Companies that place software on the market in the European Union are facing a major new liability. Late last year, the EU finalized fundamental changes to the Product Liability Directive (PLD), changes with far-reaching ramifications. While the new rules won't apply broadly until late 2026, they will likely change how companies think about and handle software security. Let's dive into what these changes entail and what they mean for you.
What is the EU PLD?
Before getting into the changes, it’s helpful to understand what the PLD actually is. The directive itself is longstanding, having been first established back in 1985. As the European Commission has noted, the PLD “ensures that victims can claim compensation from manufacturers when they suffer damage caused by a defective product.”
What does the EU PLD do?
According to the European Commission, “Any person who has suffered a damage caused by a defective product (e.g. the owner of the product, a bystander, family member, etc.) can bring a claim before a national court.” In short, the PLD is the legal framework under which people harmed by a defective product obtain compensation.
For example, let’s say you buy a toaster within the EU. If that toaster is defective and gets too hot — so hot, in fact, that you burn your hand trying to take out a piece of toast — then you would be able to bring a claim against the toaster manufacturer in a national court in the EU.
Now, under the new directive, the same is true for software: an individual harmed by defective software can bring a claim in the same way.
What areas does the PLD cover?
Only people can file claims, not companies. So if a company purchases a defective product, it cannot seek redress under the PLD. The damage that can be claimed covers death or personal injury, damage to property, and, newly under the revised directive, the destruction or corruption of data that is not used for professional purposes.
Should a court agree that a product is defective, then the victim would claim compensation from the manufacturer — even if that manufacturer is not within the EU. In some instances, the importer or the authorized representative, the fulfilment service provider or even the distributor may be found liable, according to the European Commission.
What are some key points about the EU PLD?
One thing that is unique about the PLD is that it is a “no-fault” (strict liability) rule. That means that even if the manufacturer did everything it was supposed to do (complied with all applicable laws, had robust quality standards and checks in place, and so on), it can still be held liable if the end product was defective. It doesn’t matter how the product is made, just how it performs.
What are the new PLD amendments?
While the EU PLD is decades old, the revised directive now “specifically clarif[ies] that all types of software are covered by the new directive, including applications, operating systems and AI systems,” in the European Commission's words.
This is big news, as it means that any person or company placing software on the EU market in the course of a commercial activity could be liable if that software is defective and causes damage. (Free and open-source software developed or supplied outside a commercial activity is expressly excluded.)
For example, let’s say you make and sell marketing automation software, and some of your customers are in the EU. You take cybersecurity seriously, running regular scans using Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools. You then protect the software once it’s in production using Web Application Firewalls (WAFs) and empower your Security Operations Center (SOC) with Extended Detection and Response (XDR).
So far, you’re in good shape. Most existing compliance standards would say you’re on the right track.
And then you’re hit with a devastating data breach, with attackers accessing and stealing highly sensitive data. You find out later that the attackers used a zero-day to breach your systems, which is why your existing security didn’t catch the incident.
Under the new EU PLD, your company can still be liable for this breach. The test is whether the software provided the safety, including the cybersecurity, that a person is entitled to expect, not whether you followed good practice. Even though you had all of these safeguards in place, the affected individuals suffered damage and could seek compensation from you under the new EU PLD.
It’s not enough to be “good enough” or to use “industry best practices” and hope for the best. Rather, your software needs to be exceptionally secure.
Being secure against zero-day attacks in particular requires a fundamental shift in how you approach software security. Rather than relying on perimeter defenses that match known signatures, meeting the bar the EU PLD sets calls for controls that detect and block anomalous behavior in the running application in real time, even when the attack uses a zero-day exploit.
For more insights on how the new changes to the EU PLD will impact software and what you can do about it, check out this video featuring Jeff Williams, Founder and CTO of Contrast Security.