liability Directive (PLD) redefines safety-related responsibilities and risks for software producers.

The new directive becomes enforceable in December 2026 and is designed to strengthen consumer protection in a society that is increasingly dependent on software. The directive is focused on safeguarding individuals and therefore only applies to safety-related defects that harm individuals. It does not apply to defects in fitness for use that do not compromise safety and does not cover harm to property that is exclusively used for professional purposes.

Key impacts on software producers

1. Expanded liability

  • No-fault liability: The new PLD imposes no-fault liability for commercial software producers in cases of safety-related defects. This covers personal injury, property damage, and material losses. This liability applies to software sold or put into service in the EU regardless of how the software is delivered – whether embedded in hardware, offered as a cloud service, or installed on a consumer’s device. While injured parties must prove harm and a causal link to a defect, they do not need to demonstrate negligence or misconduct by the producer.
  • Post-release changes: Liability extends to defects that arise after a product’s release, including those caused by authorized updates, machine learning, or failure to provide necessary safety updates. This includes foreseeable risks tied to design and unsafe behaviors emerging from AI learning. For example, an AI system that adapts to user behavior might introduce new unsafe behavior as it learns and makes decisions that prioritize convenience over safety.
  • Responsibility for third-party integrations: Software producers may also be liable for safety defects in integrated third-party components. Producers may be able to reduce this risk through careful selection and maintenance of third-party integrations, and through negotiation of indemnity clauses with component providers.
  • Manufacturing files: Producers of digital instructions that guide automated production of physical goods are also subject to no-fault liability under the updated PLD.

2. Additional responsibilities

  • Un-waivable accountability: Producers cannot limit liability for defective products through terms of use, purchase agreements, or similar contracts. Consumer protections established by the PLD override any conflicting provisions in such agreements.
  • Psychological harm: The directive recognizes medically acknowledged psychological harm as compensable when it is directly caused by a defective product and requires therapy or medical treatment. For example, if a fitness tracker inaccurately reports abnormal health metrics or a financial app provides incorrect account information, a user may develop severe anxiety about their health or finances. If this anxiety necessitates therapy, the software producer could be required to compensate the user for related medical expenses and lost income.
  • Data loss: The PLD expands compensable damages to include destruction or corruption of non-professional data. For example, if a defective software update causes a consumer’s personal photos or documents to be permanently deleted, the producer may be held liable for the resulting harm.

3. Limitations to liability

  • Efficacy-related defects: The PLD does not cover defects related to a product’s fitness for use unless they compromise safety. If software fails to perform its intended function but does not create a safety risk, any claims against its producer must be addressed under warranty provisions or other applicable legal frameworks, not the PLD.
  • Professional use: The PLD excludes damages to property used solely for professional purposes and corporate economic losses, such as lost profits or reputational harm. However, it covers harm to individuals, such as lost income from personal injury, private property damage, and non-professional data loss.
  • Time: Liability is capped at 10 years from the date a product is placed on the market, or 25 years for personal injury cases with slowly emerging symptoms. If a product undergoes significant changes in performance, purpose, or safety, the liability period restarts (but routine updates do not). The PLD applies only to products placed on the market after Dec. 9, 2026.
  • Third-party actions: Producers are not liable for defects caused by unauthorized modifications or harm resulting from a consumer’s failure to install safety-critical updates.
  • Open-source software: Free and open-source software is exempt unless it is used in a commercial product. Producers who integrate open-source components into a commercial product are liable for defects in those components.
  • Unforeseeable use: Liability applies only to reasonably foreseeable use and misuse. Harm resulting from unforeseeable use is excluded from liability.
  • Undiscoverable defects: Producers may avoid liability if they prove that the defect could not have been discovered given the state of scientific and technical knowledge at the time the product was placed on the market. Member states may exclude this defense for specific product types in the public interest.
  • Disclosure risk: Producers may be required to disclose confidential information about their products and processes to demonstrate compliance with safety obligations. Refusal to disclose this information may lead to a presumption of defectiveness.

Steps to help minimize liability risks

  1. Prioritize safety
    • Recognize that an effective product is not necessarily a safe product.
    • Implement continuous safety-focused risk assessments and testing throughout the product lifecycle.
  2. Anticipate potential use and misuse
    • Design software to perform safely under all foreseeable use and misuse scenarios, including those involving user negligence or ignorance.
    • Engage a diverse group of people and perspectives throughout development to identify risks that may go unnoticed by less diverse teams.
  3. Conduct frequent risk assessments
    • Continuously evaluate, reprioritize, and mitigate uncovered safety risks throughout the product lifecycle.
    • Perform safety-focused risk analysis and exploratory testing to help uncover new and emerging threats.
  4. Assess third-party components and relationships
    • Evaluate safety risks resulting from interactions between interconnected systems and third-party components.
    • Conduct thorough integration testing to detect weaknesses that could compromise safety.
    • Carefully manage third-party components and relationships with robust oversight. Establish clear contractual agreements that define responsibilities to ensure compliance with safety expectations.
  5. Monitor learning systems
    • Continuously test and monitor artificial intelligence (AI) systems to detect and correct unsafe behaviors emerging from learning processes.
    • Define safeguards to prevent, and benchmarks to detect, degradation in safety.
    • Develop rapid-response protocols to restore systems to a safe state if safety is compromised.
  6. Provide robust updates
    • Develop patches and upgrades focused on improving safety while minimizing the risk of introducing new vulnerabilities.
    • Maintain oversight of third-party updates and integrations and establish protocols for collaboration in upholding product safety.
  7. Strengthen cybersecurity
    • Address cybersecurity vulnerabilities proactively, especially in high-risk environments.
    • Implement timely updates to counter emerging threats and reduce the risk of harm.
    • Educate users on the importance of updates and document efforts to ensure widespread adoption.
  8. Prepare for potential disclosure
    • Document the measures taken to help ensure safety.
    • Organize technical information in ways that enable demonstrating compliance with safety obligations without unnecessarily disclosing trade secrets.
  9. Test continuously, for safety
    • Go beyond functional testing to assess threats to safety throughout the product lifecycle.
    • Conduct safety-related regression testing and benchmarking to detect the introduction of unsafe behavior over time.
    • Perform interactive problem-seeking exploratory testing to uncover previously unknown safety issues.
    • Continuous testing can provide critical insights that empower software producers to make informed responsible decisions about risk.

The time to prepare is now

The updated EU Product Liability Directive introduces significant changes for software producers, emphasizing safety and accountability in the face of increasingly complex software systems. Testing plays a critical role in identifying safety threats, guiding informed decisions, and adapting to evolving challenges. While testing for every foreseeable use and misuse scenario may not be feasible, software producers can continuously reassess and reprioritize risks based on current knowledge and emerging threats as their products and contexts evolve.

Continuous testing, safety monitoring, and proactive cybersecurity measures are critical to reducing liability risks. The time leading up to December 2026 provides a crucial window to align processes and products with the directive’s requirements, minimizing exposure to potential liabilities.


Disclaimer: The above includes a general summary of the updated EU Product Liability Directive (PLD) with a focus on its implications for software producers. It is intended for informational purposes only and does not constitute legal advice. Readers are encouraged to consult their own legal counsel to understand how the PLD may apply to their specific circumstances.
