What is the revised EU Product Liability Directive and when does it apply?

The revised EU Product Liability Directive (PLD) was formally adopted in November 2024 and published in the Official Journal of the EU on December 18, 2024. Member states have until December 9, 2026 to transpose it into national law. The revised Directive explicitly extends product liability to software and AI systems, a major departure from the 1985 original, which many courts interpreted as not covering software. Once transposed, a person who suffers damage because an AI system was defective can bring a strict liability claim without needing to prove the developer or deployer was negligent.

What does "strict liability" mean for AI systems under the PLD?

Under strict liability, the claimant does not need to prove the AI developer or deployer was careless or at fault. They only need to establish three things, that the AI system was defective (it did not provide the level of safety a person is entitled to expect), that they suffered damage, and that the defective AI caused the damage. This is a lower bar than negligence-based tort claims. The burden of proof assistance provisions in the revised PLD also help claimants by allowing courts to presume defect or causation in cases where a claimant faces excessive difficulty in proving those elements without access to the defendant's technical documentation.

Who is liable under the EU Product Liability Directive for AI damage?

The PLD's primary target is the manufacturer, the entity that places the product on the market. For AI systems, that typically means the AI developer. But the revised Directive also imposes liability on importers (entities that bring a product to the EU market), distributors who modify a product, and, critically, any person who makes a "substantial modification" to a product after it is placed on the market. An organization that takes an off-the-shelf AI model and fine-tunes it, integrates it into a new workflow, or combines it with proprietary data in ways that change how the AI behaves may be treated as a manufacturer for PLD purposes. Deployers who do not substantially modify the AI are generally not primary PLD defendants, but they may still face claims under national tort law or the proposed EU AI Liability Directive.

Does the EU Product Liability Directive apply to AI-as-a-service?

Yes, under the revised Directive, software delivered as a service (SaaS, API) counts as a product if it is distributed in the course of a commercial activity, even when no physical medium is involved and nothing is "placed on the market" in the physical sense. This was one of the most contested issues in the revision, and the final text resolves it by including digital manufacturing files and software delivered online within the definition of product. An AI system accessed via API, a chatbot accessed through a web interface, and AI features embedded in a SaaS product are all covered.

EU Product Liability Directive and AI: What…

Q: What damages can be claimed under the EU Product Liability Directive for AI damage?

The revised PLD covers death and personal injury (as before), but also property damage and, importantly for AI cases, destruction or corruption of data (where the data is not used exclusively for professional purposes) and medically recognized psychological harm. Economic loss alone (without accompanying physical or data damage) remains outside PLD scope and would need to be pursued under national tort law or, eventually, the AI Liability Directive.

EU Product Liability Directive and AI: What Deployers Must Know Before December 2026

The revised EU Product Liability Directive takes effect December 9, 2026, and treats software and AI systems as "products" subject to strict liability. AI deployers, not just developers, can face liability claims when AI outputs cause damage. What this means, who is exposed, and what governance controls reduce your risk.

EU legal documents representing the Product Liability Directive and AI regulation framework

TL;DR: The revised EU Product Liability Directive covers software and AI systems as "products" subject to strict liability. Transposition deadline for EU member states is December 9, 2026. AI deployers who substantially modify or integrate AI into their services can be treated as manufacturers and bear primary liability. No fault-proof needed, claimants only need to show the AI was defective and caused damage.

December 9, 2026 is the transposition deadline for the revised EU Product Liability Directive (PLD). After that date, every EU member state must have incorporated the Directive into national law, making it directly actionable. For AI deployers, the significance is straightforward but often missed in compliance planning: for the first time, software and AI systems are explicitly treated as "products," and the full force of strict product liability, developed over 40 years of consumer protection law, now applies to them.

This guide explains what the PLD's extension to AI means, who bears liability in the AI supply chain, and what governance controls reduce your exposure.

What changed from the 1985 Directive

The original EU Product Liability Directive was adopted in 1985, before the commercial internet existed. It applied to tangible goods, cars, pharmaceuticals, industrial machinery. Software was never explicitly covered, and European courts in different member states reached inconsistent conclusions about whether software counted as a product.

The revised Directive, formally adopted in November 2024 and published in the Official Journal on December 18, 2024, resolves this ambiguity: software is a product, regardless of whether it is embedded in hardware or delivered online. The revision was specifically designed to address AI.

The key changes:

Software and AI explicitly covered. Any software, including AI systems, models, algorithms, and digital manufacturing files, is a product for PLD purposes when distributed in the course of a commercial activity. This includes SaaS delivery, software accessed via API or browser without a physical medium.

Strict liability, not fault-based. The claimant does not need to prove the developer or deployer was negligent. They need to prove the product was defective, that they suffered damage, and that the defect caused the damage. This is the same standard that applies to a car manufacturer whose brake system fails.

New damage categories. The revised Directive adds destruction or corruption of data (not used exclusively for professional purposes) and medically recognized psychological harm to the categories of compensable damage, alongside the existing death, personal injury, and property damage.

Burden of proof assistance. Courts may now presume defect or causation where a claimant faces excessive difficulty in proving those elements due to technical complexity or asymmetric access to information. This is directly targeted at AI cases where the claimant cannot reverse-engineer the model to prove what caused a particular output.

Disclosure obligations. Defendants must disclose relevant evidence, including technical documentation about how the AI system was designed, tested, and monitored, as part of litigation. AI companies can no longer shield model documentation as trade secrets in cases where that documentation is necessary to establish whether a defect existed.

What makes an AI system "defective"

The core test for PLD liability is whether the AI system provides the level of safety a person is entitled to expect. This is an objective standard that courts assess by looking at:

How the product was presented to users and what it was marketed to do
The reasonably foreseeable use of the product
The time at which the product was placed on the market

For AI systems, this translates into several practical questions: Did the AI system perform the function it was marketed for, with the accuracy and reliability a reasonable user would expect? Were foreseeable failure modes addressed in the design? Were users warned about limitations that could lead to damage if ignored?

An AI diagnostic tool that generates incorrect clinical recommendations, an AI hiring filter that systematically misclassifies candidates, an AI credit-scoring model that generates racially biased scores, or an AI chatbot that gives incorrect legal or medical advice, any of these could constitute a defective product under the revised PLD if the damage results from a failure to meet the expected safety level.

The "state of the art" defense remains available: a manufacturer is not liable if it proves the defect was unknowable given the state of scientific and technical knowledge at the time the product was placed on the market. But this defense is narrower for AI than for physical goods, because AI systems are typically updated post-release. An AI defect that was knowable but not addressed in a model update is unlikely to succeed with a state-of-the-art defense.

Legal scales representing product liability standards and the burden of proof for AI system defects

Who is liable in the AI supply chain

The PLD's liability framework follows the product supply chain. For AI, that chain typically runs: foundation model developer → API provider → integrator/deployer → end user. The Directive assigns liability at multiple points.

AI developer (manufacturer). The entity that develops and places the AI system on the market is the primary defendant. For foundation model developers (major AI companies), this means their models are subject to PLD strict liability in EU deployments. They will argue that a customer's modification or integration, not the base model, caused the defect. That argument may succeed, but it does not eliminate their exposure as the original manufacturer.

Importers. Any entity that imports an AI system from outside the EU to place on the EU market is treated as a manufacturer for PLD purposes. A US-headquartered AI company that sells into the EU is typically not the "importer", it places the product on the EU market directly. But a European company that resells or redistributes a non-EU AI product may be.

Substantial modifiers. This is the most significant change for AI deployers. Any entity that makes a "substantial modification" to a product after it has been placed on the market, and those modifications create or increase a risk above the original product's risk level, is treated as a new manufacturer and bears primary PLD liability for damage attributable to that modification.

For AI, substantial modification likely includes:

Fine-tuning a base model on proprietary data that changes its behavior
Integrating an AI model with other data sources in ways that affect its outputs
Deploying an AI model in a context significantly outside its intended use case
Removing or disabling safety guardrails included by the original developer
Combining multiple AI components into a new AI-driven workflow

An organization that takes a general-purpose language model, fine-tunes it on internal documents, and deploys it as a customer-facing AI assistant has almost certainly made a substantial modification. That organization may be the primary PLD defendant, not the foundation model developer, for damage caused by the fine-tuned model.

Distributors who do not substantially modify the AI remain outside PLD primary liability, but must cooperate in claims by identifying the manufacturer or importer within one month of a request.

EU PLD versus EU AI Liability Directive

The revised PLD and the proposed EU AI Liability Directive (AILD) address related but distinct legal problems.

The PLD is strict liability for defective products. No fault required. Covers physical injury, property damage, data damage, and psychological harm. Targets manufacturers and substantial modifiers.

The AI Liability Directive, still at proposal stage as of mid-2026, focuses on fault-based claims, negligence by AI providers and users. It would make it easier for claimants to prove fault-based claims against AI operators by allowing courts to presume causation in negligence cases where the AI provider violated an EU law obligation (such as EU AI Act requirements) and where there is a plausible causal link between the violation and the damage.

The two instruments are designed to complement each other. The PLD handles strict liability for defective products. The AILD handles negligence claims against AI operators who violated applicable rules. Together they close most of the gap between AI damage and available remedies.

For now, with the AILD not yet final, the PLD is the operative strict liability instrument for AI damage in the EU.

What this means for AI deployers

Audit your AI integrations for substantial modification. For each AI system your organization deploys, assess whether your customization, fine-tuning, or integration activity constitutes a substantial modification. If it does, you may be the primary PLD defendant for damage caused by that AI. Your vendor indemnification protections may not cover PLD claims against you as a manufacturer.

Review vendor contracts. AI vendor contracts typically limit vendor liability and require deployers to indemnify the vendor for claims arising from the deployer's use. Those provisions may be negotiated against a background assumption that the deployer is not a PLD manufacturer. Re-examine those allocations. The AI vendor contract redline template includes provisions for PLD liability allocation that standard vendor agreements do not address.

Maintain technical documentation. The revised PLD's disclosure obligations mean that in litigation, your technical documentation about how the AI was designed, tested, monitored, and updated will be discoverable. Courts may also require you to disclose whether you performed conformity assessments, how you assessed foreseeable misuse, and what post-deployment monitoring you conducted. Maintaining contemporaneous documentation is both a compliance requirement (under the EU AI Act for high-risk AI) and a litigation defense.

Implement post-deployment monitoring. The "state of the art" defense is weaker for AI systems that are updated post-deployment, because defects that emerge after release are attributable to the current maintainer, not the original developer. Monitoring for unexpected model behavior, documenting when issues are identified and addressed, and maintaining incident records are defensive practices that also demonstrate good governance.

Assess product liability insurance. Standard professional indemnity and cyber liability insurance may not cover PLD strict liability claims for AI-generated damage. If your organization deploys AI in contexts where physical harm, property damage, or data damage to end users is a foreseeable risk, confirm with your insurer that your coverage extends to PLD claims.

Timeline

The revised PLD has been in force since December 18, 2024 (date of publication in the Official Journal). Member states must transpose it into national law by December 9, 2026. After that date, national courts apply the Directive's rules to claims involving AI-caused damage.

For AI deployers, December 9, 2026 is the date by which your governance framework should reflect the PLD's requirements. In practice, if an incident occurs in January 2027 and litigation follows, your documentation posture, vendor contracts, and monitoring practices as they existed in December 2026 will matter.

The AI regulation deadline calendar at AI regulation deadline calendar 2026 tracks both the PLD transposition deadline and EU AI Act milestones in one place.

Connection to the EU AI Act

The EU AI Act and the revised PLD are separate legal instruments, but they interact. EU AI Act compliance for high-risk AI systems requires many of the same documentation and monitoring practices that reduce PLD exposure: technical documentation (Annex IV), conformity assessments, post-market monitoring systems, and incident reporting.

For teams working through EU AI Act compliance, the governance work you are doing for Annex IV documentation and post-market monitoring is also building your PLD defense posture. The two frameworks reinforce each other, and a single governance programme can satisfy the documentation and oversight requirements of both.

See EU AI Act GPAI codes of conduct 2026 for the AI Act compliance picture and agentic AI liability, who is responsible when AI causes harm for the broader liability allocation question across AI supply chains.