Reed Smith Client Alerts

Key takeaways

  • The PLD explicitly includes software, AI, and digital services within the definition of “products” subject to strict liability.
  • Non-compliance with cybersecurity requirements or failure to provide security updates can constitute a product defect.
  • Companies cannot contractually exclude or limit their liability for software or cybersecurity defects.
  • Increased litigation risk is expected because of expanded liability and collective redress mechanisms.

The EU has adopted Directive 2024/2853 (the “Product Liability Directive” or “PLD”), which will take effect on December 9, 2026. This new Directive represents a fundamental overhaul of the EU’s product liability regime, with far-reaching consequences for technology companies, software developers, and any business placing digital products—including software, AI systems, and digital services—on the European market.

Software as a product: A paradigm shift

One of the most significant changes under the new PLD is the explicit inclusion of software—whether embedded, stand-alone, or delivered as a service—within the definition of a “product.” This means that software, firmware, applications, AI systems, and even digital manufacturing files are now subject to the same strict liability regime as traditional physical goods. The Directive clarifies that software is a product for the purposes of no-fault liability, regardless of how it is supplied or accessed (e.g., device storage, cloud, or SaaS models). Integrated and interconnected digital services, such as health monitoring services that rely on physical sensors, are also covered. As a result, any defect in software, including vulnerabilities or failures in digital services, may trigger liability if it leads to harm.