A New Landscape for EU Product Liability and Compliance

The EU’s product liability and product safety regimes are undergoing their most significant transformation in decades. The revised Product Liability Directive (PLD) fundamentally redraws the rules governing no-fault liability for defective products. At the same time, the compliance obligations that feed directly into the liability assessment are reshaped by a suite of new and updated product safety regulations, including:

• the General Product Safety Regulation (GPSR);
• the Machinery Regulation, the Cyber Resilience Act (CRA); and
• the Artificial Intelligence Act (AI Act).

Together, these reforms create a tightly interlocked regulatory and liability architecture with far-reaching consequences for businesses.

The New Product Liability Directive

The PLD, which Member States must transpose into national law by 9 December 2026, retains the principle of strict (no-fault) liability but introduces sweeping changes that substantially increase litigation risk for economic operators. As a fully harmonising directive (Article 3 PLD), it sets a uniform standard across the EU: Member States are generally not permitted to fall below or exceed the level of protection prescribed by the PLD, though some limited room for discretion in the details of implementation remains.

Scope: software, AI and digital services

A defining feature of the revised PLD is the explicit inclusion of software, including AI systems and modules, within the definition of “product” for the purposes of strict liability. Under Article 4(1) PLD, software qualifies as a product irrespective of its mode of supply or usage:

• embedded in hardware;
• cloud-based; or
• delivered as software-as-a-service.

Hence, the provider of an AI system, for example, will typically qualify as the manufacturer and is therefore subject to strict product liability.

The PLD also places a stronger focus on components and integrated digital services that are essential to a product’s functions, for example, data processing for navigation, health monitoring or smart home controls (Article 4(3), (4) PLD). Where such a component or service is integrated within the manufacturer’s or provider’s control, it falls within the scope of strict liability. Critically, the provider of a component and the manufacturer of the final product into which it is integrated are jointly and severally liable; the claimant can sue either party directly (Article 8(1) PLD). Contractual exclusions or limitations of liability towards end users are not permitted.

Expanded liability cascade

The PLD significantly broadens the list of potential defendants (Article 8 PLD), ensuring there is always an EU-based entity that can be held responsible for damage caused by a product. Primary liability remains with the manufacturer, followed by the importer, authorised representative or fulfilment service provider (eg, logistics companies) when the manufacturer is based outside the EU. Distributors and providers of online platforms may be held liable in certain circumstances. Liability further extends to parties that substantially modify a product after it has been placed on the market.

Defectiveness: the hinge between liability and regulatory compliance

The PLD revises the test for defectiveness (Article 7(1) PLD) and establishes a connected presumption of defect in Article 10 (2b). Article 7(1) PLD states that a product shall be considered defective, where it “does not provide the safety that a person is entitled to expect or that is required under Union or national law.” The second limb of this provision has been introduced to reflect the relevance of product safety and market surveillance legislation when determining whether a product is defective. Whilst compliance with statutory product requirements has long been considered part of legitimate safety expectations (under the first alternative), the explicit provision in the second alternative of Article 7(1) PLD places greater emphasis on product safety requirements.

Article 7(2) PLD further specifies circumstances that must be considered in this assessment. Relevant product safety requirements, namely safety-relevant cybersecurity requirements, may thus be taken into account by courts and authorities when establishing a product’s defectiveness, while preserving the rights of the defendant (Recital 46). Recital 34 also clarifies that interventions by competent authorities do not in themselves create a presumption of defectiveness, indicating that relevant Union or national safety requirements need to have been adopted to protect consumers from harm, relate to the safety expectations of the public and be substantial on the merits to support establishing a defect in a product. Hence, a breach of purely formal requirements will typically be insufficient to constitute a liability-inducing product defect. Accordingly, the starting point for the rebuttable presumption of a defect is non-compliance with mandatory product safety requirements intended to protect against the risk of damage suffered by the injured person. Ultimately, it will be crucial to identify the mandatory safety requirements specific to the product in question to ensure its safety and distinguish them from other product-related obligations imposed on economic operators under EU and national laws.

For digital products and AI, the PLD introduces additional factors that courts must consider when assessing defectiveness, including the effect of a product’s ability to continue to learn or acquire new features after market placement, the foreseeable effect of other products expected to be used together with it (including through interconnection) and relevant product safety and cybersecurity requirements (Article 7(2) PLD). However, a product shall not be deemed defective merely because a better or improved version, including through subsequent updates or upgrades, is available on the market (Article 7(3) PLD).

The relevant point in time for assessing defectiveness is no longer limited to the moment of placing on the market but extends to the moment the product leaves the manufacturer’s control. A manufacturer retains control if it has the ability to supply updates and since digital products and AI systems are typically subject to continuous learning, updates and patches throughout their lifecycle, defects arising only after market placement can still form the basis of liability (Article 7(2)(e) PLD).

Expanded scope of compensable damage

The PLD extends the scope of protected legal interests in Article 6. Medically recognised damage to psychological health is now expressly recoverable. The destruction or corruption of personal data may also constitute compensable harm, though this is distinct from data leaks or breaches of data protection rules.

The PLD abolishes previous minimum thresholds and financial caps on liability. The removal of minimum thresholds may make it worthwhile to bring smaller-value claims collectively.

Extended limitation period for latent injuries

For personal injuries with long latency periods, where symptoms are, according to medical evidence, “slow to emerge”, the limitation period for claims is extended from ten to 25 years after the product was placed on the market or put into service. This creates obvious challenges for defending claims after such periods and has implications for the insurability of product liability risks.

Procedural mechanisms lowering evidentiary hurdles for claimants

The PLD introduces two closely interlinked procedural mechanisms that are intended to significantly ease the path to recovery for claimants: disclosure obligations and rebuttable presumptions.

Under Article 9 PLD, at the request of a claimant who presents a “plausible” case, courts may order defendants to disclose relevant evidence, which could include:

• design documentation;
• software source code;
• training and validation data; and
• test reports.
• Disclosure is limited to what is “necessary and proportionate”. Courts must consider the protection of:
• confidential information;
• trade secrets; and
• legal professional privilege.

This creates a significant tension for businesses as disclosure orders may require the production of competitively sensitive material.

The disclosure obligation is given teeth by the PLD’s system of rebuttable presumptions under Article 10. A failure to comply with a disclosure order triggers a rebuttable presumption of defect. In practice, defendants faced with such an order will have little choice but to comply or risk losing the case.

Beyond this link to disclosure, the presumptions operate independently. Perhaps most consequential: in cases of “scientific and technical complexity,” courts may presume both defect and causation where the claimant shows that each is merely likely (Article 10(3)(a) PLD). AI systems, with their opaque decision-making processes and complex architectures, are prime candidates for this provision. This significantly lowers the evidentiary hurdles: the claimant needs only to demonstrate a likelihood of a defect and causation and the burden effectively shifts to the manufacturer to disprove both.

Recent Updates in Product Compliance Laws to Target Modern Safety Risks

The GPSR, the Machinery Regulation, the CRA and the AI Act sit at the heart of this interlocked architecture. Each framework imposes its own set of compliance obligations, but together, they set the benchmark against which courts will assess whether a product is defective. Reflecting the additional factors for assessing the defectiveness of digital products in Article 7(2) PLD, these new and updated product safety regulations also address evolving risks arising from technological progress, particularly for interconnected and AI-driven products.

The GPSR: a modernised safety baseline for consumer products

The GPSR, applicable since 13 December 2024, replaces the former General Product Safety Directive and establishes the baseline safety framework for consumer products. Its core requirement is straightforward: economic operators may only place safe products on the market (Article 5 GPSR). What has changed is what safety now requires.

The GPSR broadens the criteria that manufacturers must take into account when assessing whether a product is safe (Article 6 GPSR), now including:

• cybersecurity – products must incorporate appropriate protection against external influences, including malicious third parties, that could affect safety (a cybersecurity vulnerability can now directly constitute a product defect);
• interconnection – the effect a product has on other products and that other products might have on it must be considered; in other words, how it interacts with other hardware or software; and
• AI functionalities – the safety implications of evolving, learning and predictive capabilities must now be expressly considered.

Compliance with revised product safety requirements is not only a regulatory imperative; it is also the frontline defence in any subsequent liability claim for economic operators under the GPSR. For the first time, product safety obligations also extend to online marketplaces.

The CRA: lifecycle cybersecurity for connected products

Even more specific, the CRA introduces horizontal cybersecurity requirements for all products with digital elements throughout their entire lifecycle – covering any hardware or software that is directly or indirectly connected to another device or network. Under Article 6 in conjunction with Annex I CRA, rather than treating cybersecurity as an abstract goal, it translates the concept into concrete, verifiable design and process requirements. Products must:

• ship with secure-by-default configurations;
• protect data confidentiality and integrity through encryption;
• limit attack surfaces; and
• be capable of receiving secure updates.

The CRA imposes a tiered set of pre- and post-market obligations across the entire supply chain – manufacturers bear the most comprehensive duties, including vulnerability reporting and long-term security updates, while importers must verify manufacturer compliance before placing products on the market and distributors must check labelling, with both importers and distributors required to alert manufacturers and market surveillance authorities if they become aware of a significant cybersecurity risk.

Vulnerability and incident reporting obligations apply from 11 September 2026, with full requirements for new products applying from 11 December 2027. Again, non-compliance with the CRA’s essential cybersecurity requirements does more than risk regulatory sanction – it can directly inform a court’s assessment of whether a connected product was defective under the PLD.

The Machinery Regulation: safety obligations for autonomous machines

The Machinery Regulation replaces the former Machinery Directive and applies from 20 January 2027. It modernises safety requirements for machinery and related products and, critically, recognises software (including AI software) explicitly as a potential safety component.

The Regulation introduces specific obligations to address the realities of AI-driven and autonomous machinery. Machines must be designed so that connections to other devices do not create hazardous situations and safety-critical hardware, software and data must be protected against accidental or intentional corruption (Annex III). Manufacturers of machinery with self-evolving behaviour must ensure that safety-relevant decision-making processes are logged and that human intervention remains possible at all times. High-risk AI systems used as safety components are subject to mandatory third-party conformity assessments.

The AI Act: safety obligations for high-risk AI systems and general-purpose AI models

Finally, the AI Act establishes a risk-based framework for AI systems and general-purpose AI models, with the most stringent obligations applying to providers of high-risk AI systems – those used in safety-critical contexts such as medical devices or critical infrastructure, for example. These obligations are designed to ensure that AI systems are safe, transparent, traceable and subject to human oversight throughout their lifecycle. Thus, the AI Act also contains a set of safety obligations specifically for High-Risk AI systems, as well as for General-Purpose AI models, including mandated standards covering:

• the accuracy, robustness and cybersecurity of the AI product;
• AI product’s transparency to deployers/users; and
• the quality of data governance.

Previously, AI systems functioning as safety components of machinery (as per the Machinery Regulation) were automatically classified as high-risk AI systems under the AI Act. However, the Digital Omnibus on AI significantly redraws the relationship between the AI Act and the Machinery Regulation. While political agreement was reached in April 2026, formal adoption by the European Parliament is anticipated at the June 2026 plenary session, paving the way for publication in the EU Official Journal in late June or early July 2026.

Under this agreement, AI systems integrated into machinery will no longer be directly subject to the full obligations for high-risk AI systems under the AI Act. The Machinery Regulation instead becomes the primary compliance framework. The level of protection sought remains consistent with the AI Act – the intent is not to lower safety standards but to put AI-enabled machinery under a single, integrated compliance framework rather than two parallel high-risk AI regimes. That said, any non-compliance with the safety requirements for high-risk AI products, whether under the AI Act or the Machinery Regulation, directly informs a court’s assessment of defectiveness under the PLD. This means that compliance with product-inherent safety obligations for AI systems becomes an integral part of businesses’ product liability risk management.

Conclusion

The reforms described represent the most significant realignment of EU product liability and product safety law in decades. The revised PLD redraws the rules for no-fault liability:

• expanding the scope;
• broadening the pool of defendants;
• easing the evidentiary burden for claimants; and
• extending the time horizon for claims.

At the same time, modernised product safety laws collectively raise the bar for what it means to place a safe product on the EU market. These instruments form a coherent and deliberately interlocked architecture in which regulatory compliance and litigation exposure are directly and explicitly connected. The compliance obligations imposed by the GPSR, the Machinery Regulation, the CRA and the AI Act are not merely regulatory hurdles. They are the evidentiary foundation on which liability claims will be built or defended.

The revised product safety and product liability frameworks comprehensively address the risks associated with modern, digital products. For AI systems and connected products, the presumptions of defectiveness and causation in cases of scientific and technical complexity mean that manufacturers of the most technologically advanced products face the greatest litigation risk and are also subject to additional or stricter product safety requirements.

Product safety and product liability must be treated as two sides of the same coin, governed by the same documentation, risk assessments and governance structures. Supply chain contracts should be revisited to ensure that compliance responsibilities are clearly allocated between manufacturers, component suppliers, software providers, importers and distributors. Insurance contracts should be reviewed to ensure proper coverage. Document retention policies and knowledge management practices should be critically assessed to ensure that businesses can access the key evidence they need to mount the best possible defence against a product liability claim, particularly given that some claims may now be brought up to 25 years after a product has been placed on the market. Finally, businesses are well advised to adopt a proactive approach to risk monitoring:

• mapping applicable safety and compliance requirements;
• tracking regulatory and governmental developments;
• monitoring internal indicators such as:
1. consumer complaints;
2. manufacturing deviations; or
3. the introduction of new processes; and
• establishing cross-functional governance bodies that convene regularly to assess emerging risks.