Authors
Executive Summary
The EU’s new Product Liability Directive (Directive (EU) 2024/2853) (the PLD) creates a direct bridge between regulatory compliance and product liability exposure. Under the PLD, noncompliance with mandatory safety requirements can trigger rebuttable presumptions of defect. These safety requirements are spread across various regulations, for example the General Product Safety Regulation (GPSR), but also a variety of product- or sector-specific rules that deal with chemical, physical, mechanical, electrical, flammability, hygiene, and radioactivity hazards. In addition, emerging technologies such as AI may lead to significant safety risks, which are dealt with under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) (the AI Act). Coupled with expanded disclosure powers, lifecycle control over software and updates, and claimant-friendly evidentiary rules, this marks a decisive shift: safety compliance is no longer only about market access – it will soon be a central determinant of strict product liability risk. Against this backdrop, safety requirements in other regulatory instruments increasingly need to be understood through the lens of their potential impact on PLD disclosure. This alert explains how the PLD operationalizes that shift, and uses the GPSR and AI Act as examples to illustrate the new compliance–liability nexus in practice.
The PLD’s recalibrated concept of “defect” and why compliance matters
The PLD retains the core standard that a product is defective if it fails to provide the safety that the public is entitled to expect. It then expressly directs courts to consider relevant product safety requirements – including cybersecurity requirements as well as the more standard health, safety, and environmental standards – and interventions by competent authorities and economic operators. But it goes further: if a claimant demonstrates noncompliance with mandatory safety requirements intended to protect against the risk of harm suffered, courts will presume defect.
“In order to reinforce the close relationship between product safety rules and liability rules, non-compliance with such requirements should also result in a presumption of defectiveness. That includes cases in which a product is not equipped with the means to log information about the operation of the product as required under Union or national law.” (EU PLD, recital 46)
The result is a tighter coupling between compliance and liability. Demonstrable compliance with applicable regimes and standards, supported by robust technical documentation, monitoring, and incident response records, will be increasingly central to managing litigation risk under the new PLD.
GPSR: safety-by-design and post-market controls as liability gateways
The GPSR establishes a general safety requirement and a comprehensive suite of obligations for manufacturers, importers, distributors, responsible persons, and online marketplaces. Several GPSR features now function as “liability gateways” under the PLD:
- Risk analysis, technical documentation, and presumption of conformity. The GPSR obliges manufacturers to conduct internal risk analyses and maintain technical documentation, with reliance on European standards providing a presumption of conformity with the general safety requirement. Under the new PLD, documented compliance will inform the safety expectations analysis; conversely, gaps or deviations could feed a presumption of defect where mandatory requirements were not met.
- Lifecycle safety, substantial modification, and new technologies. The GPSR requires consideration of safety across the product’s lifespan, including cybersecurity risks, software updates that substantially modify original functionality, and interconnections with other items. The new PLD similarly attributes liability for substantial modifications and takes into account the ability of a product to learn or acquire new features, including AI behavior.
- Incident reporting, Safety Gate, and recalls. The GPSR mandates accident reporting via the Safety Business Gateway, sets templates and expectations for recall notices, and structures coordination between authorities through the Safety Gate Rapid Alert System. These safety interventions can be considered in a defect analysis under the new Directive. Poor recall execution or failure to notify accidents may exacerbate litigation risk and trigger evidentiary adverse inferences. Indeed, the PLD explicitly provides that “any recall of the product or any other relevant intervention relating to product safety by a competent authority or by an economic operator” should be taken into account when assessing the defectiveness of a product.
- Responsible person and distance sales obligations. The GPSR’s responsible person requirement and online marketplace obligations (e.g., seller identity, safety warnings, traceability) create concrete compliance checkpoints. Under the PLD, where non-EU manufacturers are involved, liability may channel to EU-based importers, distributors, authorized representatives, fulfillment service providers, and online platforms – making the GPSR’s responsibility architecture especially relevant.
While the GPSR’s predecessor already contained some of these potential “liability gateways,” the GPSR represents a significant development in EU product safety standards for all consumer products being placed on the EU market, whether these are low- or high-risk or complex products.
Put simply, the GPSR’s design, documentation, and post-market regimes are not merely regulatory expectations – they will soon be evidentiary anchors with the potential to trigger a presumption of defect under the PLD.
The AI Act: high-risk requirements as safety benchmarks in liability
The AI Act overlays product safety with prescriptive obligations for high-risk AI systems – covering risk management, data governance, technical documentation, human oversight, robustness and cybersecurity, post-market monitoring, and incident reporting. For AI-enabled products, this creates an additional set of “mandatory safety requirements” that can be invoked under the new PLD:
- High-risk conformity and technical documentation. Where AI is a safety component or otherwise high-risk, compliance involves comprehensive technical files and conformity processes (often integrated with sectoral regimes). Under the PLD, deficiencies in these mandatory elements could trigger a presumption of defect.
- Post-market monitoring and incident reporting. The AI Act requires monitoring and prompt reporting of serious incidents. Failure to maintain or act on post-market data, or to report incidents, could undermine defenses in PLD claims and support evidentiary presumptions.
- Cybersecurity requirements and updates. The AI Act embeds robustness and cybersecurity into design and lifecycle obligations. The PLD, in turn, treats failure to supply necessary security updates within the manufacturer’s control as a basis to find defectiveness.
In practice, AI Act compliance documentation – risk management outputs, data governance records, testing evidence, human oversight design, performance metrics, and post-market reports – will double as critical litigation artifacts under the PLD.
Not only are high-risk AI systems regulated under the AI Act; the Act also extensively regulates general-purpose AI (GPAI), such as GenAI. In particular, so-called systemic GPAI (essentially powerful systems with a very wide reach in the EU market or actual or reasonably foreseeable negative effects on public health, safety, public security, fundamental rights, or society as a whole) is subject to requirements similar to those applicable to high-risk AI systems, such as reporting on any serious incidents, including corrective actions taken, comprehensive risk assessments, cybersecurity, and infrastructure security measures.
Practical implications: from compliance programs to litigation readiness
The convergence of the PLD, GPSR, and AI Act requires more integrated governance across product design, market placement, and post-market phases. In our experience, organizations should at least consider the following workstreams, many of which benefit from legal input:
- Identify and consolidate applicable safety regimes. Rather than starting from the PLD itself, companies within the PLD’s scope will need to gather and combine safety requirements that sit in other instruments (such as the GPSR, the AI Act, and sector-specific rules). A first critical step is to compile a consolidated view of all potentially applicable regulations, and then reconcile overlaps and inconsistencies.
- Translate safety obligations into liability-relevant controls. Once the regulatory landscape is mapped, organizations can begin to “translate” those requirements into concrete design, documentation, and governance measures that will matter in PLD litigation (e.g., how technical files, risk analyses, cybersecurity and update policies, and post-market monitoring processes evidence compliance with the mapped safety standards).
- Design evidence-ready processes and documentation. Given the PLD’s disclosure mechanism and the evidentiary value of regulatory compliance, organizations may wish to structure risk assessments, incident records, Safety Gate reporting, and AI documentation with an eye to how they will be presented in court. This includes thinking about privilege, trade-secret protection, and cross-border disclosure constraints at the design stage, and developing playbooks for presenting complex digital evidence in accessible formats while protecting trade secrets.
- Allocate responsibilities and risk in contracts and insurance. Companies will also need to revisit contractual allocations of compliance and update obligations, incident cooperation, audit rights, and indemnities across the supply chain, as well as the fit between these new exposures and existing insurance programs.
This is the type of work where legal and technical teams can work together: legal teams can help interpret overlapping legal frameworks, structure governance and documentation in a way that is defensible in PLD litigation, and align contractual and insurance arrangements with the new risk profile.
In parallel, several regulatory and market developments will determine how quickly and in what form these obligations crystallize. We are monitoring these developments and providing practical tools and advocacy to support implementation.
What to watch
- Member State transposition and national guidance. Divergent approaches to disclosure thresholds, “excessive difficulties,” and interaction with sectoral regimes will be critical for litigation strategy. We are tracking these developments and can support clients in advocacy around key issues during transposition. Our PLD transposition tracker will be available shortly and updated as national measures and guidance emerge.
- Harmonized standards and codes of practice under the AI Act and GPSR. These instruments may support presumptions of conformity and shape the evidentiary baseline in PLD disputes. We can help companies assess how evolving standards affect their product portfolios and documentation strategies.
- Safety Gate trends and market surveillance activity. Patterns in Safety Gate notifications and enforcement actions can foreshadow PLD litigation themes, especially for consumer products, connected products, and AI systems. We are monitoring these signals and can assist in translating them into adjustments to risk assessments, post-market monitoring, and recall strategies.
Bottom line
Under the new PLD, compliance with safety regulations is no longer adjacent to product liability risk – it is central to it. For products governed by the GPSR, the AI Act, and other regulations governing product safety, demonstrable compliance will be critical to product liability litigation defense, while noncompliance may invert burdens of proof. Companies should align design controls, documentation, post-market surveillance, and cybersecurity update governance to this new reality – and be litigation-ready with records that prove it.