The New EU Product Liability Directive – Liability and Insurance Protection in the Digital Age

Portrait of Christian Fuchs in business attire against a blue background with the EU circle of stars, accompanied by the heading “Product Liability 4.0” and the subtitle “The EU is redefining the legal framework”.

How the EU is redefining the legal framework for modern products

The new EU Product Liability Directive (PLD), adopted on 10 October 2024, marks a fundamental modernization of European liability law.
For the first time, software, artificial intelligence (AI) and digital services are explicitly recognized as products.
This new legal framework creates a broader and stricter liability regime for manufacturers, importers and distributors, while enhancing consumer protection in an increasingly digital economy.

For companies—particularly in the life-science and technology sectors—the PLD introduces new risk dimensions: software updates, cybersecurity obligations and data integrity now play a central role in liability exposure.
Insurers and brokers must adapt coverage concepts accordingly to avoid protection gaps between cyber, professional and product liability policies.

1. Introduction

On 10 October 2024, the European Union adopted a new Product Liability Directive (PLD) that completely replaces the 1985 Directive.
Four decades separate the two, yet the aim remains the same: to achieve a fair balance between the interests of consumers and manufacturers and to strengthen protection against defective products.

The new PLD modernizes the liability framework to address today’s digital and connected environment. It explicitly includes software and AI as products, filling long-standing legal gaps.

The Directive will apply to products placed on the market 24 months after its entry into force, i.e. around December 2026, and must be transposed into national law by all EU Member States before that date.

2. Objectives of the New PLD

The revision of the Directive was driven by three key objectives:

  1. Bringing liability law into the digital age by covering software, AI and connected systems.
  2. Adapting to new business models such as global supply chains and cross-border digital services.
  3. Improving access to justice for injured parties through procedural simplifications and presumptions.

The PLD thus reflects the evolution of products—from purely tangible goods to complex digital systems—and ensures that liability rules keep pace with technological development.

3. The Extended Definition of “Product”

The former Directive was limited to “movable goods,” including components of immovable property.
The new PLD now defines a product as any item, whether tangible or intangible, that is manufactured or integrated into another product, expressly including:

  • software,
  • AI systems,
  • digital design files and raw materials.

As a result, many new market participants – particularly software developers and technology providers – fall within the scope of strict product liability.

4. Digital Products, Services and AI

Software, whether embedded or standalone, is now explicitly treated as a product.
Where a product’s functioning depends on digital services (e.g., data supplied for an autonomous system), such services are deemed components of the product if controlled by the manufacturer.
If, however, a third-party service outside the manufacturer’s control causes damage, it is not covered by the PLD.

Machine-learning systems remain within the manufacturer’s liability sphere: if the system evolves over time and causes harm due to autonomous updates, liability persists.

5. Updates, Modifications and Cybersecurity

Liability also extends to substantial modifications to products after they have been placed on the market, including software updates.
If an update or upgrade changes the risk profile of the product, the manufacturer remains liable for resulting defects.
Conversely, a failure to provide necessary security updates—for example, to close known vulnerabilities—can also trigger liability.

Cybersecurity is now explicitly recognized as part of product safety.
This means that life-science products relying on software (e.g., connected medical devices, diagnostic systems) must maintain cybersecurity standards throughout their lifecycle.

6. Global Supply Chains and Non-EU Manufacturers

The new PLD ensures that consumers can claim compensation even if the manufacturer is located outside the EU.
Liability can therefore attach to:

  • importers,
  • distributors,
  • authorized representatives, or
  • (new) service providers and online marketplaces.

If a distributor fails to identify the responsible manufacturer, the distributor itself may be held liable.
Online marketplaces can be considered “economic operators” and thus liable if they exercise control similar to a supplier or retailer.

7. Presumptions and Access to Evidence

To address the imbalance between injured parties and manufacturers, the PLD introduces evidentiary presumptions rather than a full reversal of the burden of proof.
Courts may presume defectiveness or causation when:

  • the manufacturer fails to disclose relevant information,
  • the product does not meet safety requirements, or
  • the complexity of the product makes it unreasonable for the claimant to prove all elements.

In addition, courts may order the defendant to disclose evidence necessary to substantiate a claim—an innovation for many civil law jurisdictions such as Germany and France.

8. Duration of Liability and Time Limits

The limitation period remains 10 years from the date the product was first placed on the market.
However, for latent injuries—particularly health damages that manifest later—the period may extend up to 25 years.

The previous monetary threshold of €500 for damage claims has been abolished.
This change particularly benefits victims of smaller, cumulative losses, such as data corruption or minor device failures that nonetheless cause measurable harm.

9. Implications for Life-Science Products

The PLD applies alongside sector-specific regimes such as the EU rules on pharmaceuticals and medical devices.
While pharmaceutical liability remains subject to national frameworks, the new Directive’s broad definition of “product” and inclusion of digital components will affect many life-science companies.
Software controlling medical or diagnostic devices, as well as AI-driven decision tools, now clearly fall within the scope of strict product liability.

A defect in such software—whether due to faulty algorithms, incomplete updates or cybersecurity breaches—can thus give rise to compensation claims under the new regime.

10. Insurance Implications of the New Directive

The Directive’s broader definition of a product—including software and AI—creates significant challenges for the insurance industry.
Conventional distinctions between general liability, professional indemnity and product liability insurance are increasingly obsolete.

Developers of software or AI systems, as well as manufacturers of digitalised medical devices or laboratory equipment, must verify whether their existing coverages adequately reflect the new risk environment.
Cybersecurity has become an element of product safety itself; therefore, software flaws, missing patches or data breaches may now constitute product defects.

11. General and Product Liability Policies

Liability insurance covers the legal liability under private law arising from the policyholder’s operations and products.
Product liability extensions typically protect against bodily injury or property damage caused by defective goods or completed operations.

Under the PLD, these frameworks remain valid, yet the scope widens to encompass digital components and updates.
German jurisprudence had already interpreted software as a “functional product.”
Article 4 PLD now confirms this explicitly: software is a product in the statutory sense.

Traditional policies continue to cover tangible bodily injury and property damage.
However, pure financial losses, such as data corruption or loss of digital content, often fall outside standard wordings and may require dedicated endorsements or combined policies.

12. Cyber Insurance – Need for Alignment

Many cyber insurance policies are drafted as affirmative covers, meaning they respond only to risks expressly listed in the schedule.
Companies dealing with connected products, cloud services or digital diagnostics should therefore review whether product-related cyber losses—especially those stemming from defective updates or embedded software—are included.

Ambiguous exclusions between cyber and product liability lines can create coverage gaps.
Insurers should clarify whether bodily injury, property damage and consequential losses arising from digital defects are covered under one programme or split across several.

13. Potential Coverage Gaps and Combined Solutions

A key challenge is classifying data loss: is it property damage or a pure economic loss?
To mitigate uncertainty, integrated policies combining professional, general, product and cyber liability are advisable—particularly for life-science companies operating digital devices or software platforms.

The Directive’s explicit reference to psychological health injuries adds another layer of complexity.
Some international policies define bodily injury narrowly, excluding mental or emotional harm unless accompanied by physical injury.
Under German and EU law, however, recognised psychological disorders with clinical significance qualify as health injuries, and thus fall within product liability.
Insurers should ensure their wording reflects this broader concept.

14. Measures to Secure Adequate Coverage

To prepare for the PLD’s implementation, companies and brokers should:

  1. Review the insured activities – confirm that policy definitions encompass digital services, maintenance, software updates and cybersecurity measures.
  2. Assess the breadth of cover – ensure policies capture claims under the new Directive, possibly through integrated multi-line programmes.
  3. Embed cyber protection – harmonise cyber risk with general and product liability.
  4. Re-examine exclusions – avoid wording that unintentionally removes coverage for software or AI defects.
  5. Include mental and data loss damage – explicitly state that psychological injuries and digital data losses are insured events. 

15. Interaction with Other EU Regulations

The PLD interacts closely with other legislative instruments forming the EU’s new digital safety architecture:

(a) General Product Safety Regulation (EU) 2023/988 – GPSR
In force since December 2024, the GPSR replaces the former General Product Safety Directive.
It strengthens market-surveillance powers and establishes that a product not meeting safety requirements is automatically deemed unsafe—creating a presumption of defect under Article 7 (2)(f) PLD.

(b) Cyber Resilience Act (CRA)
The CRA imposes mandatory cybersecurity standards for products with digital elements.
Manufacturers must address vulnerabilities throughout the product lifecycle—typically up to five years—and report incidents to ENISA within 24 hours.
Non-compliance can not only trigger administrative penalties but also constitute evidence of defectiveness under the PLD.
For directors, failure to meet these duties may result in managerial liability under company law (Sections 43 GmbHG, 93 AktG), potentially invoking D&O coverage.

16. Conclusion

The new PLD represents a paradigm shift in European liability law.
It extends strict liability to the digital sphere, strengthens the position of claimants and expands the obligations of all economic operators within the supply chain.

For insurers and brokers, the Directive demands a strategic realignment:

  • Cyber risks, data integrity and AI-related defects become central underwriting criteria.
  • Hybrid coverage models combining product, cyber and professional liability will gain importance.
  • Policy language must evolve to capture psychological injuries and digital property damage.

For life-science companies, the PLD is more than a legal reform—it is a compliance and brand-trust challenge.
Ensuring continuous product safety, update management and cyber resilience will be critical not only for regulatory compliance but also for maintaining patient and customer confidence.

The Directive marks Europe’s transition from an analogue understanding of defectiveness to a comprehensive digital liability regime—one that links technology, law and insurance in a single ecosystem of responsibility.

Wedel, 25 October 2025
Christian Fuchs is a certified liability underwriter (DVA) and managing partner of FMP Fuchs Insurance Brokers, specialising in product and cyber liability solutions for the life-science industry.