The 2024 revision of the EU Product Liability Directive pulled software, digital services, and AI squarely into strict product liability — and the UK has its own evolving product safety regime. This checker walks the key questions to tell you whether the regime applies to your product, who the liable producer is, and what to document.
How it works
The tool follows the decision logic of the revised PLD and UK product safety framework:
Is it software / a digital service / connected hardware / a tangible good?
→ If software or a digital service that affects a product's safety → PLD applies
→ If connected hardware → PLD + cyber/update obligations apply
Who placed it on the market, and is the manufacturer outside the EU?
→ Determines whether you are producer, importer, or authorised representative
Does it receive updates or contain AI?
→ Missing security updates can themselves be a "defect"
Each branch resolves to a classification: whether you carry producer liability, your role in the chain, and the records that help rebut the directive’s presumption of defectiveness.
What changed in the 2024 revision
The original 1985 Product Liability Directive was designed for physical goods. Software was a grey area — courts debated whether it was a “product” at all. The 2024 revision removes that ambiguity by explicitly extending the definition of “product” to include:
- Standalone software (including apps and operating systems)
- Digital manufacturing files (for example, files used to 3D print a component)
- AI systems
- Software embedded in or integrated with hardware
Digital services that affect how a physical product works can also trigger liability. This means a SaaS company whose service controls an industrial machine, or an app that manages a medical device, can be in scope.
The update obligation — a new source of liability
Perhaps the most consequential change is the update defectiveness rule. Under the 2024 PLD, a product that was safe when released can become defective after sale if the producer:
- Becomes aware of a vulnerability that poses a safety risk, and
- Fails to release an appropriate patch within a reasonable time, and
- That failure was within their control
This creates a continuing obligation, not just a release-time assessment. For software teams, it means vulnerability management is not just a security best practice — it is a legal obligation with potential product liability consequences.
Who counts as the producer
For EU purposes, the liable producer is:
- The manufacturer (or developer, for software) who places it on the market
- Anyone who puts their name or trademark on it
- The importer, where the manufacturer is outside the EU and the product is placed on the EU market
- An authorised representative named by a non-EU manufacturer
Documentation that helps defend a claim
If a claim arises, the producer must show the product was not defective when placed on the market, or that the defect arose after and was not due to their failure. Useful documentation includes:
- Technical design and safety decision records
- Testing and quality assurance evidence from the time of release
- The update and patch history and the vulnerability-handling process
- Evidence of the state of the art at release (what safety measures were standard practice)
This is an educational aid, not legal advice. National transposition of the PLD varies across EU member states, and the UK product safety reform is developing separately. Confirm your obligations with qualified counsel in the relevant jurisdiction.