Directive (EU) 2024/2853: Product Liability Enters the Digital Age

June 24, 2026

How Are Ex Gratia Payments on Termination of Employment Now Taxed?

Cyprus’s Social Insurance Debt Regulation: What Employers and the Self-Employed Must Know Before September 2026

Article 102 TFEU: The Prohibition of Abuse of Dominant Position

On 18 November 2024, Directive (EU) 2024/2853 on liability for defective products was published in the Official Journal of the European Union, repealing Council Directive 85/374/EEC and bringing to a close nearly four decades of largely unchanged product liability law in Europe. Member States must transpose it by 9 December 2026.

The new Directive constitutes one of the most significant developments in the field of European liability law, as it seeks to adapt a legislative framework dating back to 1985 to the demands of the digital economy, artificial intelligence, and modern technological products. The 1985 framework was built for a world of tangible goods; it was never designed to grapple with software, algorithms, cloud services, or artificial intelligence. As these technologies have come to define how modern products function, the gap between the law and commercial reality has widened considerably. The new Directive closes that gap, modernising the rules for the digital age while preserving a high level of consumer protection and providing the legal certainty that businesses operating in the European market need.

Expanding the Definition of a Product

One of the most significant innovations introduced by the Directive concerns the expansion of the concept of a “product”. For the first time, software is expressly recognised as a product for the purposes of product liability rules, encompassing operating systems, applications, firmware, and artificial intelligence systems. This removes longstanding uncertainty regarding the treatment of damage caused by digital components, reflecting the understanding that a software defect may be just as harmful as a manufacturing defect in a physical product and should therefore be subject to the same liability regime.

The inclusion of AI systems is particularly significant. Unlike conventional products, AI systems learn, adapt, and modify their behaviour autonomously, meaning the cause of damage may lie not in a physical defect but in an erroneous algorithmic decision. The Directive addresses this directly, ensuring that the same liability principles apply regardless of the technology underpinning the product.

The Directive also addresses products that continue to evolve after being placed on the market through software updates or connected digital services, adopting a more dynamic conception of liability. Notably, cybersecurity vulnerabilities may be taken into account when assessing whether a product is defective.

Expanding the Range of Liable Parties

Beyond the producer, the Directive extends liability to authorised representatives, importers, fulfilment service providers, and online marketplace operators. This is particularly significant in e-commerce, where a producer is not established in the EU, and there is no authorised representative or importer, an online marketplace operator may itself be treated as the liable party; as such, ensuring that consumers always have an identifiable defendant within the EU.

Expanding the Scope of Compensable Damage

The Directive broadens the categories of recoverable damage to include, for the first time:

Loss or corruption of data: The deletion or alteration of digital data not used exclusively for professional purposes is now a recoverable head of damage.
Medically recognised psychological harm: Such harm is compensable even where it is not accompanied by physical injury.

Strengthening Consumer Protection: Presumptions and Disclosure

The complexity of modern technological products can make it difficult for an injured consumer to establish liability. The Directive addresses this by introducing:

A rebuttable presumption of defectiveness applies in particular where a producer fails to comply with a court order to disclose relevant evidence.
A rebuttable presumption of causation, where defectiveness is established, and the associated risk corresponds to the type of damage suffered.
Judicial disclosure powers: Courts may order producers to disclose relevant technical documents and data; non-compliance may be drawn upon adversely.

The Development Risk Defence and AI Systems

The Directive retains the development risk defence, by which a producer may escape liability if it proves the defect could not have been discovered given the state of scientific knowledge at the time of placing the product on the market. However, defects arising or worsening as a result of a post-market software update or modification fall outside the scope of this defence — a significant limitation for producers of remotely updated technological products.

Limitation Periods

The three-year limitation period and ten-year long-stop period are both retained. An important innovation is the extension of the long-stop period to twenty-five years in cases of personal injury that manifests at a later stage — a provision of particular relevance to damage associated with AI systems or technological products whose harmful effects may not become apparent until years after market placement.

What Businesses Should Do Now

Ahead of transposition into Cypriot law in December 2026, businesses should consider:

Reviewing product liability policies to ensure coverage extends to software and AI systems.
Assessing the cybersecurity posture of products placed on the market.
Re-examining commercial agreements with suppliers, importers, and fulfilment service providers.
Reviewing data management policies in light of data loss being recognised as a recoverable head of damage.
Assessing liability exposure for operators of online marketplaces selling products from non-EU producers.
Reviewing product liability insurance to ensure digital and cyber risks are adequately covered.

Conclusion

Directive (EU) 2024/2853 is one of the most significant reforms of European liability law in recent decades. The recognition of software as a product, the expanded range of liable parties and recoverable damage, the introduction of rebuttable presumptions and disclosure mechanisms, and the direct engagement with AI all reflect the EU’s commitment to ensuring that technological progress is matched by a correspondingly modern framework of accountability. Its forthcoming transposition into Cypriot law will mark an important step in modernising the existing product liability regime.

Author:

Ronika Bilali

Trainee Lawyer

ronika.bilali@patsalides.com.cy