Companies that place products on the EU market—including manufacturers, distributors, and retailers established outside of the EU, such as in the United States and Asia—should take note. The European Union has enacted a sweeping revision of its product liability regime with its new Product Liability Directive (EU) 2024/2853 (the “PLD”), which Member States must transpose into national law by December 9, 2026. The PLD fundamentally modernizes product liability law and will directly affect automotive manufacturers, suppliers, and technology innovators, including those developing autonomous vehicles (AVs), advanced driver-assistance systems (ADAS), and connected car technologies. The new PLD introduces broader liability, an expanded definition of “product,” lower evidentiary barriers for claimants, and new procedural and compliance obligations, all of which will constitute a game-changer concerning the handling of product liability cases in the EU moving forward. Companies in the automotive sector will be significantly affected by this new legal landscape. Here’s what you need to know.
Expanded scope: digital, software, and AI now squarely in focus
The PLD explicitly brings software—including embedded, stand-alone, and cloud-based applications—within the definition of a “product.” This includes firmware, operating systems, AI systems, and digital manufacturing files. For the automotive industry, this means that not only physical vehicle components but also software updates, over-the-air (OTA) upgrades, and digital services (such as navigation, health monitoring, and voice assistants) are now subject to strict liability. The Directive also covers related digital services that are integrated into or interconnected with a product in such a way that their absence would prevent the product from performing one of its functions.
Cybersecurity and software updates: new defect triggers
Another major innovation of the PLD is the explicit recognition that cybersecurity vulnerabilities and failures to provide necessary software updates can constitute product defects. For example, if a vehicle’s software is not updated to address a known security vulnerability, and that vulnerability is exploited to cause harm, the manufacturer may be strictly liable—even if the defect arises after the vehicle was first placed on the market. The new PLD also covers harm caused by the autonomous or adaptive behavior of AI systems, including post-sale changes resulting from machine learning or OTA updates.
Broader range of liable parties
The revised PLD formalizes a cascading liability hierarchy for products manufactured outside the EU. If the manufacturer is not established in the EU, liability first falls to the importer, then to the authorized representative, and, if neither exists, to the fulfillment service provider. This structure ensures that an EU-based entity is always available as a defendant, even for products originating outside of the EU.
The inclusion of fulfillment service providers (such as warehousing, packaging, and shipping companies) as potentially liable parties is new. These entities are only liable if there is no importer or authorized representative established in the EU. This reflects the evolving nature of supply chains and the increasing role of logistics providers in cross-border commerce.
The new PLD also introduces liability for online platforms, but only under specific circumstances—namely, when the platform presents products or enables transactions in a way that would lead an average consumer to believe the product is provided by the platform itself or by a trader acting under its authority or control, and the platform fails to promptly identify a relevant economic operator established in the EU.
In addition, any party that substantially modifies a product after it is placed on the market outside the manufacturer’s control (including through software updates or AI-driven changes) can now be deemed a manufacturer and held strictly liable. This is a new and important expansion, particularly for digital and smart products.
Lowered barriers for claimants: presumptions and burden of proof
The PLD introduces several rebuttable presumptions that make it significantly easier for claimants to establish liability compared to the current procedural scheme:
- Defectiveness is presumed if the manufacturer fails to disclose relevant evidence, if the product does not comply with mandatory safety requirements (including cybersecurity standards), or if there is an “obvious malfunction.”
- Causation is presumed if it is established that the product was defective and the damage is of a kind typically consistent with the defect—seemingly akin to the res ipsa loquitur doctrine in the U.S.
- Defectiveness and/or causation are presumed where the claimant faces “excessive difficulties, in particular, due to technical or scientific complexity”—a scenario likely to be present in cases involving AVs, ADAS, and/or complex vehicle software.
Expanded definition of compensable damage
The PLD broadens the scope of recoverable damages to include:
- Death or personal injury, including medically recognized psychological harm
- Property damage (excluding the defective product itself and property used exclusively for professional purposes)
- Destruction or corruption of non-professional data (e.g., loss of personal data due to a vehicle software failure)
Procedural changes: disclosure and evidence
National courts are now empowered to order the disclosure of relevant evidence from both claimants and defendants, provided the request is necessary and proportionate. Courts may also require that evidence—especially technical evidence relating to digital products—be presented in an easily accessible and understandable manner. This marks a significant shift toward more robust discovery obligations more akin to U.S.-style discovery, and increases the risk that sensitive internal documents, including internal and external legal advice, may be subject to disclosure.
Collective redress and increased litigation risk
The PLD operates alongside the EU’s Representative Actions Directive, which provides a mechanism for legal actions brought by representative entities on behalf of consumers. Qualified entities (such as consumer organizations) can now bring collective claims, increasing the risk of large-scale litigation. The rise of litigation funders in the EU further compounds this risk.
Limited defenses and extended liability periods
- Members States have discretion to omit the “state-of-the-art” defense (i.e., that a defect could not have been discovered given the scientific and technical knowledge at the time), potentially exposing companies to even greater liability.
- The standard liability period is 10 years, but for latent injuries, the period is extended to 25 years.
Action Steps for Automotive and AV Companies
- Review Product Portfolios: Identify which products, software, and services fall within the expanded definition of “product” and assess exposure across the supply chain.
- Enhance Cybersecurity and Update Protocols: Implement robust cybersecurity measures, ensure timely software updates, and document compliance with evolving EU standards (including the Cyber Resilience Act and NIS2 Directive).
- Strengthen Documentation and Evidence Management: Maintain comprehensive records of product safety, software updates, and incident response processes to facilitate defense in the event of litigation.
- Review and Update Contracts: Ensure that agreements with suppliers, software developers, and distributors address the expanded liability framework, including indemnities and insurance coverage.
- Prepare for Disclosure Obligations under the PLD: Develop document retention and evidence management systems to preserve and produce relevant evidence, while protecting trade secrets and privileged communications to the extent possible.
- Keep a Close Eye on Legal Privilege and Confidentiality Frameworks: European regulation is not uniform in that respect, and specific risks of “forum shopping” should be prevented.
- Monitor Litigation and Regulatory Developments: Stay abreast of evolving case law, Member State implementation, and regulatory guidance, particularly regarding the application of presumptions and the state-of-the-art defense.
- Engage in Policy and Advocacy Efforts: Participate in advocacy to shape the implementation of the PLD, especially regarding proportionality in disclosure, the standards for the rebuttable presumptions, the adoption of the state-of-the-art defense, and the regulation of litigation funders.
Conclusion
The new EU Product Liability Directive marks a paradigm shift for the automotive industry, especially for companies innovating in autonomous, connected, and software-driven vehicle technologies. The expanded scope, broader liability, and claimant-friendly procedural rules will require proactive risk management, enhanced compliance, and careful review of supply chain relationships. As national implementation of the Product Liability Directive is ongoing, closely monitoring this progress in key jurisdictions with a view toward working on a comprehensive strategic approach to this new set of regulations will be of the upmost importance.
Client Alert 2025-257
