The EU Directive 2024/2853, of 23 October 2024 (the “Directive”), sets out the new European framework for product liability, with the double objective of strengthening protections for injured physical persons and, at the same time, homogenising the rules that apply in all Member states to avoid distortions in the internal market. It does so by maintaining the logic of strict liability for product defects, while updating concepts and evidentiary rules to adapt them to a digital economy, connected products, software and, in general, more complex supply chains.
Its application is tied to the transposition schedule and the transitional rule: it will be applicable to products placed on the market or put into service from 9 December 2026, while the previous regime will remain applicable to products before this date.
- When it begins to apply
A practical and decisive aspect is the temporal one: the Directive replaces Directive 85/374/ECC with effect from 9 December 2026, but preserves the application of the repealed regime in respect of products placed on the market or put into service before that date; therefore, in damage claims, it will be essential to precisely determine the date on which the relevant product was “placed on the market” or “put into service” in order to identify the applicable regime, which will affect not only the liable parties and the burden of proof, but also the time limits and available defences.
- What changes in the approach to liability
The text sets out common rules on the liability of economic operators for damage suffered by natural persons caused by defective products, aimed at ensuring a high level of protection and the proper functioning of the internal market, in practice, the reform results in an expansion of the material and personal scope of liability and in the strengthening of procedural tools (especially as regards evidence) designed to balance the information asymmetry between injured parties and companies in highly technically complex cases.
- What damages are compensable and which are excluded from the harmonised regime
The right to compensation under the Directive extends only to (i) death or personal injury, including medically recognised psychological harm, (ii) damage to or destruction of property, subject to important exclusions (there is no compensation for the defective product itself, or for damage to a product caused by a defective component that is integrated into it or interconnected with it under the manufacturer’s control, nor for goods used exclusively for professional purposes) and (iii) destruction or corruption of data not used for professional purposes.
Moreover, it is expressly confirmed that compensation covers material losses and also non-material damage to the extent that it is compensable under national law, while coexistence with other national liability regimes for other types of damage remains in place (e.g. pure economic loss, privacy, or others) where these may be pursued through other avenues.
- What constitutes a defective product in the digital age and how the defect is assessed
A defect is defined by a reference to the lack of safety that a person is entitled to expect or that is required under EU or national law, and its assessment requires an overall judgment “in all the circumstances”.
Among the relevant assessment criteria are, in particular, presentation and instructions, reasonably foreseeable use, the effects of the product’s ability to learn or acquire new functionalities after being placed on the market or put into service, interaction with other products (including interconnectivity), the relevant moment when the product leaves the manufacturer’s control where the manufacturer retains subsequent control, and, especially significantly, the relevant safety requirements, including cybersecurity requirements relevant to safety.
Likewise, the mere existence of a better version or later updates does not automatically render an earlier product defective.
- Who may be liable
The core of liability remains with the manufacturer of the defective product and the manufacturer of the defective component where that component is integrated or interconnected under its control and has caused the product to be defective, but the effectiveness of claims in cross-border settings is reinforced: if the manufacturer is outside the EU, the importer, the authorised representative and, where there is no importer or authorised representative established in the EU, the logistics service provider may be liable. In addition, if no liable economic operator established in the EU can be identified, the distributer may be liable if, when requested to identify the relevant operator, it fails to identify that operator or its own distributor within one month. This provision is also extended, under conditions, to online platforms that enable distance contracting where the requirements laid down in the applicable regime are met.
- Substantial modifications: the “new manufacturer”
The Directive expressly introduces the figure of the person who substantially modifies a product outside the manufacturer’s control and subsequently places it on the market or puts it into service: that person is deemed to be the manufacturer for liability purposes. This requires a reassessment, in refurbishment, remanufacturing, retrofit or significant update operations, of both the contractual allocation of risk and the design of technical and documentary traceability in order to determine responsibility in the event of damage.
- Evidence and disclosure
One of the most significant changes for litigation practice is the introduction of a specific rule on disclosure of evidence: if the claimant presents sufficient facts and evidence to make the claim plausible, the court may require the defendant to disclose relevant evidence in its possession. Symmetrically, the defendant is also recognised as having the possibility of requesting disclosure from the claimant, subject to strict limits of necessity and proportionality and with particular attention to the protection of confidential information and trade secrets, enabling the court to adopt specific measures to preserve confidentiality and, where proportionate, to require that the evidence be presented in an accessible and comprehensible form.
- Exemptions from liability and limits
The Directive recognises grounds for exemption, for example where the product was not placed on the market or put into service by the defendant, or the so-called “development risk” defence linked to the objective state of scientific and technical knowledge. However, it introduces a rule of major significance for digital and connected products: the exemption based on the defect not existing at the time of marketing does not apply where the defect is attributable, while under the manufacturer’s control, to a related service, software (including updates or upgrades), the failure to provide updates or upgrades necessary to maintain safety, or a substantial modification. This provision shifts the focus to the governance of the product life cycle and the manufacturer’s real control over updates, “upgrades” and integrated or interconnected services that affect safety.
- Joint and several liability
When two or more operators are liable for the same damage, they may be held jointly and severally liable, which strengthens the injured party’s position and shifts the question of allocation to the internal stage (recourse/contribution). In addition, a specific scenario is provided for in which the manufacturer incorporating a software component will not have a right of recourse against the manufacturer of the defective component where the latter is a micro-enterprise or a small enterprise at the time the component is placed on the market and there is a contractual agreement waiving such recourse. This rule should be taken into account in software integration negotiations and supplier management.
- Key time limits
Although the Directive establishes a common framework, it also introduced a ten-year expiry period from the time the product that caused the damage was placed on the market or put into service, or from the time it was placed on the market or put into service following a substantial modification, unless proceedings were brought within that period, and it provides for a twenty-five year exception in cases of latent personal injury that prevented the claim from being brought within the general period. This requires, for claim or defence strategy, a precise reconstruction of the product’s life cycle and the emergence of the damage.
- Implications for companies
From a compliance and risk-management perspective, the new framework reinforces the importance of (i) technical documentation and traceability of versions, components and updates, (ii) control of suppliers and the supply chain (including importers, authorised representatives and logistics providers), (iii) governance of updates and cybersecurity as an element of product safety, and (iv) readiness for litigation involving requests for disclosure of evidence and confidentiality measures.
Additionally, the Directive does not alter the coexistence with other regimes, so it is advisable to coordinate product incident management with general product safety rules and with the response to claims and accidents, preserving evidence from the earliest stages.
- Coexistence with national law and other regimes
The EU regime on defective products operates without prejudice to the rights that the injured person may have under national rules of contractual or non-contractual liability for reasons other than the defect, and also without affecting the applicability of EU law on the protection of personal data.
In particular, in the digital economy, it should be remembered that claims for damage linked to data protection infringements have their own compensation route, since any person who suffers material or non-material damage as a result of GDPR infringement is entitled to compensation from the controller or processor, under specific rules on liability and exoneration. This makes it necessary to assess, on a case-by-case basis, whether the harm falls within a product defect (safety) or a data protection compliance breach (lawfulness of processing), or within both frameworks with cumulative or coordinated claims.
Shameem Hanif
Vilá Abogados
For more information, contact:
29th May 2026