The New EU Product Liability
The new EU Product Liability Directive fundamentally changes the rules: software is now a product. Data loss is a ground for liability for the first time. And there is no longer a cap on damages.
What has changed?
The previous Product Liability Directive dates from 1985 — a time when software was not an independent product. The new version closes this gap:
- Software is a product. Any software made available on the EU market is subject to product liability — regardless of whether it is embedded in a physical device or distributed independently.
- Data loss as a ground for liability. For the first time, injured parties can claim damages for the loss or corruption of data.
- No more cap on damages. The previous ceiling on compensation claims has been removed. Liability is therefore theoretically unlimited.
- Extended grounds for liability. Liability is no longer limited to the manufacturer: the importer or distributor can also be held liable if the manufacturer cannot be reached.
- Disclosure obligations. Manufacturers can be required to disclose relevant evidence. If they refuse, the court can decide in favour of the claimant.
- Easing of the burden of proof. In certain cases a product defect is presumed if the injured party can show that the pattern of damage is typical of a product defect.
- Cybersecurity is a safety feature. Art. 7(2)(f) expressly lists "safety-related cybersecurity requirements" among the criteria by which the defectiveness of a product is assessed. A product that fails to meet applicable cybersecurity requirements (such as those from the CRA) is therefore deemed defective in a liability case — even if it otherwise functions. Missing security updates, unpatched vulnerabilities, or a neglected supply chain are no longer merely compliance issues but direct indicators of defectiveness.
Interaction with the CRA
The Product Liability Directive and the Cyber Resilience Act complement each other: the CRA defines the safety requirements a product must meet. Product liability kicks in when a product causes damage despite these requirements. A breach of CRA obligations — such as missing security updates or an unmaintained SBOM — can serve as evidence of a product defect within the meaning of product liability.
Legal references
The new Product Liability Directive (Directive (EU) 2024/2853):
- Art. 4 No. 1: Software is a product within the meaning of the Directive
- Art. 6(1)(c): Data loss as compensable damage
- Art. 7(2)(f): Cybersecurity requirements as a criterion of defectiveness
- Art. 8: Liability of the manufacturer for defective products and components
- Art. 9: Disclosure obligation — manufacturers must disclose relevant evidence upon request
- Art. 10: Easing of the burden of proof: in cases of technical complexity, the court may presume the defect
- Art. 11(2): No development risk defence where security updates are missing
- Art. 12: Joint and several liability, no more liability cap
In interaction with the CRA:
- CRA Art. 13(5): Due diligence when integrating open source components
- CRA Annex I Part II No. 1: SBOM obligation to document all components
- CRA Annex I Part II No. 2: Prompt handling and remediation of vulnerabilities
- CRA Art. 13(8): At least 5 years of security support
- CRA Art. 65: Representative actions for consumer protection applicable
Whoever demonstrably fulfils these obligations significantly reduces their liability exposure. Whoever neglects them creates an attack surface for compensation claims.
Implementation in Germany
The new EU Product Liability Directive must be transposed nationally. In Germany, it replaces the existing Product Liability Act (ProdHaftG). Transitional periods apply until full transposition. The specific national arrangements — such as court jurisdiction and procedural rules — will be determined as part of the transposition. Other EU countries have comparable provisions with potentially differing details.
What does this mean for you?
If your company manufactures, imports, or distributes software, you are liable for damages — including data losses. The best defence is documented diligence: a current SBOM, demonstrable vulnerability management, and a complete remediation history show that you take your obligations seriously. Without this evidence, you have no line of defence in a damage case.
Further reading
- Product Liability and OTTRIA in detail
- What is the Cyber Resilience Act?
- D&O liability and the new cyber laws
Download factsheet: Product Liability factsheet (in preparation)
Want to have your liability exposure in the open source domain assessed? Talk to us.