16 September 2025
IAA 2025 may be over, but the legal changes are just beginning: The draft bill to modernise product liability law translates the vehicle's digital transformation into a stricter liability regime for manufacturers and suppliers. In future, not only will software and AI systems be subject to product liability, but manufacturers will also be responsible for cybersecurity throughout the entire product life cycle. New rules of evidence under product liability law and the requirements of the Cyber Resilience Act for the supply chain pose additional challenges. Our article analyses the key areas of heightened risk and derives strategic recommendations for action.
IAA 2025 has impressively demonstrated that value creation in automotive engineering is relentlessly shifting from hardware to software. This technological vision, however, confronts a stark reality: cybersecurity vulnerabilities. The new situation report, "Cybersecurity in Road Traffic 2025," from the German Federal Office for Information Security (BSI) paints a clear picture of the threat landscape: successful attacks on infotainment systems, remote control of vehicle functions, and massive data breaches in backend systems are no longer theoretical scenarios but documented facts.
Until now, the legal classification of such cyber incidents has often been a grey area. The draft of the new Product Liability Act makes it clear: technological risks identified by the BSI will henceforth lead directly to product liability claims. The IAA showcases innovation, the BSI report highlights the risks, and the draft legislation outlines the consequences. Cybersecurity now also means product safety.
For OEMs and suppliers, the draft law presents three key areas of heightened risk that demand immediate reassessment:
Perhaps the most fundamental change is the explicit inclusion of software and AI systems within the legal definition of a 'product' (Section 2, ProdHaftG-E).
The Consequence: Every software component—from the firmware of a control unit to the AI algorithm of a driver-assistance system—is now an independently liable product. A programming error or security vulnerability can directly result in a product defect. The hack described in the BSI report, where a vehicle was compromised via its Bluetooth interface, would be a textbook case of a software defect that could give rise to liability. Crucially, liability falls not only on the OEM as the manufacturer of the final vehicle but also explicitly on the manufacturer of a defective component (Section 4, ProdHaftG-E)—that is, the supplier.
The upcoming law breaks with the previous principle that the question of whether a product is safe is based on the time it was placed on the market. As long as a manufacturer retains "control" over the product, for example through software updates, its product liability extends beyond the date of placing on the market (Sections 8, 9 ProdHaftG-E). And that is where other laws come into play: While the vehicle as a whole is exempt from the Cyber Resilience Act (CRA) due to UNECE R 155, the CRA has a significant impact on the supply chain: numerous digital components are directly subject to its stringent requirements. These include, among others, control units (ECUs), aftermarket telematics systems, third-party firmware, and cloud or backend services. These regulatory obligations also have an impact on civil liability: a component that fails to meet the CRA's requirements for effective vulnerability management – typically for a support period of at least five years – can hardly be considered non-defective in the event of a claim.
The Consequence: Manufacturers are not only liable for faulty updates regardless of fault, but also for omitted security updates in particular. The BSI's statement that cyber security is an "ongoing task" therefore becomes justiciable. Ignoring a known vulnerability is no longer a business decision, but a conscious acceptance of strict liability under the Product Liability Act.
The most significant operational change for legal departments comes from the new rules of evidence, which are specifically designed for complex digital products (Sections 19 & 20, ProdHaftG-E).
The Consequence: Courts may require manufacturers to disclose internal documents (e.g. safety audits). The prerequisite is that the claimant must make a claim for damages sufficiently plausible, i.e. there must be a certain probability in its favour. However, this does not mean that manufacturers are left completely unprotected: the draft law explicitly stipulates in Section 19 (4) ProdHaftG-E that the procedural protection mechanisms of Sections 16 ff. of the Trade Secrets Act (GeschGehG) apply. The court may order certain protective measures. Nevertheless, defendant companies should file applications themselves. It is therefore no longer possible to simply hide behind the "black box" of one's own systems. However, manufacturers can continue to protect valuable knowledge.
In addition, in cases of "technical complexity" – especially with AI systems – the burden of proof for plaintiffs is greatly reduced; proving the probability of a causal product defect may, under certain circumstances, be sufficient to establish a legal presumption of such a defect.
Alongside this new civil liability framework, the legislator is also establishing a new, powerful supervisory structure. The Draft AI Implementation Act, also published on 11 September, designates Germany's Federal Network Agency (Bundesnetzagentur) as the central market surveillance authority for many AI applications. This means that, in addition to the risk of damages claims, non-compliance with the AI Act could also trigger direct intervention from regulators with extensive powers.
Time is running out. The new Product Liability Act is set to come into force on 9 December 2026. What manufacturers should bear in mind in order to counter the new cyber liability risks:
The IAA 2025 showcased the technological future of the automobile. The new Product Liability Act ensures that legal responsibility keeps pace with this future. Proactive adaptation is not an option; it is a necessity.
We would also like to refer you to three further articles on product liability:
To the EU-wide Impact of the EU Product Liability Directive on the automotive industry.
To an EU-wide Overview of the most important changes to the underlying EU Product Liability Directive.