"Software as a product" - What does the revised EU Product Liability Directive mean for automotive manufacturers? | TWheel

1. Is "software" as a product subject to the provisions of the revised EU Product Liability Directive?

Digital technologies are playing an increasingly important role in modern products and therefore bring with them new risks and liability potential. The revised EU Product Liability Directive 2024/2853, which came into force in December 2024, makes it easier for consumers to bring forward product liability claims and extends its scope of application - now also explicitly - to software and AI-based products. It also eases the burden of proof and provides for the “disclosure of evidence”.

The definition of software also includes integrated or connected digital services, which have played an increasingly important role in the automotive industry in recent years. According to the revised Product Liability Directive, examples of this include the continuous provision of traffic data in navigation systems or voice assistants.

2. What are the liability risks for car manufacturers under the revised EU Product Liability Directive for software products?

The revised Product Liability Directive is a turning point for liability in the automotive industry.

Pursuant to the directive, companies are liable for defective products that they manufacture or sell in the EU. A product is deemed to be defective if it does not offer the safety that can reasonably be expected. Product liability means strict no fault liability. It is therefore sufficient to prove that (i) a product was defective, (ii) a person has suffered damage as a result and (iii) there is a causal link between the product defect and the damage suffered. Negligent or even intentional behaviour on the part of the entrepreneur is not required.

Car manufacturers are liable (alongside the software manufacturer) for faulty software (such as integrated or connected digital services) if it is under the control of the car manufacturer. Pursuant to the revised Product Liability Directive, the manufacturer is no longer only liable until the product is placed on the market, but also beyond that point until the product leaves the "control of the manufacturer”. Liability therefore covers both the original software and any subsequent updates or upgrades.

Car manufacturers are therefore responsible for any errors or security vulnerabilities in their digital products beyond the time they are placed on the market. The ability of digital products to learn or acquire new functions must also be taken into account.

From now on, cyber security also means product safety.

3. What are the implications for the burden of proof in the event of a dispute? Does the manufacturer now have a duty to disclose evidence?

The revised Product Liability Directive provides for a lighter burden of proof for the plaintiff and the disclosure of evidence:

• Defectiveness and causality are presumed if (i) proof is “excessively difficult” due to the technical or scientific complexity of the product and (ii) a product defect and/or a causal link between product defect and damage is at least "probable".
• At the request of the plaintiff, defendant companies can be obliged to “disclose” relevant evidence if the plaintiff has made a claim for damages sufficiently plausible.

4. What else do car manufacturers need to know about "Liability for software"?

The technologization of vehicles not only plays a role in the context of the product liability regime, but also affects other legal aspects:

• Defective software products and services trigger warranty claims under digital warranty law in accordance with the provisions of the German Civil Code (BGB). This includes, among other things, manufacturers' warranty update obligations, which apply over the typical useful lifespan of the product. There no longer are fixed warranty periods (e.g. 24 months).
• From a regulatory perspective, vehicle manufacturers must comply with the international regulations UN ECE R-155 (cybersecurity of vehicles) and UN ECE R-156 (requirements for a vehicle software update management system) in order to obtain type approval. This includes, among other things, the implementation of a comprehensive vehicle cybersecurity management system. If new software, an update or an upgrade is subsequently introduced into the vehicle, this can have an impact on the existing cybersecurity system and therefore on the current type approval.
• Depending on the product / function, car manufacturers may also have to comply with additional IT security requirements, including the NIS-2 Regulation and its national implementation laws as well as the Cyber Resilience Act (CRA).
• If AI is used, the relevant regulations for the use of AI in the regulated vehicle environment (in future in Regulations 2018/858 and 2018/2144, among others) and the AI Regulation apply in addition, provided that these are not regulated products or functions.
• Finally: Collective redress in the EU has been enriched by a mass action vehicle due to the EU Directive on representative actions. Germany implemented the representative actions directive into national law at the end of 2023, meaning that redress actions (actions for direct payment to consumers) can now be brought forward. With regard to its scope of application, the EU representative actions directive expressly refers to product liability cases.

5. What should car manufacturers do?

The revised Product Liability Directive must be implemented into national law in the EU member states by 9 December 2026. In order to minimise their liability risk and protect their business in an increasingly plaintiff-friendly product liability system, it is essential for car manufacturers to review their existing systems, processes and contracts now. To be reviewed are:

1. The in-house compliance system to ensure that robust systems are in place. Regulatory changes to the cyber security system must also be taken into account.
2. The product liability risk profile in relation to the extended product definition.
3. Development and documentation processes against the background of the impending burden of proof and disclosure obligations, including software update protocols.
4. Existing monitoring and recall systems.
5. Cybersecurity risk assessment and compliance with data and cybersecurity standards and laws to ensure that mandatory and industry-specific requirements are met.
6. Scope of the insurance cover.
7. Supply contracts with regard to the distribution of product liability risk.