Product Liability Directive

The Product Liability Directive (PLD) establishes a no-fault civil liability regime under which manufacturers are responsible for damage caused by defective products. The original 1985 directive was substantially revised in 2024 (EU 2024/2853) to address digital products and the modern technology landscape. Under the revised PLD, software — including embedded firmware and standalone applications — is explicitly classified as a product. A product is 'defective' if it does not provide the safety that persons are entitled to expect, taking into account all circumstances including its presentation, its reasonably expected uses, and the time it was put into circulation. Cybersecurity vulnerabilities that are exploited to cause damage can constitute a defect under this definition.

The CRA and the revised PLD form interlocking layers of the EU's cybersecurity product regulation framework. The CRA establishes what manufacturers must do (proactive obligations), while the PLD establishes the consequences of failure (reactive civil liability). A manufacturer that fails to meet CRA essential requirements — for example by not providing security updates, not maintaining a CVD process, or shipping a product with known exploitable vulnerabilities — is not only at risk of MSA enforcement under the CRA, but also faces civil liability claims from users and third parties harmed by resulting security incidents. Non-compliance with CRA requirements may be used as evidence of defectiveness under the PLD. This makes CRA compliance a legal risk management imperative beyond mere regulatory obligation.

The 2024 revision of the PLD introduces several changes particularly relevant to cybersecurity and digital products:

• Software included explicitly: Both standalone software and embedded firmware are now unambiguously covered as 'products'.
• Ongoing liability for updates: Where a manufacturer provides (or should provide) security updates, a failure to update — leaving a known vulnerability unpatched — can trigger liability.
• Data loss as damage: The revised directive includes destruction or corruption of data as compensable damage, directly relevant to ransomware and data-destroying cyberattacks.
• Disclosure facilitation: Courts can order defendants to disclose relevant documents (including vulnerability reports and internal security assessments) in PLD proceedings.
• Extended limitation periods: Victims have up to ten years to bring claims for latent defects with long development periods.

The interaction between the PLD and the CRA means manufacturers should treat cybersecurity compliance not just as a regulatory obligation but as a product liability risk mitigation strategy. Practically:

• Document your security decisions: If a vulnerability is known and accepted as a business decision, document the risk assessment. Unexplained gaps are harder to defend.
• Maintain your support period commitments: Stopping security updates before the stated end of life — leaving users exposed — is the clearest route to PLD exposure.
• Respond promptly to CVD reports: Delays in addressing reported vulnerabilities increase the window of exposure and strengthen a claimant's case.
• Keep SBOMs current: Knowing what components are in your product enables rapid response to upstream vulnerabilities, demonstrating due diligence that reduces PLD exposure.