
Preparing for the EU Product Liability Directive (EU) 2024/2853

April 21, 2026

Executive Summary

The European Union has modernized its product liability framework through Directive (EU) 2024/2853. The Directive replaces the original 1985 Product Liability Directive and reflects the realities of modern digital and connected product ecosystems.

The revised framework expands the legal definition of products to include software, artificial intelligence systems, digital manufacturing files and digital services that are integral to a product’s operation.

For businesses operating within the EU market, these changes significantly increase liability exposure. Manufacturers, technology providers, and importers must reassess product safety governance, supply chain transparency, and insurance coverage.

This paper examines the Directive’s regulatory changes, emerging risk exposures, insurance implications, and strategic actions organisations should take before the implementation deadline in December 2026.

 

Over the past four decades, the nature of products has changed dramatically. Modern products increasingly combine physical components with software systems, artificial intelligence, and cloud‑based services. Connected vehicles, smart home devices, robotics, industrial automation platforms and medical devices all rely on complex digital ecosystems.

Traditional product liability frameworks were not designed to address the risks associated with software defects, algorithmic errors, cybersecurity vulnerabilities or remote updates. The EU’s revised Product Liability Directive aims to close these gaps by expanding liability rules to reflect the realities of the digital economy.

Key regulatory changes

The Directive introduces several structural reforms that affect how liability is assigned.

  • Expanded product definition
    Software, AI systems and digital manufacturing files are now legally recognised as products.
  • Liability for updates
    Manufacturers may remain liable where software updates or patches introduce defects.
  • Expanded economic operator responsibility
    Importers, distributors and authorised representatives may be held liable where a manufacturer cannot be identified within the EU.
  • Burden of proof
    Taking into account all the relevant circumstances of the case, courts may presume defectiveness where consumers face excessive technical barriers to proving the defect.
  • Damages expansion
    The Directive will expand the range of damages to include medically recognised damage to psychological health and damage to data.
  • Expiry period
    The expiry period for latent injury/damage claims will increase from 10 years to 25 years.

These provisions significantly increase potential exposure for organisations involved in technologically enabled products.

Industry risk landscape

The Directive introduces new categories of risk that organisations must address:

  • Software reliability risk
    Defects in firmware or application code may lead to operational failures.
  • Cybersecurity vulnerability risk
    Security weaknesses could allow malicious actors to compromise products and cause damage.
  • AI decision-making risk
    AI models may produce outputs that lead to unsafe product behaviour.
  • Digital supply chain risk
    Complex supply chains involving multiple software vendors increase accountability challenges.

Insurance market implications

The insurance sector is expected to adapt to increased product liability risk driven by the Directive. Historically, product liability insurance focused primarily on manufacturing defects. The inclusion of software as a product introduces a hybrid exposure combining technology risk and product risk.

Insurers are expected to evaluate several factors when underwriting technology-enabled products:

  1. Software quality assurance processes
  2. Cybersecurity controls
  3. Patch management and update governance
  4. Supplier and component traceability
  5. Product safety engineering standards

Associated insurance costs may reflect increased uncertainty around emerging technologies such as AI.

Product liability insurance considerations

Risk managers should review current product liability insurance policies to ensure that coverage adequately reflects modern digital exposures.

Areas requiring careful review include:

  • Coverage breadth
    Whether software defects or algorithmic failures are treated as product defects
  • Cyber-physical incidents
    Whether cyber events leading to physical damage fall under product liability or cyber insurance
  • Claims-made vs occurrence triggers
    Software defects discovered years after sale may require extended reporting coverage.
  • Policy limits
    Increased litigation risk may require higher liability limits.

Insurance coverage solutions

To address emerging risks, organisations may consider a layered insurance strategy.

  • Enhanced product liability insurance
    Policies specifically designed for technology-enabled products.
  • Technology errors and omissions (Tech E&O)
    Coverage for software development errors and system failures.
  • Cyber liability insurance
    Protection against security breaches affecting connected products.
  • Integrated product-cyber policies
    Some insurers now offer blended policies addressing cyber‑physical risk.

Risk mitigation framework

Insurance should complement — not replace — operational risk management.

Best practice frameworks include:

  • Secure product design
    Security-by-design and safety-by-design engineering practices.
  • Software lifecycle governance
    Structured processes for patch management and software updates.
  • Supply chain risk oversight
    Due diligence and contractual controls for component suppliers.
  • Compliance documentation
    Detailed technical documentation supporting product safety decisions.

Implementation timeline

The Directive will be implemented through national legislation across EU member states.

Key milestones include:

  1. Directive adoption – 2024
  2. Member state transposition deadline – December 2026
  3. Application to products placed on the market – December 2026 onward

Organisations should begin preparation well before national legislation enters into force.

Strategic recommendations

To prepare effectively, organisations should adopt a structured readiness strategy.

  1. Conduct product liability exposure assessments
  2. Review digital product architectures
  3. Strengthen cybersecurity governance
  4. Evaluate insurance coverage gaps
  5. Update supplier agreements and liability clauses
  6. Implement enhanced product testing and safety assurance

Emerging product liability risk matrix

| Risk category | Example exposure | Potential mitigation |
|---|---|---|
| Software defects | Firmware bug causing device malfunction | Robust QA testing and patch governance |
| Cybersecurity breach | Remote hacking leading to product failure | Security-by-design engineering |
| AI algorithm error | Autonomous decision causing unsafe behaviour | AI risk assessment frameworks |
| Supplier software failure | Third-party component introducing defect | Supplier contractual liability controls |

 

The Directive represents one of the most significant reforms of European product liability law in decades.

By recognising software and digital services as products, the Directive reflects the realities of modern technology ecosystems while strengthening consumer protection.

Organisations that proactively strengthen governance frameworks, risk management processes and insurance programmes will be best positioned to manage the expanded liability landscape.

 


 

For any more information on this topic, please reach out to one of our team:
Sally Roberts, Head of Corporate Casualty, London:
Christian Crozier, Head of Corporate Casualty, UK:

 

About Sompo

We are Sompo, a global provider of commercial and consumer property, casualty, and specialty insurance and reinsurance. Building on the 137 years of innovation of our parent company, Sompo Holdings, Inc., Sompo employs approximately 10,000 people around the world who use their in-depth knowledge and expertise to help simplify and resolve your complex challenges. Because when you choose Sompo, you choose The Ease of Expertise™.

“Sompo” refers to the brand under which Sompo International Holdings Ltd., a Bermuda-based holding company, together with its consolidated subsidiaries, operates its global property and casualty (re)insurance businesses. Sompo International Holdings Ltd. is an indirect wholly-owned subsidiary of Sompo Holdings, Inc., one of the leading property and casualty groups in the world with excellent financial strength as evidenced by ratings of A+ (Superior) from A.M. Best (XV size category) and A+ (Strong) from Standard & Poor’s. Shares of Sompo Holdings, Inc. are listed on the Tokyo Stock Exchange.
