The new EU Product Liability Directive (2024/2853) vs Automotive Industry: Challenges and Opportunities

With the revised Product Liability Directive, which was published on 18.11.2024 and comes into force on 9.12.2024, the European Union has presented an ambitious set of regulations that will significantly change the requirements for manufacturers and suppliers in the automotive industry. From software updates, digital services, drones, smart home systems and AI systems to cybersecurity issues, the directive will directly and indirectly affect many aspects of modern vehicle technology. The following section will attempt to shed some light on the specific effects on the industry.

Philipp Veronesi

The updated Product Liability Directive (EU) 2024/2853 (published on November 18, 2024) repeals and replaces the Product Liability Directive 85/374/EEC, which has been in force since 1985. It sounds like a bureaucratic process, but it is highly interesting, as the directive was and still is considered a milestone in consumer rights. Which brings us to an important detail: The directive addresses the protection of private individuals; a car manufacturer cannot apply it to cooperation with suppliers, for example.

What is the EU Product Liability Directive about?

The aim of the directive is to create a clear legal framework within the EU internal market for the liability of economic operators towards consumers and natural persons for defective products. In simple terms, this means that all actors involved in the production process, reaching back as far as the development stage, are liable if an end product is defective or causes damage.

Safety as a critical aspect of the EU Product Liability Directive

The definition of what counts as a defective product directly affects the area of safety. A product must offer the safety that a consumer can legitimately expect, taking into account the intended purpose, the product characteristics and the specified safety requirements. This is where it becomes directly relevant, as the updated directive states, among other things:

It can also be determined that a product is defective due to its cybersecurity vulnerabilities, for example if the product does not meet the security-relevant cybersecurity requirements.

It was precisely these technological developments and the digitalization of products – especially with regard to software and software updates – that were the starting point for product liability to receive an “update”.

The automotive industry in the focus of EU product liability

The new directive therefore expands the term “product” and explicitly includes software, AI, operating systems (and more). This means that software updates and AI-supported systems in vehicles are also covered by product liability.

Specifically, the directive considers cybersecurity flaws to be potential product defects – a significant step, especially in view of the increasing connectivity and autonomization of vehicles.

The liability chain will be extended considerably: Not only manufacturers, but also importers, fulfillment service providers and retailers can be held liable.

At the same time, the directive facilitates access to evidence for injured parties and explicitly recognizes data loss as recoverable damage.

These changes, combined with the abolition of maximum liability limits and retroactive liability for software updates, pose massive challenges for vehicle and car manufacturers and their suppliers (among many other industries).

Usually completely underestimated in its scope: the role of software updates

With regard to software updates (UN R156 and ISO 24089 should be mentioned here in passing), it is important to be aware of the following: While in the past it was largely sufficient for manufacturers that a product was safe at the time of market launch, this is now changing, particularly due to software and the need for software updates.

If a product becomes unsafe over time, the manufacturer can be held specifically liable. After all, software updates could have been used to check for faults. Software upgrades, i.e. significant changes to the product, or learning systems (also in relation to AI) must also always be assessed as “new”, so an overall assessment of vulnerabilities and attackability is required here.

Even if a third party exploits vulnerabilities in the cybersecurity of a product, the following applies: Liability is not reduced by such actions by third parties.

At the same time, it should be noted: If a software update or upgrade makes a significant change to the product, this is interpreted by the directive in such a way that the product is considered “new” again at the time of the actual change.

Good for end customers: Strengthening consumer protection and safety needs

The Product Liability Directive promotes a stronger focus on security and data protection within vehicle development. Recognizing data loss as a liability issue forces companies to implement robust cybersecurity measures. ISO/SAE 21434 and other standards will be deeply integrated into development and production processes to better protect connected vehicles from cyberattacks.

The extended disclosure obligations of manufacturers also strengthen consumer protection. The requirements for the disclosure of information and the associated burden of proof have changed compared to the old directive in that more responsibility now lies with the manufacturer. This makes it easier for the consumer to provide evidence; especially in the case of highly complex products, this is intended to counteract the information asymmetry between consumer and manufacturer.

Injured parties can assert claims for damages more easily, which should strengthen confidence in new technologies in the long term.

Harmonization with international standards such as UN R155 and R156 also provides clearer guidance for manufacturers, suppliers and regulatory authorities.

The need for clean and complete documentation follows clearly from this. If disclosure becomes necessary, inadequate documentation or insufficient reviews of security concepts can quickly backfire. Apart from questions of guilt in specific individual cases, there is then also the risk of serious damage to the company’s image.

Challenge: Additional effort and barriers to innovation?

The downside of this development is the immense effort that companies will have to make. The requirements for documentation, safety checks and tests will increase significantly. Complete traceability is essential, especially for software updates and self-learning systems that can develop new functions after market launch. (See also RXSWIN in accordance with UN R156.) This not only increases development and administration costs, but also the complexity of supply chain management.

Smaller companies and third-party providers could be deterred by the high barriers to market entry.

At the same time, extended liability will lead to higher insurance premiums and more intense competition for cyber security experts. This could put European companies at a disadvantage in international comparison, as regions such as the USA or China have less restrictive product liability laws. Particularly in times when a shift in regulatory efforts and deregulation can be observed worldwide, the overarching question of price vs. quality will have to be discussed anew, especially in the cost-driven automotive sector.

Significance for the automotive industry

The new directive means far-reaching changes for manufacturers and suppliers. The introduction of cyber security management systems (CSMS) and stricter internal audits will be unavoidable. In future, over-the-air updates must not only be functional, but also legally compliant, which requires additional security protocols and rollback mechanisms.

Cooperation along the supply chain is becoming more important than ever in order to meet safety and approval requirements. At the same time, unlimited liability increases the pressure on companies to develop long-term strategies for risk management (NIS-2 should be mentioned here) and insurance cover.

Another aspect is the potential slowdown in the development of electric vehicles and autonomous vehicles. Stricter test procedures and validation processes for self-learning systems could delay the introduction of innovative technologies.

At the same time, a passage on the “state of the art”, which has also been included in the directive, is of particular importance for economic operators:

In the interests of fair risk-sharing, economic operators should be exempt from liability if they prove that the defect could not have been detected in the light of the state of the art in science and technology – based on the most recent objective knowledge available and not on the actual knowledge of the economic operator concerned – during the period in which the product was under the control of the producer.

The application of (otherwise non-mandatory!) industry standards such as ISO/SAE 21434 (and ISO 26262 and others) is likely to become all the more important here, as these always reflect the “state of the art” and serve as evidence in court in case of doubt.

In this context, raising awareness and building skills in the field of vehicle security is of concrete importance, especially with regard to the provision of appropriate proof of qualification, e.g. through automotive cybersecurity certifications.

Outlook: New opportunities for the automotive industry through the EU Product Liability Directive?

Despite all the challenges, the new Product Liability Directive also offers opportunities. It promotes investment in cyber security, strengthens data protection and increases consumer confidence in modern technologies. (This would be an immensely important step forward, especially in the automotive industry.)

Companies that respond to the new requirements at an early stage and develop innovative solutions can secure competitive advantages.

In the long term, the harmonization of standards and the strengthening of norms such as ISO 24089 could raise the automotive industry to a new level of safety. In addition, the need for international cooperation on safety and liability issues could bring the industry closer together and make global supply chains more sustainable.

The future of the automotive industry depends crucially on how flexibly and innovatively companies respond to the new requirements.

One thing is clear: the EU Product Liability Directive marks a turning point in vehicle development – towards greater safety, transparency and responsibility.
