The European Union's Product Liability Directive (EU) 2024/2853 (the Directive) marks a watershed moment in product safety and liability regulation, modernising the product liability framework to address current challenges, particularly those posed by digital technologies and AI systems. This is particularly relevant for technology companies and software developers who may not have previously fallen under product liability regulations.
This article examines the implications of the Directive on UK businesses, especially those trading with the EU, in light of a post-Brexit environment and forthcoming UK legislative changes.
Background
The Directive, which repeals Council Directive 85/374/EEC and which came into force on 9 December 2024, must be implemented into national law by Member States by December 2026. While the UK is no longer bound by EU directives, the Directive will be crucial for UK businesses trading with the EU.
The Directive emerges from a rapidly evolving technological landscape where traditional product liability frameworks have struggled to address modern challenges. The previous legislation, Council Directive 85/374/EEC, worked well for physical products but proved inadequate for digital innovations and interconnected systems.
Traditional product safety focused primarily on physical characteristics and immediate hazards. However, modern products often incorporate complex software systems, AI capabilities, and interconnected features that create new categories of risk. For instance, a smart home device might be physically safe but could pose significant risks through cybersecurity vulnerabilities or privacy breaches. We wrote an article about the new requirements for consumer "smart" products last year.
This legislation represents a significant overhaul of the EU's product liability regime, expanding its scope to encompass modern technological developments whilst maintaining the principle of strict liability for defective products.
Key changes and their impact on UK businesses
1. Extended scope: digital products and AI systems
The Directive now explicitly includes digital products and AI systems under strict liability provisions, creating sophisticated safety requirements for emerging technologies and ongoing safety obligations that continue as long as the product is in use.
This includes:
- Software and digital services – software update management becomes a critical safety consideration, with clear requirements for security patches and feature updates that could affect product safety, creating ongoing obligations for manufacturers. Consider a connected vehicle's navigation system - manufacturers must ensure both its initial safety and maintain its security through regular updates.
- AI systems and AI-enabled products – AI system safety now includes requirements for transparency and explainability. Manufacturers must demonstrate that their AI systems make decisions in ways that can be understood and audited. AI systems require continuous monitoring and assessment, as their behaviour may evolve through learning. This creates new challenges in defining and maintaining product safety standards. For example, an AI-powered medical diagnostic tool must maintain consistent safety standards even as it learns from new data. Businesses need monitoring systems capable of real-time performance tracking, security vulnerability scanning, usage pattern analysis and error detection systems, and to ensure appropriate safety controls, such as performance boundaries, learning limits and emergency stops are effectively implemented.
- Products that are substantially modified during their lifetime – a modification is considered substantial when it significantly changes how the product functions, its safety characteristics, or its intended purpose. The key test is whether the modification takes the product outside its original risk assessment and safety parameters – if so, the manufacturer (if they provide the upgrade) and potentially the company performing the modification becomes liable for the safety of these new capabilities just as they would for a new product. Companies need clear policies on what modifications they allow, and to ensure that insurance coverage is reviewed to cover modified products.
- Digital manufacturing files and related outputs - this is a groundbreaking inclusion that recognises how modern manufacturing often starts with digital files. The Directive creates liability for defects in these files just as it does for physical products, covering:
- CAD files for 3D printing
- CNC machine programming files
- Digital product designs
- Manufacturing instructions and parameters
- Associated software and control systems
- Digital producers need to ensure that they are confident in their version control and modification tracking procedures and have sufficient documentation regarding safety validation, testing and quality control. There should also be clear terms of use, and modification restrictions where appropriate.
UK manufacturers and exporters to the EU must comply with these expanded requirements when selling into the EU market.
The key is understanding that safety is now a continuous obligation, not a one-time certification. Businesses need to think of these products as living systems that require constant attention and care to maintain their safety standards.
2. Enhanced consumer protections
The Directive also introduces more rigorous safety requirements that reflect modern technological complexities; for example, cyber security has been elevated to a fundamental safety consideration. A product that is physically safe but vulnerable to cyber attacks is now considered defective under the Directive. This represents a crucial evolution in product safety thinking.
In addition, psychological harm recognition acknowledges that product defects can cause non-physical injuries, particularly relevant for AI systems and digital services. For instance, an AI chatbot providing mental health support must be evaluated for potential psychological impacts on users.
Other notable developments include the introduction of an easier burden of proof for consumers in complex cases, with a 'presumption of causality'. Under traditional product liability rules, consumers needed to prove exactly how a product was defective and how that defect caused their damage. This was often practically impossible with modern digital products.
Under the Directive, the consumer must now show just three basic things:
- The product failed to perform as a reasonable person would expect
- They suffered damage
- It is technically possible that the type of defect they suspect could cause the type of damage they suffered
At this point, an important shift occurs. The Directive creates a presumption that the product was defective and that this defect caused the damage. The manufacturer must then rebut this presumption by proving either that their product wasn't defective or that something else caused the damage.
Going forward, this is likely to require more robust documentation of product performance, well-documented testing procedures and detailed logs of product monitoring systems.
There are also new provisions for compensating data loss, recognising this as physical property damage, for example in the event of a cloud storage service failure, or a manufacturing control system crash.
3. Supply chain responsibilities
The Directive creates a more comprehensive framework for supply chain safety. Traceability requirements now extend throughout the product lifecycle, including software updates and modifications. This means UK manufacturers must maintain detailed records of component sources, software versions, and modification histories - essentially a digital paper trail for every product.
Online marketplaces face new obligations to verify product safety documentation, affecting how UK businesses can sell through these platforms to EU consumers.
These new responsibilities include:
- Verifying seller identities thoroughly
- Checking basic product safety documentation
- Responding quickly to reported safety issues
- Maintaining records of seller verification
- Cooperating with recall procedures
The role of authorised representatives has also now been significantly expanded, acting as a company's legal proxy in the EU, with real responsibilities rather than just a mailbox address. The enhanced requirements for authorised representatives includes maintaining documentation such as technical files and safety certificates, interfacing with authorities, for example in respect of safety enquiries or investigations, and handling recall procedures.
UK businesses need to review their supply chain agreements and potentially restructure relationships with EU partners to ensure compliance, including appointing EU-based authorised representatives where necessary.
UK legislative context
The UK's regulatory framework is evolving in parallel, though not identical ways: the UK's Product Security and Telecommunications Infrastructure Act 2022, coupled with the forthcoming Product Regulation and Metrology Bill, suggests the UK is moving in a similar direction to the EU but takes a slightly different approach to implementation.
If selling to European customers, UK businesses can't ignore the EU directive and must navigate these differences while maintaining compliance with both regimes and keeping track of diverging requirements. This may require separate safety documentation systems for UK and EU markets, different risk assessment procedures to satisfy both jurisdictions and distinct labelling and information requirements.
There are also likely to be post-Brexit complications in cross-jurisdictional enforcement and legal proceedings which will require careful navigation.
Recommended actions for UK businesses
- Immediate steps:
- Review product portfolio against new liability requirements - conducting a comprehensive safety audit that includes an assessment of digital components and their safety implications
- Assess EU market exposure and compliance needs
- Update risk assessment procedures
- Review insurance coverage
- Medium-term actions:
- Implement measures identified during the risk assessment procedures, including any enhanced documentation systems
- Review and update supply chain agreements
- Develop compliance strategies for digital products
- Consider EU representative appointments
- Long-term planning:
- Monitor UK legislative developments
- Develop parallel compliance frameworks for UK and EU requirements
- Implement robust product safety management systems
The expanded scope and enhanced protections represent a significant shift in product liability landscape, particularly for digital and AI products. While creating compliance challenges for UK businesses, it also provides a framework for addressing modern product safety concerns comprehensively. Success in this new regulatory environment requires understanding not just the letter of the law, but its underlying safety principles.
Companies must carefully evaluate their exposure to EU markets and implement appropriate compliance measures. The forthcoming UK legislation may align with EU approaches, but businesses should prepare for potential divergences and the complexity of dual-market compliance.
The investment required for compliance should be viewed as an opportunity to develop robust safety systems that can serve as a competitive advantage in both UK and EU markets. As technology continues to evolve, these enhanced safety measures will become increasingly important for business success and consumer protection.
The new directive can be accessed in full on the European Union's website.
Read the original article on GowlingWLG.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
