EU Product Liability Directive: Responding to Software, AI and Complex Supply Chains

Client Alert  |  March 23, 2026

To guarantee consumer protection for rapidly evolving digital technologies and the growing use of software and AI across industries, the EU has adopted a new Product Liability Directive (EU) 2024/2853 (the Directive).

The Directive introduces disclosure obligations for litigants, significantly expands the reach and practical impact of Europe’s strict liability regime to software-driven products, stand-alone software and digital elements, and creates a new liability for online platforms.

By December 9, 2026, EU Member States will have to implement the Directive into their national laws.  We analyze the key changes and how companies can prepare for the new regime.

The key changes include the following:

1. Timeline

The Directive will apply to products placed on the Union market or put into service after December 9, 2026. Products placed on the market or put into service before this date remain subject to the old regime. However, any substantial modification or update to such a product after this date may bring it within the scope of the new Directive.

EU Member States might have slight variations in how the Directive will be implemented in their national laws. So far, only Germany and the Netherlands have published legislative proposals which track the Directive’s provisions closely.

2. Broadened Scope of Recoverable Damage

The Directive significantly broadens the types of compensable harm, reflecting the risks of the digital age. The previous regime focused primarily on physical injury and tangible property damage. The new framework now includes compensation for psychological harm and destruction of personal data. The following damages fall under the Directive:

  • Death or personal injury, now expressly including medically recognized and medically certified damage to psychological health;
  • Damage to, or destruction of, property, excluding the defective product itself and property used exclusively for professional purposes; and
  • Destruction or corruption of data that are not used for professional purposes.

The Directive covers all material losses resulting from these damages and, to the extent available under national law, non-material losses (e.g., pain and suffering). Notably, the previous EUR 500 threshold for property damage and any financial liability caps for personal injury have been eliminated, significantly lowering the barrier for smaller claims which can be brought in Europe as a representative action by consumer protection organizations.

Conversely, other forms of harm, such as pure economic loss, privacy infringements, or discrimination, do not constitute compensable damage under the Directive.

3. Expanded “Product” Definition

In response to rapid technological advancement and the increasing digitization of products across all sectors, the Directive significantly broadens the definition of “product.” It expressly includes stand-alone software, digital manufacturing files and integrated digital elements, reflecting that many products are software-driven or continuously updated after sale.  Therefore, liability may arise from defective software, unsafe digital functionalities or the failure to provide necessary security updates.

4. Expanded Circle of Liable Economic Operators

To ensure that injured persons have a reachable counterparty within the EU, the Directive significantly broadens the chain of potentially liable economic operators.

Where the manufacturer is established outside the EU, strict liability may extend to:

  • Importers placing the product on the market in the EU;
  • The manufacturer’s authorized representative, where designated;
  • Fulfilment service providers, where no manufacturer, importer or authorized representative established in the Union can be identified; and
  • Distributors, where they fail, upon request, to identify the relevant economic operator in the supply chain within one month of a claimant’s request.

Further, any person who substantially modifies a product after it has been placed on the market may be deemed a manufacturer and held liable insofar as the defect results from that modification.

5. New Liability of Online Platforms

The Directive introduces a new liability for online platforms (e.g., marketplaces), where the platform presents the product in a way that may lead an average consumer to believe that the product is supplied by the platform itself or by a trader acting under the platform’s authority or control.

In those circumstances, the consumer can request that the platform provider identify its distributor, the importer or the manufacturer of the product within one month. If the platform provider does not disclose that information within a month, it may be held strictly liable like the manufacturer of the defective product.

6. Disclosure

For the first time, a procedural disclosure requirement will allow plaintiffs in all EU Member States to seek access to information which was previously only available in discovery or disclosure in the US, the UK, and other common law countries.

Defendants can be required to disclose evidence in case a claimant has made a plausible claim for compensation. In turn, defendants have the right to seek disclosure from the claimant if they demonstrate the need for evidence to rebut the claim.

7. Claimant-friendly Liability Regime

The Directive maintains a system of strict liability. A claimant bears the burden of proof to establish that

(1) his product was defective,

(2) he suffered damage; and

(3) there is a causal link between the defect and the damage.

The Directive establishes (rebuttable) presumptions for the defectiveness of the product and the causal link between the defectiveness of the product and the damage, substantially lowering the burden of proof for claimants, in case the

  • Defendant fails to disclose relevant evidence;
  • Damage is caused by obvious malfunction during reasonably foreseeable use;
  • Claimant faces excessive difficulties due to technical or scientific complexity (particularly relevant for AI as a black box; applies to defectiveness and causal link); or
  • Product does not comply with mandatory requirements laid down in EU or national law that are intended to protect against the risk of the damage suffered.

Where several defendants are liable for the same damage, they are jointly and severally liable.

8. How Companies Can Prepare

First, companies will need a clear understanding of their supply chains. In particular, the Directive introduces mechanisms that might require a defendant, within a relatively short timeframe (including a one-month period in certain contexts), to identify other potentially liable economic operators.  To comply with such obligations and manage litigation risk effectively, companies should ensure that the full supply chain is mapped and documented and procedures to provide consumers with this information are established.  Preparing a structured overview of all potentially relevant operators in the supply chain from manufacturer to distributor, especially outside the EU, will significantly reduce response times in contentious proceedings.

Second, documentation will become even more critical. Given the enhanced disclosure obligations and evidentiary presumptions, companies should review their technical documentation, risk assessments, cybersecurity measures, update policies and compliance files.  Documentation should be sufficiently detailed, centralized and accessible to enable a prompt and coherent response to disclosure requests and to rebut allegations of defect or causation.

Finally, contractual arrangements should be reviewed. Clear allocation of responsibilities for product safety, updates, monitoring obligations and information-sharing will be essential, as will effective indemnity and recourse provisions.

The following Gibson Dunn lawyers prepared this update: Markus Rieder, Alexander Horn, Julian von Imhoff, and Carla Baum.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Product Liability practice group, or the authors:

Markus S. Rieder – Co-Chair, Munich, Transnational Litigation Group, (+49 89 189 33 260, mrieder@gibsondunn.com)

Alexander Horn – Frankfurt (+49 69 247 411 537, ahorn@gibsondunn.com)

Julian von Imhoff – Munich (+49 89 189 33-264, jvonimhoff@gibsondunn.com)

Carla Baum – Munich (+49 89 189 33 263, cbaum@gibsondunn.com)

© 2026 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.