Software Just Became a Product. That Changes Everything.
For decades, software occupied a legal gray zone. The EU adopted Directive 2024/2853 on October 23, 2024: software is a product. SaaS is a product. AI systems are products. And products that cause harm trigger strict liability.
What Changed from 1985
| Aspect | 1985 Directive | 2024 Directive |
|---|---|---|
| Software status | Unclear/debated | Explicitly a "product" |
| AI systems | Not addressed | Explicitly covered |
| SaaS delivery | Not contemplated | Covered regardless of delivery method |
| Data damage | Not covered | Compensable damage type |
| Psychological harm | Limited | Medically recognized harm covered |
| Updates/patches | Not addressed | Manufacturer remains liable |
| AI learning | Not addressed | Defects from learning covered |
The New Definition of "Product"
Covered
| Category | Examples |
|---|---|
| Software | Operating systems, applications, firmware |
| AI systems | Machine learning models, automated decision systems |
| SaaS | Cloud-delivered software services |
| Embedded software | Software in physical products |
| Digital manufacturing files | 3D printing files, CNC instructions |
Not Covered
Free open-source software (non-commercial only), source code alone, media files, professional services.
Open-source nuance: FOSS is exempt only if developed and supplied outside commercial activity. Your commercial product built on open-source libraries is fully covered.
Who Pays: The "Manufacturer" Is Broader Than You Think
| Role | Who This Covers | Liability |
|---|---|---|
| Actual manufacturer | Company that developed the software | Primary |
| Brand manufacturer | Company that puts its name on the product | Primary |
| Importer | First EU operator for non-EU products | If manufacturer not in EU |
| Authorized representative | EU representative of non-EU manufacturer | Can be held liable |
If you build on another company's AI model (fine-tuning GPT, deploying Claude), you may be the "manufacturer" of the combined product. Foundation model: provider's responsibility. Your product using that model: your responsibility.
When Software Becomes "Defective"
A product is defective when it does not provide the safety the public is entitled to expect. For AI systems, defectiveness can arise from:
- Non-compliance with mandatory safety requirements: presumption of defectiveness
- Learning behavior: defects from machine learning after market placement
- Updates: defects introduced through software updates
- Lack of updates: failure to provide expected security updates
AI Act connection: AI Act non-compliance creates a presumption of defectiveness under the Product Liability Directive. Two liability regimes at once.
What Counts as "Damage" Now
| Damage Type | Coverage |
|---|---|
| Death or personal injury | Fully covered, no minimum threshold |
| Physical property damage | Covered (excludes defective product itself) |
| Data destruction/corruption | NEW: covered |
| Medically recognized psychological harm | NEW: covered if caused by defective product |
The Update Problem: Your Liability Never Freezes
| Scenario | Still In Control? |
|---|---|
| Customer installs your update | Yes |
| AI learns from user data you process | Yes |
| Customer modifies your software | No (control transferred) |
| Customer refuses security update | May reduce your liability |
For SaaS startups running continuous deployment, every release is a new product placement under the Directive. Your CI/CD pipeline is a liability pipeline too.
The Burden of Proof Shifted
| Situation | What Happens |
|---|---|
| Technical complexity | Defect may be presumed |
| Scientific impossibility | Causation may be presumed |
| Non-disclosure of evidence | Court may presume against you |
| Regulatory non-compliance | Defect presumption created |
Limitation Periods
| Period | Duration |
|---|---|
| General claim period | 3 years |
| Absolute cut-off | 10 years from market placement |
| Extended (latent injuries) | 25 years |
Practical Preparation Before December 2026
Insurance Review
Product liability insurance, professional indemnity, cyber insurance, and D&O coverage. Review now; premiums will increase.
Compliance Timeline
| Date | What Happens |
|---|---|
| December 9, 2024 | Directive enters into force |
| December 9, 2026 | Member state transposition deadline |
| December 9, 2036 | Commission review |
The Bottom Line
Software is no longer special. It is a product with product liability. Every update you ship, every model you deploy, every SaaS feature you release: it is a product now. Build accordingly.



