The new EU Product Liability Directive 2024/2853 came into force on 8 December 2024 - a big milestone for consumer redress. The new Product Liability Directive aims to modernise the product liability rules and remove obstacles for consumers. It also changes the current product liability risk landscape significantly. What should companies using AI in products, such as a medical app, know about the new product liability rules?
Strict liability regardless of fault
The new Product Liability Directive is relevant to all companies placing products on the EU market. It will replace the existing Product Liability Directive 85/374/EEC from nearly 40 years ago.
It sets out the liability framework for when companies are liable for damage caused by a defect in their product. A product is defective when it does not provide the level of safety that a person is entitled to expect. Importantly, the test remains one of strict liability, meaning that consumers do not have to prove negligence or fault of the company. Product liability only requires that:
- a product was defective
- a person suffered damage
- there was a causal link between the defect in the product and the damage suffered.
Software and AI integrated products fall under the new rules
Whether software constitutes a product within the meaning of product liability law has been controversial until now. The new EU Product Liability Directive intends to close this gap and extend the scope of the new product liability rules. Software and AI-integrated products are therefore explicitly considered a 'product' within the scope of the new directive. This applies both to software that is embedded in another product (eg in a radiotherapy device) or connected to another product (eg digital health monitoring services that use the sensors of a physical product to collect data).
Liability for insufficient software updates or weak cybersecurity protection
The new Product Liability Directive clarifies that manufacturers and providers of digital products such as AI apps can, in the future, also be held liable for damage caused by a faulty software update or weaknesses of the product’s cyber security. Product liability, therefore, extends beyond the time of simply placing the product on the market.
In addition, the definition of defect in the new Product Safety Directive focuses even more strongly on the requirements of product safety law. This will include compliance with the safety requirements of the AI Act. Non-compliance or measures by regulatory authorities due to product safety, such as a product recall, could indicate a product defect.
Adapting the product liability regime to the digital age
The new Product Liability Directive aims to modernise the product liability rules and adapt them to the digital age. Further amendments regarding digital products, therefore, also include that claimants can sue for wider damages including destruction or corruption of data. In addition, the current deductibles and maximum liability limits are removed.
Presuming a product defect in complex cases
A further aim of the new Product Liability Directive is to remove obstacles of consumer redress. The new Directive therefore makes it significantly easier for claimants to bring product liability claims for defective products:
- The new Directive eases the burden of proof for the plaintiff by establishing a presumption of defectiveness and a causal link if:
(i) proof is 'excessively difficult' due to the technical or scientific complexity of the product
(ii) a product defect and/or causality is at least 'likely'. This could be particularly important for AI products, as it will often be difficult for plaintiffs to prove a defect due to the complexity and lack of transparency of how the product works (black box). It will then be up to the company to rebut the presumption.
- Under the new Product Liability Directive, courts can oblige defendants to disclose relevant evidence in their power or disposal if the injured party has made a sufficiently plausible claim for damages. This aims to address potential disadvantages of the injured party regarding access to information on the manufacture and functioning of the product. Importantly, the courts must take measures to protect the defendant's business secrets.
New: withdrawal of the EU plans for an AI liability directive
The European Commission initially proposed an AI Liability Directive in September 2022 as part of a package with the AI Act and the new Product Liability Directive. While the latter two have since been adopted, the legislative process for the AI Liability Directive stalled. On 19 September 2024, the European Parliamentary Research Service last published a study on the draft of the AI Liability Directive and suggested many amendments.
On 11 February 2025, in its final work programme for 2025, the EU Commission added the directive to the list of proposals it intends to withdraw. The reason given is that it sees no foreseeable agreement on the proposal. The Commission will, however, assess whether another proposal should be tabled or another type of approach chosen.
This decision is understandable, as the scope of the new directive would have been limited. However, there were also differences between the directives: Under the new Product Liability Directive, manufacturers or providers of defective AI systems that cause physical harm, property damage or data loss to individuals are liable without fault, if there is a product defect. The draft AI Liability Directive, on the other hand, had covered non-contractual fault-based liability, in case of a breach of a duty of care, for any type of damage (including pure financial losses and non-material damages) and in favour of any type of injured party, including legal entities. After the withdrawal of the AI Liability Directive, it becomes even more important that the new Product Liability Directive also covers software and AI products.
Conclusion and how to prepare in 2025
The new EU Product Liability Directive introduces a more claimant-friendly product liability regime in the EU and reduces legal certainty for businesses. This can have a significant impact on AI medical devices companies as it will make it easier for consumers to bring claims in the EU for defective products. This is particularly the case where there are evidential difficulties caused by complex scientific and technological concepts, as likely with AI products.
The new Product Liability Directive will have to be implemented by Member States by 9 December 2026. The old Product Liability Directive 85/237/EEC will continue to apply to products already on the market by then. Companies should use the time to conduct thorough risk assessments, also with a view to cyber security protection. It will be essential to establish and show regulatory compliance including with the requirements of the AI Act. In addition, companies should review their product liability risk profile, their insurance coverage and existing monitoring and recall systems.
