Mourant

Liability for software under the new European Product Liability Directive

Wednesday 30 April 2025

Christina Kiefer
reuschlaw, Saarbrücken
christina.kiefer@reuschlaw.de

Laure Herlitz
reuschlaw, Berlin
laura.herlitz@reuschlaw.de

The Council of the European Communities adopted a Directive on liability for defective products (85/374/EEC).[1] This regulatory framework, commonly known as the Product Liability Directive (‘PLD 1985’), has been harmonising the requirements for liability for defective products within the EU for 39 years, since its publication in the Official Journal of the European Union on 7 August 1985.

The technological advances over the last four decades have pushed the old product liability system to its limits. To ensure consistency with product safety legislation within the EU and to take account of the case law from the Court of Justice of the European Union (CJEU), the European legislator has adopted a new Directive on liability for defective products (2024/2853)[2] (‘PLD 2024’), which has to be transposed into the national law of the EU Member States by 9 December 2026 at the latest. PLD 2024 will lead to a massive increase in liability, so it is essential that companies are aware of the changes and prepare accordingly and in good time.

The regulation of software under PLD 1985

PLD 1985 was brief in its definition of the term ‘product’ and included all movable objects, with a few exceptions.

With the increasing digitisation of products, there was much debate as to whether software was covered by PLD 1985. This was undisputed in the case of embedded software integrated into a movable object. The question of liability for standalone software was more difficult. While some stakeholders wanted to affirm this in light of changes in technology and the product industry and in regard to the purpose of PLD 1985, others insisted on the wording of the legal definition, which explicitly referred only to movables as tangible objects.  

Liability for software under PLD 2024

Software as a ‘product’

The EU legislator has now left no room for dispute regarding the classification of software as a product and has explicitly included software in the new definition of products in Article 4 PLD 2024. Thus, any software that is placed on the market or put into service, whether standalone or in combination with another product, will be subject to the liability regime set out in PLD 2024.

The only exception is open-source software, which is excluded from the scope of application if it is not provided in the course of a business activity (Article 2 (2) PLD 2024). A chargeable service or a service in exchange for personal data revives the product character of open-source software and, thus, the applicability of PLD 2024 (recital (14)).

Liability requirements for defective software

The basic triad of requirements for liability for damage caused by defective products has not changed under PLD 2024. As in PLD 1985, the following requirements must be met:

  • requirements related to a defective product;
  • requirements related to damage suffered by a person; and
  • requirements related to a causal link between the defective product and the damage sustained.

Defective software

For the determination of the defect, reference is made to Article 7 PLD 2024. This article establishes the principle that a product is considered defective if it does not provide the level of safety required by national or EU legislation or which an average person may expect when using the product.

Software manufacturers should be aware that the fact that the software is free of defects when it is placed on the market does not exempt them from liability. Rather, as long as they have the ability to ensure that their software is free of defects and cybersecure by means of software updates or software upgrades, they have an obligation to do so (see recitals (19), (50) and (52) PLD 2024). This is because software may remain under the control of the manufacturer even after it has been placed on the market. The same applies to the software of a related service (eg, smart home systems). A software update does not mean that the older version of the software was defective.

Damage suffered by a person

The concept of damage, as regulated in Article 6 PLD 2024, has been extended. In addition to the existing liability for damage, such as death or personal injury, and damage to or destruction of property other than the defective product itself, the concept of damage has been broadened. According to Article 6 (1) lit c PLD 2024, the destruction of or damage to data is also to be regarded as damage if it is not used for professional purposes, which is of great importance in the context of software liability.

Causal link between the defective product and the damage sustained

The damage suffered must be directly related to the defective product, ie, there must be a causal link. This is presumed, in accordance with Article 10 (3) PLD 2024, if the product is defective and the damage is a typical consequence of that defect.

Recoverable loss

The pecuniary loss is compensated. What is new and particularly relevant regarding defective software and the associated damage in the form of data corruption or destruction is that under PLD 2024 not only material, but also immaterial damage can be compensated. Immaterial losses will be covered if the legislation in the relevant EU Member State provides for compensation for this form of damage (Article 6 (2) PLD 2024). This is another important extension of liability for software.

Another relevant change in PLD 2024 concerns the maximum amount of compensation applicable in such circumstances. PLD 1985 allowed Member States to set a limit for the maximum compensation possible. The German product liability law, for example, provided for a maximum liability of €85m. However, under PLD 2024, there is now no maximum liability threshold in regard to the compensation amount.

Defendant, exonerating evidence, exclusions and deadlines

The claim must be directed against the liable economic operators, as per Article 8 PLD 2024. This is usually the manufacturer of the defective product. If the manufacturer is not established in the EU, a separate claim along the supply chain applies. In the first instance, the importer of the product is liable. If no claim can be made against the importer either, the operator of the online shop is held liable if the conditions of Article 8 (4) PLD 2024 are met. The aim is that there should always be one economic operator in the supply chain who can be held liable for the damage caused by the defective product. If several economic operators are held liable, they are jointly and severally liable (Article 12 (1) PLD 2024).

It should be noted that the liability under PLD 2024 is no-fault liability (strict liability). This means that the injured person does not have to prove negligence or intent on the part of the manufacturer regarding the cause of the defectiveness of the product. In order to counterbalance the sharp sword of strict liability, the EU legislator has established that the injured person bears the burden of proof for the defectiveness of the product, the damage suffered and the causal connection between the defectiveness and the damage. When an injured person brings an action and presents a plausible case before a national court, the economic operator against whom the action is brought is obliged to disclose the facts necessary for the presentation of evidence, while respecting their interest in confidentiality. In turn, the claimant must also provide the economic operator with all the relevant information to enable the latter to defend itself against the claim for damages (Article 9(2) PLD 2024). Particularly in the case of liability claims in the software sector, the complexity of the matter means that the presumption rule is likely to be applied in most cases. As a result, it should be a high priority for software manufacturers to maintain a well-developed compliance system. In order to strike a balance between the presumption of product defect and the causal link between the damage and the product defect, companies will have the opportunity to provide evidence of exoneration for each presumption and, thus, not be subject to liability under PLD 2024.

There are some exceptions for small and micro-sized enterprises. For example, Article 12 (2) PLD 2024 allows small and micro-sized enterprises to contractually exclude liability for recourse claims in favour of the manufacturer of the product into which the software is integrated. The European Commission wants to use the liability privilege to create incentives for innovation by small and micro-sized enterprises (recital (54)). The manufacturer of the product into which the software is integrated will then be solely liable.

The limitation period for claims arising from software liability is, as for all other products, three years from the cumulative knowledge of: the damage, the defect and the identity of the liable economic operator. The limitation period is 10 years in general and 25 years for latent defects.

Conclusion and recommended action

The revision of PLD 1985 and its adaptation to the state of the art was urgently needed and long overdue. The extension of the definition of product to include software reflects the reality of the digital age, in which software is an integral part of a huge variety of products, but also of the risks associated with them.

The revision of the EU Product Liability Directive has further increased the importance of compliance systems. It is not only the broadening of the definition of product that leads to an expansion of liability for manufacturers: the risk of manufacturers being exposed to product liability under EU product liability law increases due to the broadening of the concept of defects to include inadequate cybersecurity, the broadening of the relevant damages to include loss or corruption of data and the broadening of compensable damages to include non-pecuniary damages. The expansion of the EU product safety regulatory framework, both in terms of general product safety law and specific legislation, such as the Cyber Resilience Act or the Artificial Intelligence Act, also leads to an expansion of liability and new liability traps. Both manufacturers and all economic operators in the supply chain should be aware of the new requirements and new liability risks and should already be implementing appropriate compliance processes. Software manufacturers are advised to put in place comprehensive infrastructure that enables them to provide evidence that relieves them of liability in the event of liability claims.

 

[1] Council Directive on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (85/374/EEC).

[2] Directive of the European Parliament and of the Council on liability for defective products and repealing Council Directive 85/374/EEC (2024/2853/EU).