EU Product Liability Directive: AI as a Defective Product | TLY

AI Regulation Tracker  /  Regulation effective soon

EU Makes Software and AI a "Product": Revised Liability Directive Hits December 9 Deadline

The EU's revised Product Liability Directive treats software and AI systems as products and imposes strict, no-fault liability for defects. Member states must transpose it by December 9, 2026.

EU Makes Software and AI a
The Leveraged Years AI Regulation Tracker

The European Union has redrawn the map of who can be sued when software fails. Directive (EU) 2024/2853, the revised Product Liability Directive, replaces the 1985 regime and, for the first time, states plainly that software and AI systems are "products." That single reclassification pulls software makers, AI developers, and integrators into a strict, no-fault liability framework that member states must write into national law by December 9, 2026. The directive applies to products placed on the market after that date.

What the reclassification does

Under the old directive, "product" meant a tangible object, and software occupied a gray zone that let many developers argue they fell outside product liability entirely. That argument is gone. By naming software and AI as products, the directive exposes their makers to the same no-fault standard long applied to cars and appliances. A claimant does not have to prove the developer was negligent. They have to show the product was defective and that the defect caused harm. For a licensed professional buying or deploying AI tools, this changes the risk calculus of the whole supply chain, because liability now attaches to the software itself rather than only to how it was used.

A duty that outlives the sale

The directive does not treat a product as finished at the moment of release. It contemplates a continuing duty to keep products defect-free and cybersecure through updates. A vulnerability that emerges after launch, or a model that degrades in a way that produces harm, can be treated as a defect the maker was obligated to address. This is the part that reaches deepest into engineering practice. Security patching and post-market monitoring stop being good hygiene and become a legal exposure. Firms that ship and forget carry more risk than firms that maintain, document, and remediate.

The burden of proof moves

The directive also eases what a claimant must prove. It provides for disclosure of evidence, so a defendant can be ordered to hand over technical documentation, and it establishes presumptions of defectiveness and causation in cases that are excessively complex or technical. In practice, when the workings of an AI system are opaque even to experts, a court may presume defect or causation rather than force the claimant to reverse-engineer a black box. The practical effect is that thin documentation cuts against the maker, and the ability to show a sound, recorded development and update process becomes a core defense.

What it does not do

The directive is a civil-liability instrument. It does not license or approve AI systems, and it does not set the technical standards that the EU AI Act governs separately. It creates a route to compensation for people harmed by defective products, not a regulatory penalty regime. It also does not stand alone by accident. The European Commission's separate AI Liability Directive, which would have addressed fault-based AI claims, was withdrawn. That withdrawal leaves the revised Product Liability Directive as the principal civil-liability exposure for defective AI in the EU, which raises its practical weight.

The cross-border angle

For a US reader, the reach is direct. The directive does not stop at EU-headquartered firms. Any company that places software or AI on the EU market can face this strict-liability regime, and importers and distributors can be pulled in where the maker sits outside the EU. A US software or AI company selling into the EU should assume it is in scope for products placed on the market after December 9, 2026, and should treat the directive as a de facto standard for how liability for defective software will be argued. National transposition laws will vary in detail, so the exact contours will depend on each member state's implementation, but the strict-liability core and the December 9, 2026 deadline are set by the directive itself.

Frequently Asked Questions

What changed under the revised EU Product Liability Directive?

Directive (EU) 2024/2853 revises the EU's product liability rules and brings software and AI systems within the definition of "product." It applies strict, no-fault liability for defects, adds a duty to keep products defect-free and cybersecure via updates, and eases the claimant's burden of proof through evidence disclosure and presumptions of defect and causation in complex cases. Member states must transpose it by December 9, 2026.

Who does this affect?

Software makers, AI developers, system integrators, and importers or distributors that place software or AI on the EU market. It reaches non-EU companies, including US firms, that sell software or AI into the EU.

Does this apply to software already on the market before the deadline?

The directive applies to products placed on the market after the date it takes effect, following transposition by December 9, 2026. Products placed on the market before that point remain under the prior regime.

Is this the same as the AI Liability Directive?

No. The separate AI Liability Directive was withdrawn. The revised Product Liability Directive is now the main civil-liability exposure for defective software and AI in the EU.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.