
AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

Product Liability Directive (EU) 2024/2853 — No-Fault Liability for Defective Products Including Software and AI

Analysis from 19 April 2026 | 2 sources | Original version (OJ L, 2024/2853, 18.11.2024) | EUR-Lex Original

If our AI-powered product injures someone after a software update, who pays — and can we still rely on the old Product Liability Directive defences?

From 9 December 2026, any manufacturer, importer or even fulfilment service provider placing a product — including standalone software and AI systems — on the EU market faces strict no-fault civil liability with no financial ceiling, and courts can presume both defectiveness and causation where the claimant faces technical complexity [Art. 10(4)].

Short Answer

Directive (EU) 2024/2853 replaces the 1985 Product Liability Directive with a modernised strict-liability regime that explicitly covers software, AI systems, digital manufacturing files and inter-connected digital services as 'products' [Art. 4(1)]. Manufacturers remain liable for defects caused by software updates, missing security patches or machine-learning behaviour that remains within their control after placing the product on the market [Art. 11(2)]. Courts may presume defectiveness where mandatory safety requirements are breached or evidence is withheld, and may presume the causal link where technical complexity makes proof excessively difficult for the claimant [Art. 10(2)–(4)]. Liability cannot be limited or excluded by contract or national law [Art. 15].

Who is affected

Every economic operator placing products — including standalone software, SaaS, AI systems and IoT devices — on the EU market in the course of a commercial activity. This includes manufacturers, importers, authorised representatives, fulfilment service providers and, where no EU-based operator is identifiable, distributors and certain online platforms [Art. 8]. Free and open-source software developed outside a commercial activity is excluded [Art. 2(2)].

Deadline

Member States must transpose the Directive into national law by 9 December 2026 [Art. 22(1)]. The new regime applies to all products placed on the market or put into service after that date [Art. 2(1)]. The first Commission evaluation is due by 9 December 2030 [Art. 20].

Risk

No administrative fines — but no financial ceiling on civil liability either [Art. 15]. Injured natural persons can claim full compensation for death, personal injury (including medically recognised psychological harm), property damage and data destruction or corruption [Art. 6]. Multiple operators are jointly and severally liable [Art. 12(1)]. The 10-year expiry period extends to 25 years for latent personal injuries [Art. 17(2)]. Contractual limitation or exclusion of liability towards injured persons is void [Art. 15].

Proof

Legal status

  • In force
  • as of 2026-04-19
  • Original version (OJ L, 2024/2853, 18.11.2024)

Primary sources

What to do now

Legal / DPO

  • Map the expanded definition of 'product' [Art. 4(1)] against your portfolio: standalone software, SaaS offerings, AI systems and digital manufacturing files now fall within scope — update product liability insurance policies and indemnity clauses accordingly.
  • Review all supply-chain contracts for third-party components and related digital services [Art. 4(3)–(4)]: under joint and several liability [Art. 12(1)] the integrating manufacturer is liable for defective components within its control, so ensure contribution and recourse clauses match the new regime.
  • Prepare for the new evidence disclosure rules [Art. 9]: courts can order you to produce relevant evidence in an easily accessible format, and failure to disclose triggers a rebuttable presumption of defectiveness [Art. 10(2)(a)] — establish document-retention protocols now.

Compliance

  • Audit every product line against the Directive's defectiveness criteria [Art. 7(2)]: cybersecurity vulnerabilities, missing safety updates and post-market learning behaviour of AI systems can each constitute a defect — align your conformity assessment with the new factors.
  • Implement a mandatory software-update and security-patch process for connected products: failure to supply necessary updates is explicitly carved out from the post-market exemption [Art. 11(2)(c)], meaning the manufacturer remains liable even if the defect arose after placing on the market.
  • Document 'substantial modification' thresholds [Art. 4(18)] in your change-management system: any modification that changes a product's purpose, creates a new hazard or increases risk levels triggers new liability and restarts the 10-year expiry period [Art. 17(1)(b)].

IT / Security

  • Ensure products meet all safety-relevant cybersecurity requirements [Art. 7(2)(f)]: a product found to have an exploitable cybersecurity vulnerability can be deemed defective, and third-party exploits do not reduce the operator's liability [Art. 13(1)].
  • Build logging and traceability mechanisms: courts can require evidence to be presented in an easily accessible and understandable format [Art. 9(6)], and the absence of operation-logging required by law triggers a presumption of defectiveness [Art. 10(2)(b)].
  • Establish a post-market security-update lifecycle that covers the entire 10-year expiry period [Art. 17(1)]: the Directive holds manufacturers liable for damage caused by failure to supply security updates within their control [Art. 11(2)(c)], even years after initial market placement.

Product / Engineering

  • Classify all AI-enabled and self-learning product features under the new defectiveness assessment [Art. 7(2)(c)]: post-market learning that produces hazardous behaviour remains the manufacturer's liability, so design safety constraints into ML pipelines from day one.
  • Re-evaluate connected-product architectures for 'related service' dependencies [Art. 4(3)]: if the absence of a digital service prevents the product from performing a function, that service is treated as a component and its defectiveness triggers product liability.
  • Plan product-lifecycle support covering the full 10-year expiry window [Art. 17(1)]: products that lose connectivity or stop receiving updates within that period may be found defective if the lack of maintenance contributed to harm [Art. 11(2)(c)].

Key Terms

Product
All movables, even if integrated into or inter-connected with another movable or immovable; includes electricity, digital manufacturing files, raw materials and software [Art. 4(1)].
Related service
A digital service integrated into or inter-connected with a product such that its absence would prevent the product from performing one or more of its functions [Art. 4(3)].
Substantial modification
A post-market modification of a product that is considered substantial under EU or national product safety rules, or that changes the product's purpose, creates a new hazard or increases its risk level [Art. 4(18)].
Economic operator
A manufacturer, provider of a related service, authorised representative, importer, fulfilment service provider or distributor involved in the product supply chain [Art. 4(15)].
Development risk defence
The defence that the objective state of scientific and technical knowledge at the time of market placement was not such that the defect could be discovered; Member States may derogate from it for specific product categories [Art. 11(1)(e), Art. 18].
Expiry period
The absolute time limit of 10 years (25 years for latent personal injuries) from market placement or putting into service, after which no new liability claims can be initiated [Art. 17].
Fulfilment service provider
A person offering at least two of warehousing, packaging, addressing and dispatching in the course of commercial activity without owning the product, excluding postal and freight services [Art. 4(13)].

Frequently Asked Questions

Does the new Directive apply to software delivered as a service (SaaS)?
Yes. Software is explicitly defined as a 'product' regardless of supply mode — including cloud-based or SaaS delivery [Art. 4(1), Recital 13]. A developer or producer of software, including AI system providers, is treated as a manufacturer.
Is open-source software covered?
Free and open-source software developed or supplied outside the course of a commercial activity is excluded [Art. 2(2)]. However, if FOSS is supplied for a price or in exchange for personal data used beyond security/compatibility purposes, it falls within scope [Recital 14]. A manufacturer integrating FOSS into a commercial product remains fully liable for defects in that software [Recital 15].
Can manufacturers limit liability through contract terms?
No. Member States must ensure that liability cannot be limited or excluded by contractual provision or national law [Art. 15]. Any such clause is void in relation to the injured person.
How long do injured persons have to bring a claim?
The limitation period is 3 years from the date the injured person became aware (or should have become aware) of the damage, defectiveness and the identity of the liable operator [Art. 16(1)]. The absolute expiry period is 10 years from market placement, extended to 25 years for latent personal injuries [Art. 17].
What is the 'development risk defence' and can Member States override it?
An economic operator can avoid liability by proving that the objective state of scientific and technical knowledge at the time of market placement was not such that the defect could be discovered [Art. 11(1)(e)]. However, Member States may derogate from this defence for specific product categories where justified by public interest [Art. 18(2)–(3)].
Who is liable when a product from a non-EU manufacturer causes harm?
Liability cascades to: (1) the importer, (2) the authorised representative, and (3) if neither is established in the EU, the fulfilment service provider [Art. 8(1)(c)]. If no such operator can be identified, the distributor becomes liable — provided the injured person requested identification and the distributor failed to respond within one month [Art. 8(3)].
Does the Directive cover damage from AI systems that learn after deployment?
Yes. The defectiveness assessment explicitly includes 'the effect on the product of any ability to continue to learn or acquire new features after it is placed on the market' [Art. 7(2)(c)]. A manufacturer that designs a product with the ability to develop unexpected behaviour remains liable for harmful outcomes [Recital 32].