Smart homes, smart cars, smart health, smart wearables, smart banking, etc. Everything around us is gaining a "smart" element. Definitions on the Internet-of-Things (IoT) are plentiful but all refer to the connection of embedded computing capability in everyday objects, which forms a more and more coherent digitally coined environment of our daily life. The very idea of IoT means an omnipresent ICT pervasion and accompaniment of our daily life, either as an active user or as a passive beneficiary. IoT has grown from a theoretical concept to a disruptive technology for organisations and individuals alike. Organisations generate new business opportunities by integrating IoT devices into their network infrastructure to improve productivity, implement predictive analysis and rapid responses. For example, smart meters track and record energy consumption to balance demand and supply for accurate billing and timely repairs. In the agriculture sector, drones observe lands to improve production and satiate the demand of the population. IoT enhances the daily lives of individuals through easy monitoring and quick access to information at a distance, personalisation, cost and time savings, and better decision making. For example, a digital pill can alert physicians and clinical researchers when patients have – or have not – taken their medicine.

In 2021, there were more than 10 billion active IoT devices and it is estimated that the number of active IoT devices will surpass 25 billion in 2030. IoT technology has already walked the long road from supply-chain helpers to applications in surveillance, security, healthcare and transport with its ability to locate people and everyday objects. The ability to monitor and control distant objects will only increase with network sustainability and miniaturisation of power-efficient actuators and sensors. Integration of 5G technology and IoT is already taking place in telesurgery, in order to allow surgeons to operate on patients from distance through optimization of visual display and haptic feedback technology at almost zero latency time.

IoT is about using computer tools to automate real-world processes, and like all automation tasks, it is expected to reduce the need for direct human participation. Nonetheless, these devices are in need of human(-like) judgments and decisions. That is where AI can step in and improve the IoT system significantly by learning from their data and experience. AI is already embedded in IoT systems since any application that uses software to generate a response to a trigger event is at least a basic form of AI. Therefore, the question for IoT users and developers is not whether or not to use AI, but to which extent and how AI can be used in new applications. This depends on the complexity and variability of the real-world system IoT intends to automate.

Legal uncertainty hampers the development and uptake of IoT as the Digital Single Market requires a rigid framework to recover losses sustained by individuals and businesses alike. This raises the question: how should EU Member States' liability regime deal with assessing the responsibility of IoT for irresponsible responses? This contribution intends to highlight the harms which could be caused by IoT in this digitally coined environment of our daily life, whereby we take servitization and critical (smart) infrastructure as examples, and to identify possible roadblocks which could impede the way to the Digital Single Market.

Types of harm

Whereas IoT could help us to make our live and work smarter and healthier, as well as gain complete control over our lives, this comes at a price indeed. The flip-side of omni-present functionality is security and liability. Since IoT concerns interrelations between object and humans, there is a strong need to consider the philosophical, ethical and legal issues of IoT cohabitation with humans. Are the benefits of smart home assistants such as Amazon's Alexa and Google's Nest – worth trading privacy and freedom for? Datafication of individuals in the always-on era and mass-aggregation in databases may lead to function creep, profiling, tracking, surveillance, discrimination, etc. Can governments and/or corporations be trusted with such huge data sets on all our interactions in private and public spaces?

Privacy aspects and information security is not the only challenge in this environment. IoT can interact with objects in the physical world through physical devices or actuators. Their actions and the consequences thereof are not necessarily limited by a digital environment. What happens if there is a mistake in the system and IoT devices actuate on this prompt? They can have a physical impact, potentially implying material/physical damage/harm. For example, what if the digital pill wrongfully analyses the health status of a subject by neglecting important biochemical and physiological information? What if smart fire or carbon dioxide alarms do not function in case of an emergency? This stand in sharp contrast to only informational/psychological harm resulting from other traditional data-driven technologies.

Another important issue is that smart and connected devices often are composed of elements from different producers and developers. When something does go wrong, it may be more difficult to establish the responsible party that caused the damage. Often such devices are also cheap and do not contain sophisticated security components.

Revising the Product Liability Directive to the Digital Age

The features of digital technology - IoT and AI in particular - challenge the application of traditional rules in the contractual sphere - such as transparency obligations - and in the sphere of tort law.
The liability regime, governed by the 1985 Product Liability Directive ("PLD") and the national liability rules, may create a degree of legal uncertainty for businesses and consumers. Therefore, the Commission has held a public consultation in 2022 on adapting the EU civil liability regime to new technologies in the digital age and circular economy, including on a possible revision of the PLD.

First of all, can the same rules be applied in situations where the owner or user may have no reasonable way of knowing how their property will behave? As AI and IoT-based products become more and more autonomous, their behaviour becomes difficult to predict. A product could change during its life cycle as a consequence of corrupt data sets feeding the algorithm or software updates, obscuring the traceability and explainability of the decision-making process. Software updates may cause bugs or loopholes, exposing the system to be hacked. Apart from data sets and software updates, cybersecurity risks often stem from interactions with other products and services, which directly or indirectly compromise the safety of the product. It could be questioned whether these cyber vulnerabilities should be covered by the notion of "defect". This would make IoT-product based producers more prone to liability as they often produce low cost products with high security risks.

Secondly, the autonomous nature of IoT devices is not the sole cause of the problem. We may understand what IoT does, but not how it does it. The technological complexity of the devices make it difficult to assess potential safety and liability issues. IoT is fundamentally data driven and complexities can occur in the stages of the initial collection of data, the processing activities and the actuation. This complexity is intensified by the interdependency of the devices. Billions of eyes, ears and hands will execute actions computers have decided upon and will then again be seen, heard and measured by other computers leading to further computed actions. Interaction with other devices, software and data streams makes it difficult to determine where a defect has occurred, even after harm has been clearly established. A potential solution could be to revisit the notion of "putting into circulation" to take into account that products may change and be altered after they have been put into circulation. This could clarify who is liable for any changes that are made to the product.

Lastly, features of IoT and AI can make it difficult to not only identify the potentially liable person but also to prove that person's fault or the defect of a product. The PLD harmonises one specific group of claims at EU level for a vast range of products, i.e. claims against the producer for damage caused to a consumer due to the defectiveness of a product put into circulation. The producer is held liable for damage caused by a defect in its product, provided that the injured party proves the damage, the defect and the causal link between the two. The limited predictability coupled with a lack of transparency stemming from the algorithms' autonomous learning capabilities may hinder the establishment of a causal link with the damage.

These challenges corrode the fault-based pillar of the liability system which is based upon an assumption of static products whose use is predictable for their owner or user. In this respect, key concepts such as the burden of proof and the definitions of a "product", "damage", "defect" or "producer" must be clarified, updated or revised. For an in-depth review of the adaptation of the EU liability regime to the Digital Age and AI, please see the contribution of Steven De Schrijver at

(Critical) smart infrastructure

Recent trends see critical infrastructures migrating toward smart infrastructures by deploying IoT. The quality of service provided by smart transport, homes, hospitals, and grids is improved by investing in remote management and big data. The telecommunications industry providing 5G services will be at the centre of automation networks with their critical infrastructure serving as the bridge to other smart infrastructure systems. However, this opportunity comes at an increased risk to liability. After all, due to more potential entry points and software reliance, the risk of attacks on a 5G network may be higher. For example, who would be liable for the power outage as a result of exploiting the smart energy grids' network infrastructure? Although the proposal on a revision of the NIS Directive ("NIS 2.0") expands the scope of envisaged critical infrastructure, it repeats the omission of its predecessor by neglecting to address the issue of liability.

Servitization of IoT products in the circular economy

Servitization refers to industries using their products to sell services. As part of servitization, companies offer additional services associated with reuse and recycling materials and components, such as maintenance to supplement their traditional products. They increasingly apply IoT to monitor the functioning of industrial assets (or any assets), collecting detailed condition data in a way that facilitates long-term maintenance, thus extending machine lifespans. The circular economy has become a policy priority at the EU level. But legislative action has so far neglected the way in which circular economy may have an impact on the rights and obligations of companies and consumers under general civil and consumer law.

This shift from ownership towards use in product-as-a-service models raises questions regarding the application of specific product liability laws. Who would be liable for damage as a result of a defect located in IoT-devices or the way in which they are applied by a service provider? For example, what if an IoT device does not detect deterioration of an industrial machine which leads to downtime of the production line? Can a user refuse to return the product ("retain") to which access is supplied as-a-service until all alleged damages have been compensated?


The further introduction of IoT products in our lives will fuel the further growth of the digital age. However, where new technology appears, novel legal issues do too. IoT will add a complete new dimension of our existing physical world that cannot be switched off at our desire. It is clear that the existing legal framework shows multiple apparent gaps when dealing with the effects of harmful events caused by smart devices, some of which have been described in this summarized contribution. A call for further action by EU legislators is therefore more than ever necessary to establish updated liability rules that protect consumers and other IoT users while providing certainty for the industry regarding the financial consequences of an event causing damage. This in turn may also boost confidence in the application of IoT devices in ever more essential aspects of modern life.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.