New EU Product Liability Directive: Impact on Software Producers with Real-Life Examples

Co-Founder & CTO

The updated EU Product Liability Directive (PLD) marks a significant shift in consumer protection by expanding liability to digital products and services. This directive responds to technological advancements by making commercial software producers accountable for defects that affect the safety and functionality of products. For additional context, “commercial software producer” refers to any entity or business that develops, sells, distributes, or otherwise provides software as a commercial product. The proposed updates to the EU PLD expand the scope of product liability to cover digital products, including software, especially when it’s integrated into a product or provided as a standalone service.

Below are key areas of impact, along with examples drawn from the directive.

1. Commercial Software and Its Impact on Product Safety

Software integrated into physical products will now trigger liability if it contributes to defects that cause harm. For example, an update to a smart home thermostat that results in overheating could lead to property damage and manufacturer liability under the new rules.

“If software or a related service, such as a health monitoring service relying on sensors, contributes to the functioning or malfunctioning of a product, that service is considered a component of the product itself.” – New PLD, Article 17 (source: Consilium)

Software companies must ensure that updates, patches, or maintenance services do not degrade performance or compromise safety over time.

2. Open-Source Software Use in Commercial Products

While non-commercial open-source software is exempt, liability shifts to companies when these components are used in profit-making products. For instance, if a 3D printer company integrates open-source firmware and that firmware malfunctions, causing the printer to overheat and catch fire, the company, not the open-source developer, would be liable.

“Open-source software supplied outside the course of a commercial activity is not covered. But liability applies when it is used in commercial contexts, for example, if integrated by a manufacturer into a product.” – New PLD, Article 15 (source: Consilium)

This incentivizes companies to thoroughly vet open-source components before including them in their offerings.

3. Liability for Software-Enabled Services and Connectivity

With many products relying on integrated digital services, manufacturers and software providers will face increased accountability. A voice-controlled device connected to other smart products, such as a light or oven, will need to maintain safety even in the event of lost connectivity.

“If a product that relies on digital services fails to function safely due to a service disruption, it may be deemed defective.” – New PLD, Article 18 (source: Consilium)

This provision ensures that software-integrated products are reliable throughout their lifecycle, even during interruptions or downtime.


4. Compensation for Data Loss and Corruption

The directive extends compensation to data loss or corruption, recognizing the importance of digital assets. For example, if a software malfunction in a cloud platform erases personal photos or financial records, the company responsible can be held liable.

“Destruction or corruption of data, including recovery costs, will now be compensable under the new framework.” – New PLD, Article 20 (source: Consilium)

This change places greater emphasis on backup strategies and secure software development practices to protect users from data loss.

Conclusion

The new EU Product Liability Directive represents a major shift for software producers and digital service providers, introducing stricter requirements for product safety, data protection, and the responsible use of open-source software. To comply with these updated regulations, companies will need to implement more rigorous monitoring and risk assessment practices.

This is where a complete Application Security Posture Management (ASPM) platform like Cycode can play a pivotal role.

Cycode offers complete visibility into the software development lifecycle, enabling proactive identification and mitigation of vulnerabilities. Its suite of proprietary scanners—including Software Composition Analysis (SCA), Static Application Security Testing (SAST), Infrastructure as Code (IaC) security, secrets detection, and more—ensures comprehensive coverage of potential risks. These tools facilitate robust remediation processes, allowing companies to address issues promptly and efficiently. And, because Cycode integrates various security functions into a single tool, it effectively streamlines security efforts and reduces complexity.

For more information about the directive, you can view the complete text here. Or, if you want to learn more about how Cycode can help you achieve compliance and strengthen your security posture, book a demo.