Between 1957 and 1962, more than 10,000 babies were born with physical abnormalities caused by the drug thalidomide. Out of this came stricter regulations for approving new drugs and vaccines that remain in effect to this day.
Following the thalidomide disaster, the European Commission introduced the Product Liability Directive (PLD) as a cornerstone of consumer protection. This directive ensures that individuals harmed by defective products can claim compensation.
Recent updates to the PLD aim to modernize its scope, tackling challenges posed by emerging technologies and holding producers of digital products accountable for potential harm, much like the physical impact of thalidomide. This underscores the need for businesses, particularly in the digital sector, to understand its implications and adapt proactively.
Brief History
The Product Liability Directive 85/374/EEC, adopted in 1985, was groundbreaking for its time. It introduced the concept of strict product liability for manufacturers, meaning claimants did not need to prove negligence, only that a defect in the product caused the harm. This marked a shift towards stronger consumer protection across what were then the European Communities and is now the European Union.
Key milestones in the evolution of the PLD include:
- The Original Directive (1985):
- The directive aimed to harmonize product liability laws across EU member states. Its focus was on physical products like consumer goods, machinery, and pharmaceuticals.
- Liability was assigned to manufacturers, importers, and distributors within the EU.
- 1999: First Amendment:
- Directive 1999/34/EC extended the PLD's scope to primary agricultural products. By then all member states had transposed the original directive into national law, giving the EU a unified approach to product liability.
- Early Challenges:
- Courts faced difficulties interpreting the directive in cases involving intangible goods like software, which were not explicitly covered in the original text.
- Digital Economy Creates Pressure for Reform (2000s):
- The rise of software-driven products, IoT devices, and AI systems exposed gaps in the directive’s coverage. High-profile incidents involving defective software and cybersecurity breaches emphasized the need for modernization.
- Reform and Modernization (2020s):
- In response to rapid technological advancements, the European Commission proposed updates to the PLD. These revisions aim to explicitly include digital products, services, and emerging technologies like AI and autonomous systems.
The updated PLD, Directive (EU) 2024/2853, was adopted in October 2024. Member states must transpose it by 9 December 2026, and it applies to products placed on the market after that date. It underscores the EU's dedication to tackling risks in the digital economy while staying true to its core mission: guaranteeing fair compensation for consumers injured by defective products.
Impacted Entities
The PLD affects a broad spectrum of stakeholders, including:
- Manufacturers
- Companies producing goods or software-based products marketed within the EU are the primary focus. These include both traditional physical products and digital components, such as software embedded in medical devices, vehicles, or consumer electronics.
- Importers and Distributors
- Entities bringing products into the EU or distributing them are liable if the product's manufacturer is located outside the EU or is unidentifiable. Importers must ensure compliance with the directive when dealing with non-EU manufacturers.
- Resellers, Authorized Representatives and Online Platforms for Digital Products
- The updated directive increasingly applies to resellers, authorized representatives, fulfilment service providers and online platforms if the product is made by a non-EU manufacturer. Online marketplaces, however, are exempt from liability unless they present the product in a way that leads an average consumer to believe the marketplace itself is the product's manufacturer or supplier.
- Businesses Leveraging AI and Emerging Technologies
- AI-driven platforms, autonomous systems, and other cutting-edge technologies are assessed against the same defect standard as any other product. Liability can extend to harm caused by unforeseen behaviours of AI systems, including behaviour a system learns after it has been placed on the market, and to defects introduced by the producer's handling of data and updates.
These changes aim to guarantee that, regardless of a product's origin, there will always be an EU-based business accountable for damages caused by a defective product, including a digital product.
Implications of PLD
Expanded Scope of Application
The PLD now explicitly includes software, digital services, and emerging technologies including:
- Operating Systems
- Firmware
- Standalone Software
- Software as a Service (SaaS)
- Connected devices - Internet of Things (IoT)
- AI-enabled services (AISaaS)
- AI-enabled devices (AIIoT)
- Commercialized open-source software
At the same time, the following have been left out of scope:
- Digital "non-manufacturing" files such as text or image files (information content rather than a product)
- Source code
- Free and open-source software developed or supplied outside the course of a commercial activity
Updated Definition of Defect
The PLD extends strict liability to defects arising from software updates, AI, machine learning, and more. Additionally, a product can now be deemed defective due to cybersecurity vulnerabilities, including instances where the producer fails to provide the software updates needed to keep the product safe. This holds even when the vulnerability is exploited by a third party such as a cybercriminal: the intervening attack does not by itself excuse the producer.
Easier Burden of Proof
Previously, burden-of-proof requirements accounted for more than 53% of rejected claims. The PLD update makes it easier for claimants to succeed by shifting the burden of proof in some cases.
Specifically, the updated rules allow a defect to be presumed when the product does not comply with mandatory product safety requirements under EU or national law, and allow a defect or the causal link to be presumed when proving either is excessively difficult because of the product's technical or scientific complexity, provided the claimant shows it is likely.
Stricter Compliance Requirements
Businesses must demonstrate robust product safety mechanisms, maintain detailed documentation, and ensure transparency in their development processes, particularly for AI systems.
Financial Implications
The PLD revision covers not only physical damage but also medically recognized damage to psychological health, as well as destruction or corruption of data that is not used for professional purposes, which means broader claim eligibility. The directive is a civil liability regime rather than a penalty regime, so the financial exposure comes from compensation claims: non-compliance can lead to more and larger legal disputes, and to reputational damage.
Risk Management Obligations
The updated directive introduces rules under which a court can order the defendant, and at the defendant's request the claimant, to disclose relevant evidence during legal proceedings, helping to address the imbalance in access to information between a manufacturer and an injured consumer.
This change underscores the need for stakeholders to ensure full regulatory compliance and to have robust processes for managing documents and internal communications.
Navigating the Product Liability Directive
- Adopt Robust Risk Management Practices
- Implement comprehensive quality assurance processes, regular risk assessments, and post-market surveillance for defects, including software vulnerabilities.
- Leverage SBOMs for Transparency and Compliance
- A Software Bill of Materials (SBOM) offers visibility into a product's software components, enabling proactive vulnerability management. SBOMs can also serve as evidence of due diligence in the event of a liability claim.
- Prioritize Cybersecurity
- Ensure compliance with standards like ISO/IEC 18974:2023 (OpenChain Security Assurance Specification) to mitigate risks associated with software vulnerabilities. This can demonstrate that reasonable efforts were made to deliver secure products.
- Engage Legal and Compliance Experts
- Collaborate with legal teams to interpret the directive's implications for your specific product portfolio. This can help establish a clear liability chain and mitigate potential disputes.
- Invest in AI Governance
- For businesses using AI, establish governance frameworks to address algorithmic transparency, data usage policies, and ethical considerations, ensuring that systems are fair, safe, and secure.
- Stay Ahead of Regulatory Updates
- Monitor developments in EU regulations and directives, as the legislative landscape continues to evolve. Active engagement with industry bodies and policy discussions can provide early insights into changes.
Role of SBOM
Given that the PLD now extends to software and AI products and makes cybersecurity a key part of consumer protection, the Software Bill of Materials (SBOM) will play a pivotal role in helping organizations meet its requirements.
To meet PLD requirements, limit consumer harm and defend against litigations, organizations must work towards:
Documenting software composition, vulnerabilities and exploitabilities
For software manufacturers, the updated Product Liability Directive (PLD) extends liability to include exploitable vulnerabilities originating from open-source and third-party components integrated into their product. Since modern applications rely heavily on the open-source ecosystem for common functionality, the choice of each open-source component must be justifiable.
By leveraging Software Bill of Materials (SBOM) to document the composition of each software version and associated vulnerabilities, organizations can establish a routine of conducting risk assessments. These assessments can be invaluable in defending against liability claims if litigation arises. For instance, promptly addressing a newly discovered exploitable vulnerability, providing a patch, and ensuring it is made available to customers serve as the strongest defense against liability claims stemming from harm caused by such vulnerabilities.
Implementing software change monitoring
Under the PLD, exploitable software vulnerabilities can be treated as defects, making it crucial to maintain a clear record of patches and mitigations. This is especially critical for software deployed in external environments such as IoT devices or on-premises installations, which are often overlooked for updates and can therefore remain exposed long after a fix exists, turning them into a liability for the manufacturer.
By adopting an SBOM automation program, software developers can integrate documentation into the SDLC, automatically tracking software changes as they move through the development lifecycle and beyond. Being able to compare the state of the software at any point in time with its most recent revision makes it easier to prepare a defense against invalid claims.
Facilitate consumer transparency
When considered alongside the Cyber Resilience Act (CRA)'s requirements for vulnerability reporting, user-friendly information disclosure, end-of-life/service communication, and security labeling, it’s clear that digital products are entering an era of greater transparency and accountability.
Leveraging SBOMs to communicate these requirements directly to consumers and customers enables organizations to stand out from the competition and reduce their exposure to potential litigation.
Enhance post-market monitoring
Product liability doesn't end once the product is created; it requires ongoing monitoring for defects identified after release. An SBOM with a unique identifier for each component (for example a package URL) offers the most effective way to systematically track the open-source and third-party components that make up the final product, eliminating the need for ad-hoc monitoring.
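The three SBOM practices above (documenting composition and exploitability, monitoring changes between releases, and post-market tracking by component identifier) come together in a per-release record. The following is an added example, not code from the original page or from any vendor tool: it takes two constructed CycloneDX-style SBOMs for a hypothetical firmware, a constructed advisory list whose identifiers are placeholders rather than real CVEs, and produces a record of what changed and which advisories were resolved, introduced, or remain open with the manufacturer's VEX-style exploitability assessment. It assumes simple numeric dotted versions; real products need a proper version comparator.

```python
"""Added example: SBOM diff plus advisory matching for a per-release liability record.
All SBOMs, component names and advisory IDs below are constructed for illustration."""
from __future__ import annotations

import json
from typing import Any

# Constructed CycloneDX-style SBOMs for two releases of a hypothetical "sensor-firmware".
SBOM_V1: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "sensor-firmware", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "libtls", "version": "2.4.1", "purl": "pkg:generic/libtls@2.4.1"},
        {"type": "library", "name": "jsonparse", "version": "0.9.0", "purl": "pkg:generic/jsonparse@0.9.0"},
        {"type": "library", "name": "mqttc", "version": "1.1.0", "purl": "pkg:generic/mqttc@1.1.0"},
    ],
}
SBOM_V2: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"name": "sensor-firmware", "version": "1.1.0"}},
    "components": [
        {"type": "library", "name": "libtls", "version": "2.4.3", "purl": "pkg:generic/libtls@2.4.3"},
        {"type": "library", "name": "jsonparse", "version": "0.9.0", "purl": "pkg:generic/jsonparse@0.9.0"},
        {"type": "library", "name": "otaclient", "version": "3.0.0", "purl": "pkg:generic/otaclient@3.0.0"},
    ],
}

# Constructed advisory list. IDs are placeholders, not real CVEs. "affected_below" is the
# first fixed version; "exploitable" is the manufacturer's own VEX-style assessment.
ADVISORIES: list[dict[str, Any]] = [
    {"id": "ADV-0001", "name": "libtls", "affected_below": "2.4.3", "exploitable": True},
    {"id": "ADV-0002", "name": "jsonparse", "affected_below": "1.0.0", "exploitable": False,
     "justification": "vulnerable_code_not_in_execute_path"},
    {"id": "ADV-0003", "name": "mqttc", "affected_below": "1.2.0", "exploitable": True},
]


def version_key(version: str) -> tuple[int, ...]:
    """Assumption for this example: purely numeric dotted versions (1.2.3)."""
    return tuple(int(part) for part in version.split("."))


def components_by_name(sbom: dict[str, Any]) -> dict[str, dict[str, Any]]:
    return {c["name"]: c for c in sbom["components"]}


def diff_sboms(old: dict[str, Any], new: dict[str, Any]) -> dict[str, list]:
    """Components added, removed, or version-bumped between two releases."""
    old_c, new_c = components_by_name(old), components_by_name(new)
    return {
        "added": sorted(n for n in new_c if n not in old_c),
        "removed": sorted(n for n in old_c if n not in new_c),
        "changed": sorted(
            (n, old_c[n]["version"], new_c[n]["version"])
            for n in old_c.keys() & new_c.keys()
            if old_c[n]["version"] != new_c[n]["version"]
        ),
    }


def match_advisories(sbom: dict[str, Any], advisories: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Advisories whose affected range covers a component present in the SBOM."""
    comps = components_by_name(sbom)
    findings = []
    for adv in advisories:
        comp = comps.get(adv["name"])
        if comp is None:
            continue
        if version_key(comp["version"]) < version_key(adv["affected_below"]):
            findings.append({
                "id": adv["id"],
                "purl": comp["purl"],
                "exploitable": adv["exploitable"],
                "justification": adv.get("justification", ""),
            })
    return findings


def release_record(old: dict[str, Any], new: dict[str, Any], advisories: list[dict[str, Any]]) -> dict[str, Any]:
    """The evidence a manufacturer would keep per release: what changed and why it matters."""
    before = {f["id"] for f in match_advisories(old, advisories)}
    after_findings = match_advisories(new, advisories)
    after = {f["id"] for f in after_findings}
    return {
        "product": new["metadata"]["component"]["name"],
        "from_version": old["metadata"]["component"]["version"],
        "to_version": new["metadata"]["component"]["version"],
        "component_changes": diff_sboms(old, new),
        "advisories_resolved": sorted(before - after),
        "advisories_introduced": sorted(after - before),
        "open_exploitable": sorted(f["id"] for f in after_findings if f["exploitable"]),
        "open_not_exploitable": sorted(f["id"] for f in after_findings if not f["exploitable"]),
    }


if __name__ == "__main__":
    print(json.dumps(release_record(SBOM_V1, SBOM_V2, ADVISORIES), indent=2))
```

For the constructed data the record shows libtls bumped to its fixed version and mqttc removed (resolving ADV-0001 and ADV-0003), a new otaclient component with no known advisory, and ADV-0002 still open but documented as not exploitable with a justification. That last line is the part that matters for a liability defense: an open advisory with a recorded, dated exploitability assessment is evidence of diligence, while an open advisory with no assessment is not.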
Conclusion
The updated European Union Product Liability Directive reflects the realities of a digital-first economy and the risks associated with emerging technologies. Businesses must view compliance not just as a regulatory requirement but as a strategic imperative to build trust and resilience. By adopting proactive measures like SBOM implementation, robust cybersecurity practices, and comprehensive risk management, organizations can navigate the directive's challenges and turn them into opportunities for innovation and growth.
If you’re looking for tools to simplify compliance with EU regulations, including SBOM management and vulnerability tracking, Interlynk offers solutions designed to ensure transparency and security while streamlining compliance processes. Contact us to learn how we can help you stay ahead of the curve.