For roughly 40 years, product liability law in the EU stayed static while technology evolved exponentially. The law is now catching up. In 2024 the EU adopted a revised Product Liability Directive (PLD) that gives consumers the legal tools to hold companies liable in court for defective products, explicitly including software. Member states must transpose the directive into national law by the end of 2026.
This update has significant implications for software companies operating in the EU. They must be able to show robust security and software development practices, which is a tall order given the approaching deadline. In this post, we unpack the biggest changes in the new directive and how companies should approach cybersecurity to prepare for the shift.
The new PLD introduces several critical changes for software vendors: a broader scope, a wider definition of "defective", a longer liability period, new categories of compensable damage, and a litigation process that favours claimants. Let's take a closer look at each of them.
The new PLD applies to any product placed on the EU market, including software and other digital products. Free and open-source software (FOSS) is excluded only when it is developed or supplied outside the course of a commercial activity, so as not to hamper innovation; a vendor that integrates FOSS into a commercial product remains liable for that product.
The directive defines a defective product as one that "does not provide the safety that a person is entitled to expect or that is required." It explicitly brings software safety issues, including cybersecurity shortcomings, within that definition.
The directive also extends the liability period. The general limit remains 10 years after the product is placed on the market, but it rises to 25 years for latent personal injuries whose symptoms emerge slowly, the outlier cases the old rules left uncovered.
The directive expands the definition of physical damage to include medically recognised harm to psychological health. It also adds a new category of compensable damage: the destruction or corruption of data that is not used for professional purposes. Data used for professional purposes, or for a mix of professional and personal purposes, falls outside this category.
The PLD also changes the litigation process to make it easier for consumers to bring and substantiate claims, most notably by easing the burden of proof on the claimant.
The new PLD marks a significant evolution in consumer protection for software products, especially with regard to safety. Companies bear more responsibility when software vulnerabilities are exploited, and consumers have more avenues to seek compensation for a broader range of damages. Legal experts expect these changes to increase product liability litigation across the EU.
To reduce this heightened liability exposure, software companies need to modernise their security programmes by diversifying how they find vulnerabilities. Relying only on human-driven, point-in-time testing leaves windows of exploitability between engagements, and continuous automated scanning finds only the most common vulnerability classes. Security teams instead need a layered, continuous approach that adds ongoing discovery of critical vulnerabilities on top of point-in-time and automated testing.
Proven approaches include crowdsourced security programmes such as vulnerability disclosure programmes (VDPs) and managed bug bounty programmes (MBBs). In these programmes, organisations partner with hackers who continuously hunt for critical vulnerabilities that traditional testing often misses, so that the organisation can fix them before they are exploited. This gives a safety net across the whole product, especially as new code ships. The diverse security community also brings skills and perspectives that can uncover novel or unconventional threats. Together these measures provide more robust protection against an evolving threat landscape and reduce liability risk.
Companies do not have to embark on this journey alone. Bugcrowd offers expertise in developing and implementing comprehensive security strategies tailored to these evolving regulatory requirements. To get started, chat with a Bugcrowd security expert today.