Are you prepared for the impact of the new EU Product Liability Directive (PLD 2024) on your business?

Directive (EU) 2024/2853 (New PLD)

What is it?
The new EU Product Liability Directive modernises the EU's strict liability regime, ensuring that consumers who suffer damage from a defective product can claim compensation without having to prove the fault, or negligence of the manufacturer. Its primary goal is to adapt liability rules to the digital age, the circular economy, and global value chains.

Who Does It Affect?
The Directive affects a wider range of economic operators than the previous rules, with the core aim of ensuring there is always an EU-based entity that can be held liable.
Liable parties now explicitly include:

• Manufacturers (or "quasi-manufacturers" who brand a product).
• Developers or Producers of Software and AI systems.
• Importers placing a product onto the EU market.
• Authorised Representatives of non-EU manufacturers.
• Fulfilment Service Providers (under subsidiary liability, if no importer or authorised representative exists).
• Online Platforms (in specific circumstances where the platform appears to be the provider).
• Any entity that substantially modifies a product (e.g., through remanufacturing) and places it on the market.

What Counts as a 'Product' and What is 'Defective'?
The scope of what constitutes a 'product' has been significantly broadened.

• Product Definition: Now also explicitly covers software (including operating systems, firmware, applications, and AI systems), digital manufacturing files (e.g., for 3D printing), raw materials, components, and electricity. It also covers related services (integrated digital services necessary for a product to function, like a health monitoring service for a wearable device).
• Defectiveness: A product is defective if it does not provide the safety a person is entitled to expect. Courts must now specifically consider:
  • Cybersecurity requirements and other mandatory safety laws.
  • The effect of the product's ability to learn (e.g., an AI system acquiring new, unforeseen features).
  • The time the manufacturer retains control over the product (e.g., via software updates), extending liability beyond the point of initial sale.

 
When Does It Take Effect?
The new Directive entered into force in December 2024. However, Member States have a period to integrate it into their national laws. The new rules will apply to products placed on the market from 9 December 2026 onwards. Products placed on the market before this date remain subject to the old 1985 Directive.
 
What are the Key Changes that Relate to Injured Parties?
The Directive introduces major changes to lower the burden of proof for claimants, particularly in complex digital or scientific cases.

Damage
Previous Regime (1985 Directive): Physical injury, death, and property damage (subject to a EUR500 threshold).
New PLD (2024/2853): Includes medically recognised psychological damage and the destruction or corruption of data (non-professional use). The EUR500 minimum threshold for property damage is removed.

Burden of Proof
Previous Regime (1985 Directive): Claimant must prove the defect, the damage, and the causal link between them.
New PLD (2024/2853): The new law makes it easier for a person to prove their case in court, even without perfect evidence. The court will now assume the product was defective, or that the defect caused the injury, if:

• The case is so complex (like with advanced AI or tech products) that it's extremely hard for the injured person to find proof.
• The company that made the product refuses to hand over important evidence that the court asked for.

Evidence Disclosure
Previous Regime (1985 Directive): No explicit harmonised right to disclosure.
New PLD (2024/2853): Courts can order the disclosure of relevant evidence from the defendant to the claimant, provided the claim is plausible and the request is necessary and proportionate.

Limitation Period
Previous Regime (1985 Directive): 10 years "long-stop" from when the product was placed on the market.
New PLD (2024/2853): Extends the "long-stop" to 25 years in cases of latent personal injury where the injury only becomes apparent after the standard 10-year period has expired.

What Does It Mean for My Product Business?
This change significantly increases the risk and liability for companies that place products on the EU market, especially those involving software, AI, or advanced technology.

1. Your Burden of Proof is Higher: In a complex case, an injured person no longer has to do all the heavy lifting to prove the defect. The court can assume your product was defective, and you must then provide clear, strong evidence to disprove that assumption.
2. Software is Now a "Product": The new rules explicitly cover standalone software, AI systems, and digital manufacturing files. This means software developers and AI providers now face the same strict liability as makers of physical goods.
3. New Reasons for a Defect: A product can now be considered defective if you fail to provide necessary security updates, if it has a weak cybersecurity defence, or if an AI system's self-learning behaviour leads to harm.
4. Evidence is Crucial: If a court thinks you have relevant internal documents or data, they can order you to disclose that evidence. Refusing to hand it over can lead directly to the court assuming the product was defective.

What Should I Be Doing in Light of These Changes?
You need to shift from a reactive to a proactive approach in how you design, document, and defend your products.

• Product Design

Integrate safety and cybersecurity by design from the very start. Ensure continuous monitoring for your digital products and have a clear, well-tested plan for issuing security updates and patches over the product's entire life cycle.

• Documentation

Establish meticulous, detailed record-keeping for the entire product lifecycle: design choices, risk assessments, testing protocols, software updates, and vulnerability management. You need a clear paper trail to rebut any presumption of defectiveness in court.

• Supply Chain

Review all contracts with suppliers, component manufacturers, and software developers (including cloud service providers). Clearly define who is responsible for software updates, cybersecurity, and providing documentation in the event of a claim.

• Legal Preparedness

Review your document retention policies to ensure you can quickly find and produce relevant evidence if ordered by a court, while still protecting trade secrets. Also, review your insurance coverage to ensure it addresses the expanded scope of liability, including software, AI, and the longer liability period in some cases.

• Compliance
  

Ensure you are compliant with other related EU laws, particularly the AI Act and the Cyber Resilience Act (CRA), as well as the relevant cybersecurity and data protection standards under the Radio Equipment Directive (RED) and the GDPR, as non-compliance with these safety, security, and privacy requirements can be used to argue that your product is defective.

If you need some help to strengthen your Risk Management Strategy and put practical improvements in place, Email me.