New EU Product Liability Rules: What Changes for AI and Digital Products

How do you prove a self-learning AI product is defective? The revised EU Product Liability Directive brings answers that could reshape how manufacturers approach liability for digital and AI-enabled products.

This analysis will be crucial for manufacturers, importers, and product developers working with AI, IoT devices, or any products that receive software updates after market placement. Understanding these new liability criteria helps you assess risks and adjust product development strategies before the 9 December 2026 implementation deadline.

The foundation remains, but details matter

The revised EU Product Liability Directive 2024/2853 (RPLD) came into force on 8 December 2024, replacing legislation from 1985. The core principle stays the same: a product is defective if it fails to provide expected safety or required legal standards. However, the RPLD introduces detailed new criteria for assessing defectiveness that significantly extend liability, particularly for digital products and AI systems.

Nine new factors that determine defectiveness

The RPLD establishes specific elements courts must consider when determining if a product is defective. These create new obligations and risks for manufacturers.

1. Presentation and characteristics expanded

The directive now explicitly includes labelling, design, technical features, composition, packaging, and instructions for assembly, installation, use, and maintenance. This comprehensive list means every aspect of your product presentation could influence liability decisions.

2. AI learning creates ongoing liability

Perhaps the most significant change addresses products that “continue to learn or acquire new features after placement on market.” If your AI-driven product learns dangerous behaviour, you remain liable even if the harm wasn’t foreseeable at launch.

This means manufacturers of learning systems must design safeguards to prevent hazardous behaviour patterns. Simply claiming the AI “learned” harmful behaviour won’t absolve liability.

3. Interconnected products bring shared risks

The directive recognises that digital products rarely work in isolation. You must now consider “reasonably foreseeable effects” when your product interacts with others through interconnection.

This poses particular challenges for software developers whose products integrate with multiple platforms or devices. Your liability could extend to harm caused by these interactions.

4. Control equals ongoing responsibility

Under the old directive, liability was assessed based on knowledge available when the product entered circulation. The RPLD fundamentally changes this approach.

If you retain control over a product after market placement – through software updates or upgrades – you must keep pace with advancing scientific and technical knowledge. This creates ongoing obligations to monitor developments and respond through updates.

For many digital and AI products, this means liability doesn’t end at the factory gate but continues throughout the product’s connected life.

5. Cybersecurity becomes explicit liability factor

The directive explicitly includes “safety-relevant cybersecurity requirements” in defectiveness assessments. This resolves previous uncertainty about whether cybersecurity failures constitute product defects.

Poor cybersecurity that enables third-party interference causing harm could now establish product liability. This includes inadequate protection against hacking, data breaches, or malicious software.

6. Recalls signal potential defectiveness

Product recalls or safety interventions by authorities now factor into defectiveness assessments. While recalls don’t automatically prove defectiveness, they create additional evidence courts can consider.

This integration of product liability with product safety law means regulatory actions could influence private liability claims.

7. Special user groups get protection

The directive allows consideration of specific user groups’ needs, particularly relevant for high-risk products. This codifies existing case law stating that products with high harm potential can be deemed defective without proving the specific unit’s defectiveness if similar products in the production series have proven defective.

This particularly affects medical devices and other products serving vulnerable populations.

8. Prevention products face stricter standards

Products designed to prevent damage – smoke alarms, safety equipment, protective gear – face automatic defectiveness findings if they fail their primary purpose.

Implementation timeline and practical steps

  • Member states must implement the RPLD by 9 December 2026. This gives manufacturers time to adapt but requires immediate strategic planning.
  • Start by reviewing your product portfolios for AI components, learning capabilities, or ongoing software updates. Assess which products retain manufacturer control post-market and what ongoing monitoring obligations this creates.
  • Strengthen cybersecurity measures and documentation. Poor cybersecurity could now directly establish liability rather than being a secondary consideration.
  • Review interconnection risks where your products work with others. Consider contractual arrangements to manage shared liability exposure.
  • Update quality management systems to account for ongoing knowledge monitoring requirements for products under your continued control.

The competitive advantage perspective

While these changes increase compliance burdens, they also create competitive opportunities. Companies that proactively address these requirements could gain market advantages as customers increasingly value safety and security.

Strong cybersecurity, robust AI safety measures, and comprehensive interconnection testing could become key differentiators in B2B markets where buyers face their own liability exposure.

The directive’s focus on vulnerable user groups also creates opportunities for companies serving specialised markets with enhanced safety requirements.

Ready to navigate the new product liability landscape? Our team at Alura Group can help you assess your exposure under the revised directive and develop strategies to manage AI, cybersecurity, and interconnection risks. Contact us today to ensure your products meet the new standards before the 2026 deadline.

Source: https://www.twobirds.com/en/insights/2025/germany/the-defectiveness-of-products-under-the-new-eu-product-liability-directive—the-german-perspective