The updated European Union Product Liability Directive (hereinafter, “PLD”) entered into force on 8th December 2024 and modernises existing framework to include new technologies and software, clarifying the scope of product liability rules in the EU.
The provisions relating to AI are of particular interest given the AI boom and major, rapid advances in machine-learning technology. The number of EU businesses using AI systems is increasing steadily, with over 20 per cent of Spanish businesses using AI in 2025, and 55 per cent of large EU businesses using it.[1] The extent of the use of AI by ordinary EU consumers cannot be overstated either – OpenAI’s ChatGPT, one of the industry’s flagship chatbot models, attracted 120.4 million average monthly active users in the bloc between April and September 2025, representing over a quarter of the 450 million population of the EU. The integration of AI into both business and private life is therefore well and truly under way, and legislation is racing to catch up to such a transformative economic force while juggling the so-called AI race with China and the US. The EU faces a balancing act of regulation and allowing for innovation, seeking to foster a competitive AI market without opening Pandora’s box on a technology whose economic and social consequences may be as difficult to contain as they are transformative.
This update to the PLD is just one piece of the puzzle in the EU’s regulation of emerging technologies. It complements the EU Regulation (2024/1689) of 13 June 2024 on AI (hereinafter, “AI Regulation”), which is the first horizontal regulation of AI in the bloc, establishing a risk-based framework for AI systems by grading them on a scale from posing “minimal risk” to “unacceptable risk”. Yet, whereas the AI Regulation is largely preventative, imposing obligations to manage risks before AI systems cause harm, the PLD is more remedial. It determines when those harmed by AI products may obtain compensation and, for businesses, this is particularly important. It regulates whether responsibility for harm caused by an AI system can be attributed to actors in the supply chain, and who bears the cost when it fails.
AI software as “products” capable of causing harm
Regarding the specific provisions for new technologies, the first important update to the PLD is the confirmation that AI systems are classified as “products”, irrespective of their mode of usage. This makes the provider of an AI system a manufacturer, subjecting them to strict product liability regulations.
The PLD places emphasis on the continued control that manufacturers of software have over the product, in contrast with the typical “factory gate” principle. Control is still considered exercisable when it is possible to install updates or upgrades to the product and, since AI products are typically updated and upgraded periodically, it is likely that this provision would apply to most, if not all, of them.
The PLD draws particular attention to the ability of products to “learn or acquire new features after it is placed on the market” as it stipulates that there is a legitimate expectation that software and algorithms are designed to prevent hazardous behaviour. Even if true continual learning of AI is not yet deployed in the sense of AI systems autonomously acquiring and retaining new knowledge, the risks identified by the PLD are not merely theoretical. AI-enabled products can still behave in unexpected and harmful ways within their operational environment, for instance, when an AI agent reportedly deleted a company’s entire production database and backups despite instructions intended to prevent destructive action.[2] This does not mean that current AI systems are fully autonomous, self-preserving or self-teaching machines. It does, however, demonstrate that they may exercise a sufficient degree of functional autonomy and produce outcomes which stray from their intended use, particularly when integrated into live infrastructure. The PLD is therefore significant because AI-related harm may well arise from a defect present at the point of release, but importantly, it may also arise from the way in which the AI operates, is updated, or interacts with its environment after being placed on the market. Importantly, the PLD states that a manufacturer that designs a product with the ability to develop unexpected behaviour “should remain liable for behaviour that causes harm.” The obligation to ensure that effective guardrails are in place to prevent harm is therefore likely to become increasingly important as AI systems become even more autonomous in the near future.
The same logic applies where AI is deployed as part of a manufacturer’s production or quality-control process, rather than forming part of the final product itself. A manufacturer may, for example, rely on an AI inspection system to detect defects, verify compliance with technical specifications or approve products before they leave the production line. This creates a particular risk where the AI system produces a false positive – in other words, where it wrongly indicates that a product is compliant or safe, allowing an unnoticed defect to escape the final quality-control process. In this scenario, the use of AI does not displace the manufacturer’s responsibility for the safety of the final product. The fact that an AI system approved the product is unlikely, by itself, to shield the manufacturer from liability if the product is ultimately defective. On the contrary, the use of AI in the production process may become part of the factual assessment of how the defect arose, whether the manufacturer had appropriate safeguards in place, and whether there was adequate human oversight of the AI-enabled quality-control process. This is particularly important because the PLD expressly requires the assessment of defectiveness to take account of all relevant circumstances, including the product’s design, technical features, reasonably foreseeable use and applicable safety requirements. Where AI is used to approve products before they leave the production line, the failure to detect a defect may therefore be relevant to the assessment of whether the final product provided the required level of safety. If litigation arises, the manufacturer may also be required to disclose evidence concerning the AI-enabled quality-control process, including how the system was tested, monitored and relied upon when approving the product.
Liability in the supply chain
This focus on AI as a component within products also has consequences for liability within the supply chain. Article 12(2) provides that a manufacturer integrating a software component into a product will not have a right of recourse against the manufacturer of the defective component where the latter is a microenterprise or small enterprise, and where the integrating manufacturer had contractually agreed to waive that right. Article 12(2) may offer micro and small software developers a degree of protection from recourse claims by larger integrating manufacturers, where such recourse has been contractually waived. However, this does not remove the need for careful contractual risk allocation, nor does it necessarily shield smaller developers from all forms of liability.
Additionally, in terms of litigation, Article 9 of the PLD states that once a claimant presents facts and evidence supporting a plausible claim, the manufacturers being sued must disclose relevant evidence at their disposal and may be required to present such information in an “easily understandable” format. Crucially, pursuant to Article 10 of the PLD, if the manufacturer refuses to disclose this evidence – which may well include information about algorithms and software coding – the product shall be presumed defective.
The practical importance of these provisions is reinforced by the CJEU Case C-203/22, Dun & Bradstreet Austria GmbH of 27 February 2025. Although decided under the GDPR rather than the PLD, it shows the CJEU’s reluctance to allow algorithmic opacity to prevent scrutiny of automated systems. The Court held that meaningful information about automated decision-making must explain, in a concise and intelligible way, the procedure and principles applied to an individual’s data – vague or purely technical references to an algorithm will not suffice, and trade secrets cannot justify a blanket refusal to disclose information. The PLD strengthens this position in the context of product liability by creating a dedicated disclosure mechanism for technical evidence and by assigning a concrete consequence to non-disclosure (i.e. presuming defectiveness).
National transposition of the PLD
As of May 2026, the Member states that have published bills transposing the PLD are Germany, the Netherlands, Denmark, Finland, the Czech Republic, Slovakia, and Sweden, while Hungary has already adopted its transposing law. Key differences have already emerged in the bills transposing the PLD. For example, the PLD leaves it up to Member states to decide whether compensation should extend to non-material losses such as pain and suffering, with Germany’s draft law allowing for the recovery of non‑material damage in accordance with general civil‑law principles.
The PLD must be transposed by all Member states into national law by 9th December 2026, and the level of harmonisation for liability damages remains to be seen. The PLD will fundamentally alter the EU’s product liability landscape, and it will be crucial for businesses to monitor the divergence across Member states as it is further transposed in the coming months.
Amelia Gibbins
Vilá Abogados
For more information, contact:
29th of May 2026
[1] https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Use_of_artificial_intelligence_in_enterprises#Source_data_for_tables_and_graphs
[2] https://www.theguardian.com/technology/2026/apr/29/claude-ai-deletes-firm-database