Whitepaper on the EU AI Act

EU Product Liability Directive 2024/2853: What Software and AI Providers Need to Know Now

The Most Important Key Takeaways at a Glance:
- Software is a Product: Whether it's an app, SaaS, embedded software, or an AI model – digital products now fall fully under strict product liability.
- Deadline December 9, 2026: The Federal Republic of Germany must transpose the directive into national law by this date. From then on, the new liability rules will apply to all newly marketed products.
- Abolition of All Liability Limits: The previous deductible of €500 for property damage as well as the liability cap of €85 million are completely eliminated. Liability is theoretically unlimited.
- Presumption of Defectiveness for Complex Systems: For technically or scientifically complex systems (such as AI), a court may presume the defect, the causal link, or both if the claimant faces excessive difficulties in proving them and shows that the product was likely defective or likely caused the damage. The presumption is rebuttable, but in practice it shifts the burden of proof onto the manufacturer.
- Update Liability: In the future, providers will also be liable if a faulty software update causes damage or if necessary security updates are omitted.
EU Product Liability Directive 2024/2853: New Liability for Software & AI from 2026
The new EU Product Liability Directive (EU) 2024/2853 fundamentally reforms strict liability and classifies software, including Artificial Intelligence (AI) systems, as products. For the tech industry a new era begins: the existing liability limits are eliminated without replacement for products placed on the market from December 9, 2026 onward. In particular, the presumption of defectiveness for complex systems and the expanded liability for updates and cybersecurity shift the risk markedly in favor of consumers. Affected actors should adapt their risk management now so that they remain compliant in conjunction with the AI Act, GDPR, and NIS2. This guide shows the changes coming to businesses and how compliance gaps can be closed in time.
Background and Timeline of the EU Product Liability Directive 2024/2853
The EU's previous product liability directive fundamentally dates back to 1985 – a time when smartphones, cloud solutions, or generative AI were completely unthinkable. Until now, the focus of strict liability was almost exclusively on physical goods. Injured consumers faced extreme difficulty claiming damages for pure software errors.
With the new Directive (EU) 2024/2853 (often referred to as the Product Liability Directive or PLD), which entered into force on December 8, 2024, the EU replaces the nearly 40-year-old framework.
The timeline for implementation:
- September 11, 2025: The German Federal Ministry of Justice (BMJ) has already presented an official draft bill to adapt the German Product Liability Act (ProdHaftG).
- December 9, 2026: Germany must finally transpose the EU requirements into national law by this deadline.
- Important Transitional Regulation: For all products and software versions placed on the market up to and including December 8, 2026, the previous, old ProdHaftG remains applicable. The new, stricter law applies exactly to products that come onto the market on or after December 9, 2026.
Software & AI Are Expressly "Products"
The decisive lever of the reform is the fundamental expansion of the term "product". Under the new law, a "product" is no longer necessarily a physical, tangible object.
The new definition now explicitly covers:
- Software of all kinds: Operating systems, mobile apps, classic embedded software, and stand-alone programs.
- Cloud Services & SaaS: It is legally irrelevant whether the software is stored on a local device or accessed purely virtually from the cloud.
- Artificial Intelligence: AI systems are understood as a subcategory of software and are fully subject to strict product liability.
The only exception: Free and open-source software is excluded from the directive, but only if it is developed or supplied outside the course of a commercial activity. Supplying software in exchange for a price, or for personal data used for purposes other than improving its security, compatibility, or interoperability, counts as a commercial activity. As soon as a company integrates open-source components into a commercial product, the manufacturer of that product is fully liable for it, including for defects originating in the open-source component.
The Three Largest Changes in the New Liability Law
The new law drastically shifts the balance of power between software manufacturers and consumers. These are the three most massive impacts for companies:
1. Abolition of All Liability Limits
Previously, the financial risk for manufacturers was capped: there was a €500 deductible for property damage and a maximum liability limit of €85 million for personal injury. Both limits are eliminated without replacement. As a result, theoretically unlimited claims for damages can be brought by consumers and injured parties in the future.
2. Liability for Data Loss, Updates, and Cybersecurity
The compensable damage is massively expanded. In the future, product liability will also include the loss, destruction, or corruption of data, provided it is not used exclusively for professional purposes. Companies can be held directly liable if damage is caused by insufficient or completely missing software updates, or if flawed cybersecurity protection (e.g., lack of encryption) enables manipulation by hackers.
3. Easing the Burden of Proof for Complex Technology
Since an ordinary consumer cannot look into the "black box" of an algorithm or an AI system, the directive provides a far-reaching presumption of defectiveness. If, due to technical or scientific complexity, the plaintiff faces excessive difficulties in proving the defect or the causal link, it is enough to demonstrate that the product was likely defective or that the defect likely caused the damage; the plaintiff does not have to identify the specific programming error. The court then presumes the defect or causation, and the company must actively rebut that presumption, for example by proving that the system was free of defects.
The Revolution of the Reverse Burden of Proof in AI Systems
The directive exacerbates risk particularly for Artificial Intelligence: The manufacturer is also liable for errors that occur due to the continuous learning and autonomous development of an AI system after its launch on the market.
The reform stands in direct context with the European AI Act. The safety and transparency requirements defined there feed into the civil-law concept of defect: when assessing defectiveness, courts must take into account the relevant product safety requirements, including safety-relevant cybersecurity requirements. If the claimant shows that the AI product does not comply with mandatory safety requirements under EU or national law that are intended to protect against the risk of the damage that occurred, the product is presumed defective. The presumption is rebuttable, but an AI Act violation therefore places the manufacturer in a very weak position in court.
Expanded Scope of Liability: Who Will Be Held Accountable in the Future?
The new directive drastically increases responsibility and expands the circle of potential defendants who must answer for a defective digital product.
In the future, this includes:
- The software developer (also as a subcontractor if their faulty code corrupts the overall system).
- Authorized representatives of the manufacturer and fulfillment service providers.
- Quasi-manufacturers who distribute software under their own name or trademark.
Furthermore, the directive ensures that there is always a liable person within the EU. If the actual software manufacturer is based outside the EU (e.g., in the USA or China), the importer or the EU-based authorized representative is automatically liable for any damages incurred.
Integration into the Compliance Context: AI Act, GDPR, NIS2 & Co.
The Product Liability Directive is part of a complex, interlocking regulatory framework within the EU:
- AI Act: Defines preventative quality and risk standards for AI systems.
- GDPR: Protects personal data. If a software error leads to a data leak, GDPR compensation and product liability apply in parallel.
- NIS2 Directive: Sets statutory minimum cybersecurity obligations for in-scope entities. Neglected cybersecurity duties are not automatically a product defect, but where the software fails mandatory safety-relevant cybersecurity requirements that apply to the product itself, the defect is presumed in a liability lawsuit and the manufacturer must rebut it.
Practical Tip: The interplay of these laws presents a compliance jungle that is hard to navigate for medium-sized businesses. To effectively avoid liability traps, forward-thinking tech companies rely on holistic digital platforms like heyData. heyData bundles the necessary expert knowledge and helps companies centrally manage the status of their data protection, whistleblower, and IT security compliance, transparently close gaps, and maintain the legally required documentation in an audit-ready format.
Practical Steps: What Companies Should Do Now
Manufacturers and distributors of digital products should intensively use the remaining time until the final date of application in December 2026 for:
- Reviewing Documentation Processes: Seamless documentation of training data, algorithm logic, and quality assurance is your central line of defense against the presumption of defectiveness. Note that under the directive a court can order the manufacturer to disclose relevant evidence in its possession, and a failure to disclose itself triggers a presumption of defectiveness; documentation must therefore be complete, retrievable, and fit to be shown to a court.
- Adapting Insurance Coverage: Due to the elimination of the €85 million liability cap, coverage amounts for IT liability and product liability insurance must be urgently reviewed and increased.
- Monitoring and Recall Systems for Software: Establish processes to track security vulnerabilities in the field in real time and roll out over-the-air updates (OTA) in a legally compliant and error-free manner.
- Recourse Agreements with Third-Party Suppliers: Contracts with API providers, cloud providers, and external code suppliers must precisely regulate how the product liability risk is distributed internally in the event of damage. Liability toward the injured person cannot be limited or excluded by contract; what contracts can regulate is the internal recourse between the parties in the supply chain.
Conclusion
The EU Product Liability Directive 2024/2853 ends the era in which software providers could hide behind the argument that "software just has bugs." The separate EU AI Liability Directive that was proposed alongside the AI Act was withdrawn by the European Commission in 2025, so for the time being the reformed Product Liability Directive, together with national tort law, is the central civil liability instrument for AI providers.
For practical purposes, the reform strikes at the heart of a completely new reality: The core statement "A prototype is not software" is no longer just a design opinion from December 2026 onward, but carries direct, existential liability consequences. Especially for the current trend of using AI tools to build unrefined SaaS products in no time and throwing them onto the market unchecked, a new era of legal responsibility begins right now.
FAQ
Do small startups have to follow the same rules as tech giants?
Yes. The Product Liability Directive does not differentiate based on company size. Anyone who commercially brings a defective digital product into the EU market faces unlimited liability for the resulting damages.
What happens if a German law is not yet finally passed by December 2026?
Even if the final German law should be delayed beyond the current draft bill, relying on the delay is risky. A directive has no direct effect in disputes between private parties, but once the implementation deadline of December 9, 2026 has expired, German courts must interpret the existing ProdHaftG and general tort law as far as possible in conformity with the directive, and the state may be liable for damage caused by the failure to transpose it in time. In practice, the new standards will therefore shape court decisions from that date onward.
Does liability also apply to AI systems that are offered for free?
The decisive factor is whether the provision takes place within the framework of a "commercial activity". If a tool is free but serves lead generation, is monetized through advertising, or is meant to promote a paid pro-version, product liability applies fully.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.


