1. Expanded Definition of “Product”
The directive introduces a significantly broader definition of “product”:
- In addition to the existing definition of “movable goods,” it now includes electricity, digital design documents, raw materials, and—critically—software, including AI systems, as “products” within the meaning of the directive.
- The only exception is non-commercial open-source software.
- Products that are supported or controlled by digital services (“connected services”) are also considered products.
This adjustment reflects increasing digitization and the development of the Internet of Things: manufacturers of apps, software tools, or smart devices will henceforth be subject to the same liability rules as traditional industrial manufacturers.
2. Who Is Liable? – Expansion of Economic Operators
Previously focused mainly on manufacturers, importers, and retailers, the new directive significantly broadens the range of potentially liable parties:
- Manufacturers and so-called quasi-manufacturers (e.g., due to branding).
- Importers (for manufacturers located outside the EU).
- Authorized representatives if no importer exists.
- Fulfillment service providers that handle storage, packaging, or shipping, provided no other responsible party exists in the EU.
- Online platforms or suppliers are secondarily liable if the other parties have no EU presence.
Thus, potentially every party along the supply chain bears responsibility. This significantly broadens the scope of liability.
3. Evidence and Burden of Proof
A key objective of the directive was to facilitate access to compensation for injured parties. It includes two major innovations:
- Disclosure Obligation: Courts can now require companies to disclose specific information or documents related to production, testing, or safety. This mirrors the “discovery” process known from Anglo-American legal systems.
- Burden of Proof: While the burden of proof for defect, damage, and causation remains with the claimant, it is eased by a reversal of burden if the claimant makes a plausible case for a product defect.
4. Legal Tightening on Definition of Defects, Cybersecurity & Exemptions
- Definition of Defect: A product is considered defective if it does not provide the safety that a buyer is reasonably entitled to expect—this includes aspects such as AI learning behavior, recalls, or interfaces with other products.
- Cybersecurity: Manufacturers are explicitly liable for damages caused by security vulnerabilities; missing updates or patches can become grounds for liability.
Germany is expected to implement the directive through a comprehensive amendment to the Product Liability Act (ProdHaftG), accompanied by changes to the Code of Civil Procedure to reflect the new disclosure and evidentiary rules. Particularly interesting will be how the disclosure-like obligations are integrated into German civil procedure law.
Conclusion
EU Directive 2024/2853 marks a paradigm shift: In addition to physical goods, it now covers software-based products and AI; liability extends further along digital supply chains, underpinned by robust rights of evidence and disclosure for injured parties. The goal is a modern, harmonized consumer protection regime for the digital age. For Germany, this entails far-reaching reforms—with the national implementation due by December 9, 2026. However, those involved in the manufacture and distribution of products should use the remaining time to prepare for the new rules in a timely manner.
Do you have any questions? Please feel free to contact us!
