The complete guide to the new EU product liability directive: what every business needs to know in 2025
December 9th 2026, a revised Product Liability Directive will apply, marking a significant evolution in how businesses are held accountable for defective products. For the first time, liability extends beyond traditional physical goods to include software, digital services, and cybersecurity risks. This directive is designed to reflect the realities of a connected and digital world while enhancing consumer protection.
At 24hour-AR, we understand that navigating these changes can feel overwhelming, particularly for non-EU manufacturers entering the EU market. This guide breaks down the directive, compares it to the previous framework, and provides actionable steps to help your business achieve compliance.
Comparison of the previous and new product liability directive
Understanding how the 2024 directive differs from its predecessor is essential for businesses selling into the EU. The table below summarises the key changes and highlights why this new framework matters.
|
Aspect |
Previous Directive (85/374/EEC) |
New Directive ((EU) 2024/2853) |
| Product definition | Covered only physical goods | Expanded to include software, digital manufacturing files, and digital services integrated into products |
| Digital services | Excluded digital services and software | Includes liability for digital services integral to product safety, including software updates and AI functionalities |
| Liability for economic operators | Focused mainly on manufacturers and importers | Expands liability to authorised representatives, fulfilment service providers, online platforms, and distributors in some instances |
| Cybersecurity | Did not address cybersecurity risks | Considers products defective if they fail to meet cybersecurity requirements and pose safety risks |
| Substantial modifications | Did not address modifications post-sale | Introduces liability for substantial modifications made after the sale, including changes via software updates |
| Evidence disclosure | Limited guidance on disclosure in liability cases | Requires businesses to disclose relevant evidence, with presumptions of defectiveness if they fail to comply |
| Damage doverage | Covered only physical harm (personal injury and property damage) | Expands to include data destruction/corruption for non-professional (personal) data |
| Liability period | 10-year limit for liability claims | Retains 10-year limit, with a 25-year extension for products with latent health risks |
Why these changes matter
The directive fundamentally shifts how liability is assessed for modern products, introducing no-fault liability for manufacturers, importers, and other operators. This means businesses can be held accountable for defective products — physical or digital — even without proof of fault. Liability now also extends to economic operators, like authorised representatives (ARs), who play a critical role in ensuring product compliance within the EU.
Key changes in the 2024 product liability directive
No-fault liability
Under the new directive, businesses are responsible for defective products even if no negligence is proven, i.e., they can be held liable regardless of fault. This applies to both physical and digital goods, ensuring consumer protection irrespective of the product type.
Extended product scope
Liability now includes software, digital manufacturing files (e.g., 3D printing blueprints), and related digital services. Products are also deemed defective if they fail to meet cybersecurity standards, posing safety risks.
Liability for digital services and AI features
The directive explicitly includes liability for digital services integral to a product’s function and safety, such as cloud systems or AI-driven updates. It also considers a product’s ability to learn or acquire new features through AI when assessing defectiveness.
Broader economic operator liability
The responsibility now extends across the supply chain, including importers, ARs, and fulfilment service providers. Online platforms presenting themselves as sellers are also liable if they fail to identify the manufacturer or importer.
Data and property protection
Compensation under the directive includes personal injury, property damage, and data loss or corruption. Mixed-use property — used for both private and professional purposes — is also covered, broadening the scope of eligible claims.
Presumptions of defectiveness
Courts may presume defectiveness if mandatory safety requirements are not met (i.e. the product is incompliant), if a product malfunctions in obvious ways, or if technical complexity prevents claimants from accessing evidence.
Substantial modifications
Products significantly altered after the sale, including through software updates or upgrades, are treated as new products. Businesses making these modifications assume liability for resulting defects.
Industry-specific impacts of the product liability directive
Manufacturing and consumer goods
Manufacturers must address cybersecurity risks, ensuring that IoT and connected products and machinery meet cybersecurity standards. Clear instructions for installation, use, and maintenance are crucial, particularly for products relying on software updates.
Digital and software providers
Software is now treated as a product. Providers must ensure their offerings are secure, functional, and updated regularly. Liability applies to standalone software as well as software integrated into physical products.
AI-driven and connected devices
AI products capable of learning or evolving post-sale are subject to new liability rules. Manufacturers must monitor these products’ ongoing safety and provide documentation detailing their capabilities and safeguards.
Importers, ARs, and distributors
ARs and importers may now face direct and potentially primary liability, especially when the manufacturer is based outside the EU. Distributors may also face liability if they fail to identify the responsible party.
Steps for businesses to ensure compliance
Strengthen product design
Integrate cybersecurity protections into product design and ensure that connected or AI-driven features are tested thoroughly. Address potential risks before market entry.
Maintain comprehensive documentation
Keep detailed records of compliance, including safety testing, software updates, and cybersecurity measures. This documentation will serve as critical evidence in liability claims.
Coordinate across the supply chain
Work with suppliers, importers, and distributors to define roles and responsibilities. Regularly audit partners to ensure they meet EU compliance standards.
Invest in legal protections
Consider liability insurance, particularly for digital and AI products, to reduce business risk.
Key takeaways for non-EU businesses selling into the EU
Non-EU manufacturers should designate an EU-based AR or importer who can partner with the manufacturer to ensure compliance. Reliable partners like 24hour-AR help mitigate financial exposure and streamline compliance, although statutory liability under the PLD remains with the AR.
FAQs
What qualifies as a “substantial modification”?
Any change that significantly alters a product’s safety, functionality, or intended use, including through software updates, is considered a substantial modification.
How does cybersecurity impact liability?
Products that fail to meet cybersecurity standards are deemed defective, particularly if vulnerabilities lead to harm.
Can an AR be fully liable for a defective product?
Yes, if the manufacturer is outside the EU and appoints an AR, the AR may assume direct and potentially primary liability alongside the manufacturer.
Conclusion
The Product Liability Directive reflects the realities of a digital, connected world, holding businesses accountable across the supply chain. At 24hour-AR, we specialise in helping businesses navigate these changes, ensuring compliance and reducing liability risks. Contact us today to learn how we can support your compliance efforts and protect your business under this updated framework.
