Cybersecurity vulnerabilities as product defects

The new PLD’s approach to cybersecurity is closely intertwined with the EU’s broader regulatory framework for digital product security, including the Cyber Resilience Act (CRA) and the Network and Information Systems Directive (NIS2). Under the new PLD, non-compliance with mandatory cybersecurity requirements can form the basis for a finding of product defectiveness. NIS2, for example, significantly expands the scope of EU cybersecurity regulation and introduces differentiated requirements based on the type of activity and sector. For instance, organizations involved in pharmaceutical production or diagnostic equipment manufacturing will generally be classified as “essential entities” under NIS2, leading to heightened cybersecurity obligations. NIS2 also covers entities involved in the manufacturing of medical devices and classifies those activities as both “essential” and “important”, making such entities subject to stricter compliance requirements at the national level. Additionally, the CRA requires manufacturers to implement security-by-design, conduct risk assessments, provide security updates, and ensure secure default configurations for products with digital elements. Under the new PLD, non-compliance with these and the other requirements set forth in these regulations may be used to establish defectiveness. Manufacturers should also be aware that the EU Medical Devices Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) also impose specific cybersecurity requirements, the non-compliance with which may form the basis of defect under the new PLD.

The PLD and the CRA also impose ongoing obligations to provide software security updates throughout a product’s life cycle. A product may be deemed defective if the manufacturer fails to supply necessary updates or patches to address vulnerabilities, provided such updates are within the manufacturer’s control. The failure to update software or address known vulnerabilities can therefore expose companies to strict liability if a cyberattack exploits an unpatched vulnerability and causes injury or property damage.

Additionally, both NIS2 and the CRA require companies to have processes for vulnerability management, coordinated disclosure, and incident reporting. The PLD’s new rules on evidence and presumptions mean that if a company cannot demonstrate compliance with these processes, courts may presume defectiveness or causation in favor of the claimant—especially in technically complex cases involving digital products or AI.

Procedural changes: Lowering the bar for claimants

The PLD introduces several procedural changes that make it easier for claimants to bring and succeed in product liability claims involving software and cybersecurity:

• Rebuttable presumptions. If a claimant faces “excessive difficulties” in proving defectiveness or causation due to technical or scientific complexity (as is often the case with software or AI), courts can presume defectiveness and/or causation if the claimant can show it is likely that the product was defective or that there is a causal link. The Directive instructs courts to consider factors such as the complexity of the product, the technology used (e.g., machine learning), and the complexity of the information and data to be analyzed.
• Disclosure of evidence. Courts can require companies to disclose relevant evidence in their possession if the claimant makes a plausible case. Additionally, courts can require evidence “to be presented in an easily accessible and easily understandable manner.” The Directive explicitly calls out digital products as those embodying the sort of complexity envisioned.
• No contractual waivers. Companies cannot contractually exclude or limit their liability under the PLD, and disclaimers for software defects or security vulnerabilities are not valid.

Increased litigation risk and strategic considerations

The combination of an expanded definition of “product,” broader liability, and lower evidentiary thresholds is expected to increase both the frequency and success rate of product liability claims in the EU. Additionally, the PLD will operate alongside the EU’s Representative Actions Directive, which facilitates consumer class and mass actions, further increasing litigation risk.

Given these changes, companies should:

• Review and enhance product safety, cybersecurity, and post-market surveillance practices
• Ensure robust documentation of compliance with security requirements and update protocols
• Review and update contractual arrangements, indemnities, and insurance coverage in light of the new liability landscape
• Monitor for vulnerabilities and issue timely security updates

Conclusion

The new Product Liability Directive marks a paradigm shift for digital product liability in the EU. Companies placing software, AI systems, or other digital products on the EU market should begin preparing now to ensure compliance with the new legal framework ahead of the December 2026 implementation deadline. Proactive risk management, enhanced compliance, and careful review of supply chain relationships will be essential to mitigate exposure under the new regime.

Client Alert 2025-172