Jacobsen + Confurius

Product Liability in the Age of Artificial Intelligence – New Liability Standards for Software and Data-Driven Systems

1. Initial Situation and Legal Background

With the entry into force of Directive (EU) 2024/2853 of 23 October 2024, European product liability law has undergone a fundamental modernization. The new Directive replaces Directive 85/374/EEC, on which the German Product Liability Act (Produkthaftungsgesetz, ProdHaftG) is based. Member States are required to transpose and apply the Directive in national law by 9 December 2026.

The reform is primarily driven by technological developments, particularly in the fields of software and artificial intelligence. Under the previous legal framework, the classification of digital products often gave rise to legal uncertainty. In addition, increasing technical complexity has significantly impeded the effective enforcement of damages claims.

The legislator seeks to preserve incentives for innovation while ensuring effective protection for injured parties. Against this background, companies are faced with the question of how responsibilities will be allocated in the future and how liability risks can be limited.

2. New Connecting Factors in Product Liability Law

2.1 Inclusion of Software and AI

In the future, software will qualify as a product within the meaning of product liability law regardless of its technical form. It will no longer be decisive whether software is embodied in a physical medium or locally installed. Cloud-based applications and digital services also fall within the scope of the Directive insofar as they form an integral part of a product or control or influence its functions. This also includes AI systems, as the concept of software is deliberately formulated in an open and technology-neutral manner.

It is expressly clarified that software modified after being placed on the market through updates or machine learning is also covered. Such post-market modifications are of particular relevance from a liability perspective, as they may give rise to new defect risks.

2.2 Extended Concept of Damage

In addition to traditional personal injury and property damage, damage to privately used data will now also be covered, provided that such data is not used for professional purposes. Damage to commercially used data remains excluded. This new category of claims differs from data protection claims, as it does not require unlawful data processing and focuses primarily on the manufacturer.

Pure economic loss (e.g., loss of profit) continues to be excluded. In this respect, the Directive maintains the existing approach.

2.3 Reorientation of the Concept of Defect

A product is defective if it does not provide the safety required by law or reasonably expected by users. In assessing defectiveness, the following factors must be taken into account, inter alia:

  • Foreseeable use, including reasonably foreseeable misuse;
  • The product’s capacity for learning and adaptation (in particular in the case of AI systems);
  • Interactions with other products;
  • Cybersecurity requirements.

As a result, the concept of defect is significantly expanded and more closely aligned with the characteristics of digital systems.

Of particular importance is the restriction of the development risk defence. Under the previous regime, manufacturers could invoke the so-called development risk defence, arguing that the defect was not discoverable at the time the product was placed on the market according to the state of scientific and technical knowledge.

While this defence remains available in principle, it will no longer apply where the manufacturer continues to exercise influence over the product after it has been placed on the market—particularly through software updates or other modifications—and fails to eliminate existing security risks despite reasonable remedial options. In such cases, reliance on the development risk defence is excluded.

This significantly increases the pressure on manufacturers to actively provide security updates and to ensure continuous product monitoring.

2.4 Expansion of the Circle of Liable Parties

The manufacturer remains the primary liable party, including so-called quasi-manufacturers (entities that market products under their own name). In addition, the Directive establishes a multi-tiered liability chain that may also encompass importers, fulfilment service providers, authorised representatives, suppliers, and platform operators.

The objective is to ensure that injured parties always have an identifiable liable party within the EU. Furthermore, in cases involving defective components, multiple parties may be held liable in parallel, including providers of connected digital services.

Another significant change is the abolition of the liability caps (previously up to EUR 85 million for personal injury caused by identical products). Under the new Directive, no statutory monetary ceiling applies, which may substantially increase corporate liability exposure.

2.5 Burden of Proof and Disclosure Obligations

The new disclosure regime is intended to reduce information asymmetries between the parties. Injured parties are granted enhanced rights to seek judicial disclosure of relevant documents, provided that such disclosure is necessary and proportionate for the enforcement of their claims. In addition, the Directive introduces rebuttable legal presumptions under which, subject to certain conditions, both the existence of a defect and causation are presumed.

These presumptions apply in particular where:

  • the manufacturer fails to comply, or fails fully to comply, with a court-ordered disclosure obligation; or
  • the claimant substantiates that a connection between the product and the damage is plausible and that, in light of the product’s technical complexity, further proof cannot reasonably be expected.

These provisions lead in practice to a significant easing of the burden of proof in favour of injured parties, as statutory presumptions regarding the existence of a product defect and its causal link to the damage apply under certain conditions. While the formal burden of proof in principle remains with the claimant, it is in effect partially shifted to manufacturers and suppliers, who must rebut these presumptions.

3. Practical Implications for Companies

The reform results in a substantial expansion of potential liability risks. Particularly problematic is the reliance on the “state of scientific and technical knowledge,” as binding standards are lacking in many areas. Companies must therefore define and implement safety requirements without clear regulatory benchmarks.

In addition, indirect participants in the supply and distribution chain may now also be held liable. Responsibility is no longer limited to the original manufacturer. At the same time, the previous monetary liability cap has been abolished, significantly increasing financial exposure, especially in cases of mass harm.

Finally, the strengthened disclosure obligations place considerable pressure on internal documentation: Companies that fail to maintain adequate development and product documentation risk not only liability but also the loss of evidentiary advantages in litigation.

4. Organisational Measures and Recommendations

4.1 Cross-Cutting Measures

Companies should adapt their internal processes and, in particular, consider the following measures:

  1. Inventory and Risk Mapping: Assess whether your products and services contain software or AI components and fall within the scope of the Directive. Develop a risk map focusing on high-risk areas (e.g., autonomous AI systems, safety-critical applications).
  2. Insurance Review: Examine your product liability insurance for coverage gaps, particularly in light of the abolition of liability caps and new categories of digital damage (data-related losses). Engage with insurers at an early stage.
  3. Contractual Safeguards: Review and revise supplier, cooperation, and platform agreements. Recourse clauses, indemnities, and liability allocation mechanisms along the supply chain should be updated and renegotiated.
  4. Documentation Framework: Implement a structured system documenting the entire product lifecycle—from development and testing to post-market modifications. Particular attention should be paid to the traceability of security-related decisions and update processes.
  5. Update Management: Establish binding procedures for the provision of security updates. As failure to deploy available updates may invalidate the development risk defence under the new regime, robust patch management is essential.
  6. Training and Compliance: Raise awareness among development, sales, and legal teams regarding the new liability rules. Integrate product liability requirements into existing compliance programmes and AI governance structures.

4.2 Specific Considerations for Manufacturers

Manufacturers should integrate security considerations into product development at an early stage (“security by design” and “safety by design”). Risks arising from use, learning capabilities, and interactions with other systems must be systematically assessed.

Where available, harmonised standards should be followed in order to benefit from potential liability privileges. Comprehensive documentation of the entire product lifecycle is indispensable, including structured management of AI systems to ensure evidentiary readiness in the event of disputes.

Moreover, regular security updates must be ensured and organisationally safeguarded. Under the new regime, failure to provide available updates may lead directly to liability by excluding the development risk defence.

4.3 Specific Considerations for Suppliers and Platform Operators

Suppliers and platform operators must ensure transparency throughout their supply chains and be able to identify liable parties within short timeframes. Third-party products should be clearly designated as such to avoid liability in their own right. Clear external allocation of responsibilities is therefore of growing importance.

5. Concluding Remarks

The reform of product liability law comprehensively addresses the specific characteristics of digital and AI-driven systems for the first time. Software is now expressly recognised as a liability-relevant product, the concept of damage is expanded, the liability chain is extended, and liability caps are abolished. For companies, this represents a new level of regulatory compliance requirements. Although the new regime has not yet entered into force, affected stakeholders should use the transitional period to adapt their technical, organisational, and contractual structures. Only in this way can the growing liability risks be managed effectively in the long term.

Contact:
Jens Borchardt
