Software supply chain vulnerabilities are a multimillion-dollar problem, according to a study by Juniper Research, and it’s not going away. The cost of software supply chain attacks is expected to increase from US$45.8 billion in 2023 to US$80.6 billion in 2026. As such, regulations are beginning to hold software vendors accountable.
With the new European Union (EU) directive on liability for defective products, for instance, software vendors operating and selling in the region could face greater liability exposure when security defects in their software cause harm.
Under this directive, consumers can demand compensation not only for death, physical injury, income loss, or property damage, but also for the deletion or corruption of their data. The amount of compensation ultimately depends on each Member State’s calculations, which are expected to be settled before the directive takes effect on 9 December 2026.
This post sheds some light on the new directive and aims to help organizations scrutinize their current processes and ensure that software development and deployment align with the new EU rule.
What Is the New Directive All About?
The newly adopted Directive (EU) 2024/2853 of the European Parliament and the Council on Liability for Defective Products repeals and expands the previous directive (i.e., EU Product Liability Directive 85/374/EEC) to take into account recent developments in technologies that introduced new types of products.
It essentially modernizes existing rules to better protect consumers in the digital age. One of the most significant takeaways from the directive is the stricter liability standards for manufacturers, as the burden of proof falls on them when consumers seek compensation. We’ll dive deeper into some of the details you need to know.
Who Should Pay Attention to the New Directive?
Among the major changes to the directive is the broader definition of the term “product.” Considering that the digital age has both tangible and intangible products, the rules now encompass software products, such as operating systems (OSs), firmware, computer programs, applications, artificial intelligence (AI) systems, cloud applications, and software-as-a-service (SaaS) solutions. As such, new types of organizations are now under the scope of the product liability directive.
Software Development Companies
Under the directive, software is explicitly considered a product, putting the developer or producer of software products on the same footing as traditional manufacturers. As a result, software companies will be held liable for defects in their products, regardless of how these are accessed (e.g., downloaded onto or stored on a device, accessed through the Internet, or delivered via the cloud).
Once a product is released, the manufacturer is responsible for providing software updates and upgrades, either directly or through a third-party partner. The manufacturer continues to be liable for these software updates, so testing bug fixes and new features becomes more critical than ever.
However, the manufacturer can’t be held liable for any product or service recommendation that turns out defective. For example, if an OS provider recommends a specific antivirus software, but that software has a problem, the antivirus company is responsible, not the OS provider. The OS provider is only responsible for its own software, not for the products or services it is connected to.
Digital Service Providers
Digital services tightly integrated into a product are also covered by the directive since they are part of the product and should be held to the same safety standards.
Some examples of these services include the continuous supply of traffic data to a car’s navigation system, a health monitoring service relying on a physical product’s sensors to track a user’s physical activity and health metrics, or a temperature control service that monitors and regulates the temperature of a smart fridge.
Certain Digital File Providers
Digital content is generally not covered by the product liability rules. After all, reading an e-book with typos can be annoying, but doesn’t cause physical harm.
However, the creators or publishers of digital files used to create physical objects (e.g., 3D printing files) can be held liable under the new EU directive. In other words, if a defective digital file leads to a harmful physical product, the user can sue the file provider and seek compensation.
Direct-to-Consumer E-Commerce Platforms
The new EU rules intend to make online selling platforms more accountable. If a platform acts as a traditional store and sells its own products, the business is liable for any harm caused by a product defect.
However, the directive does not cover online marketplace platforms or those that merely connect buyers and sellers.
What Digital Products Are Not Covered?
Some of the exemptions were already mentioned in the previous sections. For example, digital content like e-books and online marketplaces are not under the purview of the new EU directive.
Free and open-source software contributed outside the course of a commercial activity is also exempt. However, any manufacturer that integrates open-source software as a component of its product could be held liable.
Finally, the directive’s coverage is limited to software products used by individuals. Those used for professional purposes are excluded from the directive’s scope. Therefore, only individuals, not companies, can seek compensation.
What Does the Directive Mean for Companies?
It’s clear that the European Parliament recognizes the increasing importance of digital assets and the need to secure them to protect consumers. The new directive has significant implications for organizations within its scope, requiring them to:
- Intensify attack surface discovery and monitoring: Now more than ever, companies that develop and distribute their own digital products need extensive visibility over all their assets and related vulnerabilities to ensure that all digital touchpoints are well-protected.
- Implement robust testing and quality assurance: Companies that sell and operate software products in the region should adopt rigorous testing procedures, such as static application security testing (SAST) and dynamic application security testing (DAST), during the early stages of the development life cycle to identify and fix defects before product releases. After launching the product, software providers can leverage external attack surface management (EASM) to continuously monitor all their Internet-facing assets.
- Adhere to secure software development processes and standards: The EU has several regulations dictating secure software development, including the Network and Information Systems (NIS2) Directive, the General Data Protection Regulation (GDPR), and the Cyber Resilience Act (CRA). Embedding these security standards throughout the entire software development process can significantly help affected companies avoid the repercussions of the new product liability directive.
Monitor external assets and vulnerabilities tied to your software with Attaxion to ensure compliance and avoid product liability impacts. Schedule a customized demo now.