New Product Liability Directive - Introduction
The recently published Directive (EU) 2024/2853 (the "Product Liability Directive" or "PLD") will replace its 1985 predecessor by the 9th of December 2026, modernizing the framework for liability concerning defective products. This new legislation incorporates digital products, artificial intelligence (AI), and Software-as-a-Service (SaaS), ensuring that the liability framework aligns with technological advancements. This article examines the directive’s key provisions and explores its implications for SaaS providers, banks, telecommunications companies, and other sectors.
Brief analysis of some of the most interesting key provisions around liability
- Broad definition of ‘Product’. The Directive extends the definition of a product to include software and digital manufacturing files. As per Article 4(1) and Recital 13, software (including SaaS) qualifies as a "product" for liability purposes regardless of how it is supplied: via the cloud, on a physical medium, or embedded in hardware. It is also important to note that Recital 13 emphasizes that the liability rules do not apply to mere "information" such as e-books or digital media but focus on software that directly impacts safety. It is also worthwhile to know that, as per Recital 26, the Directive covers both products placed on the EU market and products put into service. Recital 50 further amplifies the nuanced distinction between placing on the market and putting into service. The Directive will not, however, apply to products placed on the EU market before 9 December 2026 (unless they are substantially modified after this date).
- Inclusion of Digital and AI-Driven Components. Digital services integral to a product’s functionality are now included under the term "component" (Article 4(4) and Recital 17). For instance, AI systems capable of learning and updating are treated as part of the product itself. If a defective update causes harm, manufacturers remain liable for their products’ safety, even after sale (Recital 40).
- Cybersecurity and Data Destruction. Cybersecurity is again in focus, as it has been in other EU laws of recent years. Liability now extends to damage caused by cybersecurity failures. Recital 20 specifically highlights the value of intangible assets and includes data corruption or destruction as compensable damage, a significant addition that addresses the vulnerabilities of the digital age.
- Burden of Proof and Evidentiary Access. Recognising the complexity of proving defects in digital products, particularly software, Articles 9 and 10 introduce provisions allowing courts to presume defectiveness in certain scenarios, such as obvious malfunctions or failure to meet mandatory safety standards. Claimants may also request disclosure of evidence from manufacturers to prove liability (Recital 42).
- SaaS and No-Fault Liability. SaaS providers fall squarely within the Directive’s scope. Recital 13 clarifies that liability applies to SaaS products, whether accessed through networks or delivered via the cloud. This marks a departure from traditional views that limited liability to tangible goods. Providers must ensure robust safety measures, including secure updates and compliance with cybersecurity standards.
- AI Learning Systems and Updates. The inclusion of AI systems introduces accountability for “learning” behaviours and updates. For instance, a defective algorithm in an AI-driven SaaS product could now expose manufacturers to claims, particularly if harm arises due to the failure of updates to address evolving cybersecurity risks (Recital 40 and Article 11(2)).
- Free and Open-Source Software (FOSS). Recital 14 excludes non-commercially supplied open-source software from liability, but SaaS providers integrating open-source components in commercial contexts remain liable for defects in the final product (Recital 15).
What is the potential effect on banks, financial services and telcos?
The inclusion of software, digital services, and interconnected technologies in the new Product Liability Directive (EU) 2024/2853 directly impacts operators in the financial services industry, including banks, as well as telecommunications companies, all of which are already heavily regulated under sector-specific rules. These sectors and their operators are not explicitly excluded or exempted from the Product Liability Directive (EU) 2024/2853. While the Directive primarily targets liability for defective "products," including software, AI, and interconnected digital services, its broad definitions and scope encompass many aspects of modern financial services as well as telcos.
Article 2(4)(b) clarifies that the Directive does not affect "any right which an injured person has under national rules concerning contractual liability or concerning non-contractual liability on grounds other than the defectiveness of a product." This means that liability under other laws (e.g., financial regulations, telecoms law or contractual obligations) can coexist with liability under the Directive. However, there is no carve-out or exemption that specifically excludes banks, financial services or telcos.
Analysis of some hypothetical scenarios
- Inclusion of Software as a Product. This has a broad scope and covers digital tools used in financial services as well as telcos. Software, including Software-as-a-Service (SaaS), is explicitly defined as a product under the Directive (Recital 13 and Article 4(1)). This inclusion applies regardless of how the software is delivered: via the cloud, installed locally, or embedded in hardware. For banks, software used in financial services (e.g., online banking platforms, payment processing systems, AI-driven credit scoring tools) is now classified as a product. Similarly, for telcos the inclusion extends to the software underpinning their network operations, customer-facing platforms (e.g., self-service apps), and IoT-based smart devices. By treating software as a product, any defect that causes harm, such as financial loss or service disruption, can potentially result in liability for the provider.
- Integration of Related Digital Services. Digital services integrated into or interconnected with a product are also considered components under the Directive (Recital 17 and Article 4(3)). What this means is that liability extends to the services that power financial products, such as real-time fraud detection, digital wallets, algorithms or customer credit risk assessment tools. If a bank’s AI-powered credit scoring algorithm makes erroneous calculations due to a defect in its code, resulting in harm, liability could be triggered. While digital tools and services are covered, the Directive does not treat purely financial products or advice as "products"; errors in financial advice or regulatory non-compliance arising out of distinct lex specialis would, in my view, be addressed under the liability regimes of those laws, not this Directive. For telcos, services like voice over IP (VoIP), smart home integrations, or real-time network monitoring can also potentially fall under this provision should harm arise, for example if a telecom company’s smart home service fails to secure a device.
- Cybersecurity Vulnerabilities. The Directive specifically addresses damage caused by cybersecurity vulnerabilities (Recital 20, Article 7(f), and Article 11(2)). This is particularly relevant for telcos, which are central to providing secure connectivity, and for financial services providers such as banks, which process sensitive financial transactions. A failure to address vulnerabilities in any product or digital service captured under this Directive could also lead to liability.
- Liability for Other Defects Due to Updates, Including AI Evolution. Banks and other players in the financial services industry frequently deploy software updates for compliance or security purposes, while telcos rely on AI-driven systems for customer service, fraud detection, and network optimisation. The Directive also holds manufacturers (a term that is itself broadly defined) liable for defects that arise after a product is placed on the market due to updates, upgrades, or the continuous learning of AI systems (Recital 40, Recital 32, and Article 7(2)(c)).
- Damage to Data as Compensable Harm. Players in the financial services industry and telcos store and manage vast amounts of customer data. The Directive includes data destruction or corruption as compensable damage (Recital 20 and Article 6(1)(c)). This provision extends liability beyond physical damages.
- Liability for Defective Components. The Directive imposes liability on manufacturers of defective components, including software (Article 8(1)(b)). If a financial services operator, including a bank, integrates third-party software into its systems, or a telecom operator uses third-party components in its network, they can be jointly liable for damage caused by the defects. This also extends to online platforms that facilitate transactions (Recital 38 and Article 8(4)). If a financial services provider, including a bank, or a telecom company operates a platform allowing third-party products or services to be sold under its branding, it could be held liable for those products.
Conclusion
Directive (EU) 2024/2853 reflects the EU’s ambition to harmonize product liability laws while addressing the complexities of digital transformation. For SaaS providers, financial services providers, banks, and telecom operators, the Directive brings both challenges and opportunities. Banks, financial service providers and telcos should assess their software supply chains, cybersecurity practices, and update protocols to ensure compliance and mitigate risks under this new legal framework. By embracing compliance and proactively managing risks, businesses can not only avoid liabilities but also build consumer trust in a rapidly evolving digital ecosystem.
Article by Dr Ian Gauci