The Era of Wild Innovation Is Over. The EU Has Set New Rules on Digital Product Liability

What the new EU product liability directive means for your business

For nearly four decades, European product liability law was designed for a physical world — think defective toasters, faulty car brakes, or contaminated food. Software, algorithms, and digital services existed in a legal grey zone where consumers had limited recourse and businesses operated with few clear rules.

That era is over. In November 2024, the European Union adopted Directive 2024/2853, a sweeping revision of product liability rules that brings software, AI systems, and digital products squarely under the same strict liability regime that has long governed physical goods. Every EU member state must transpose it into national law by 9 December 2026. If you run a business that develops, distributes, or integrates digital products in Europe, this directly affects you.

Software is now legally a “product”

The single biggest change in the revised directive is deceptively simple: software is now officially a product. This includes standalone applications, embedded firmware, SaaS platforms where the provider retains control, and AI systems of every kind. Under the old 1985 directive, a defective algorithm that caused financial damage or a security flaw in a cloud application existed in a liability no-man’s land. Contract law applied in some cases, general negligence rules in others, but strict product liability almost never did.

Under the new rules, strict liability means a claimant does not need to prove the developer was negligent — only that the software was defective and that the defect caused harm. The definition of “defect” has also expanded. A digital product can be considered defective due to cybersecurity vulnerabilities, failure to provide necessary security updates, or — in the case of machine learning systems — failure to learn correctly from training data.

This has real consequences. The old EUR 500 threshold for property damage claims has been eliminated, meaning even small-value incidents are now actionable. The previous EUR 500 million aggregate liability cap per product type is gone entirely. For small and medium businesses operating on tighter margins, a single overlooked vulnerability or missed patch could trigger claims that were previously too small to pursue or too difficult to win.

Perhaps the most forward-looking provision in the directive addresses a problem that has frustrated regulators and claimants alike: how do you prove an AI system is defective when even its developers cannot fully explain how it reaches decisions?

The directive introduces a rebuttable presumption of defectiveness. When a product’s technical complexity makes it excessively difficult for a claimant to prove a defect or establish causation — a situation almost tailor-made for opaque AI systems — courts can presume the product was defective once the claimant presents a plausible case. The burden then shifts to the manufacturer to prove otherwise.

Courts can also order companies to disclose relevant technical evidence. Refuse, and the court may simply presume defectiveness. For businesses developing or deploying AI, the practical takeaway is clear: explainability and logging are no longer just best practices or ethical aspirations. They are legal necessities. If your system causes harm and you cannot explain why, European courts now have the tools to hold you liable anyway.

This provision works in tandem with the EU AI Act (Regulation 2024/1689), which establishes risk-based obligations for AI systems. While compliance with the AI Act does not create a liability safe harbour, it can serve as evidence against a presumption of defectiveness — giving companies a strong incentive to align with both regulatory frameworks.

Who bears responsibility in the supply chain

The directive also tackles a problem familiar to anyone who has tried to resolve a complaint about a product purchased from a non-EU seller through an online marketplace. Under the old rules, if no EU-based manufacturer or importer could be identified, the consumer was often left without a viable claim.

Now, online marketplaces and fulfilment service providers can be treated as the liable party when no EU-based economic operator stands behind the product. This shifts significant risk onto platforms and onto European businesses that distribute or integrate third-party components from outside the EU.

For SMBs, this means supply chain due diligence is more important than ever. If you integrate third-party software components — including open-source libraries — into a commercial product, you bear liability for defects in the final product. The directive does carve out genuinely non-commercial open-source contributions, but the moment that code enters a commercial offering, the business selling it owns the risk.

According to the European Commission’s impact assessment, only about 6% of consumers who suffered harm from defective products previously sought compensation, and success rates were low. The revised burden-of-proof provisions are projected to increase successful claims by 20 to 30 percent — a figure that should concentrate attention on quality assurance and testing processes.

Practical steps for European SMBs

With the December 2026 transposition deadline approaching, businesses should be acting now rather than waiting for national implementing legislation to crystallise. Several measures deserve immediate attention.

Review your quality assurance and update policies

The directive creates ongoing liability for products that become defective after sale due to missing security patches or software updates. A “ship and forget” approach to software is no longer viable. Document your update policies, maintain patch schedules, and keep records of known vulnerabilities and your response timelines.

Invest in documentation and traceability

Detailed records of design decisions, risk assessments, testing protocols, and AI training processes serve as your primary defence against liability claims. Given the shifted burden of proof for technically complex products, the ability to demonstrate due diligence is not optional.

Audit your insurance coverage

Traditional product liability policies were written for physical goods. Many do not adequately cover software defects, AI-related incidents, or data corruption — all of which now fall within the directive’s compensation scope. Review your coverage with your insurer and adjust before claims materialise, not after.

Map your supply chain

Identify every third-party component in your digital products, assess whether EU-based economic operators stand behind them, and evaluate the contractual protections you have in place. Where gaps exist, address them through supplier agreements or by sourcing alternatives.

The end of the grey zone

The revised Product Liability Directive is not an isolated regulation. It sits alongside the AI Act, the Cyber Resilience Act, and the broader Digital Single Market strategy as part of a comprehensive effort to bring the EU’s legal framework into alignment with the digital economy — an economy that now accounts for over 15% of EU GDP.

For European SMBs, the message is straightforward. The informal immunity that software and digital services enjoyed under the old liability rules is gone. The businesses that adapt early — by strengthening their QA processes, documenting their decisions, and understanding their supply chains — will be best positioned to thrive under the new regime. Those that treat December 2026 as someone else’s problem may find that the first claim lands before they are ready for it.
