European Union member states have until December 9, 2026, to implement a new Product Liability Directive into law. The Directive is a complete overhaul of the EU's current product liability regime with, among other things, an expanded definition of “product” which will impact companies at every step of the supply chain. The definition includes software sold as a standalone product or integrated into other products and clearly includes AI systems.

This means more potentially liable parties – manufacturers, importers, authorized representatives, fulfilment service providers, and “any person who substantially modifies a product outside of the manufacturer’s control." It also means an expanded definition of product defect, to include labeling, design, and technical characteristics, interactions with other products, and compliance with safety requirements (including cybersecurity). Indeed, a product can be considered defective if it has cybersecurity vulnerabilities that compromise its safety.

These same issues are currently the subject of a vigorous, high stakes debate both in legal academia and in the courts here in the United States. Whereas in many instances EU product liability law has historically evolved to follow US principles, the question now is will US law adopt some or all of the principles found in the new Product Liability Directive. Stay tuned.