What changes on 9 December 2026

The revised EU Product Liability Directive, Directive (EU) 2024/2853, has to be written into each member state's national law by 9 December 2026, and it applies to products placed on the market or put into service after that date. The headline change for any owner who ships anything digital is the definition of a product. Software is now explicitly a product, whether it is embedded in a device, sold on its own, or delivered as a service. Firmware and AI systems fall inside the same scope.

The liability standard is no-fault, also called strict liability. In plain terms, a person who suffers harm has to show that the product was defective and that the defect caused the harm. They do not have to prove that your company was careless. That is a different and lower bar than most owners are used to, and it shifts the burden of avoiding the claim onto the maker before the product ever goes out the door.

Two details that catch digital businesses

Two specifics in the Directive deserve a slow read. First, the recoverable harm expressly includes the destruction or corruption of data that is not used for professional purposes. A failed update, a bad sync, or a corrupted backup that wipes a customer's personal files is now the kind of damage the regime is built to compensate, not an edge case you can wave away. Second, the Directive contemplates defects that arise as a product continues to learn or change after it is placed on the market, which is the everyday behaviour of an AI system that keeps training in production.

The third detail is the one that closes the usual escape route. You cannot contract out of this liability through your terms of service or an end-user agreement. A clause that disclaims responsibility for software defects or security faults does not hold against an injured person under this regime. The protection you may have leaned on in your standard terms is, for this purpose, off the table.

What to check in the next six months

National transpositions are not landing as one uniform text. A June 2026 member-state progress report found that a substantial number of countries had not yet taken meaningful public steps toward transposition with roughly six months left, and that the drafts which do exist diverge on points such as defences and thresholds. That means the law that actually applies to you may differ by the country where the harm occurs, so a single pan-European template is unlikely to be enough, and you will want to confirm the position market by market with a qualified adviser.

A practical starting list, to discuss with your own counsel rather than act on alone: inventory every piece of software, firmware, AI or SaaS your business places on the market; map which national laws apply to your customers; review your terms of service for disclaimers that will no longer bind; check what your product, professional indemnity and cyber insurance actually cover for data loss and AI behaviour; and tighten your records of testing, updates and post-deployment monitoring, because under a no-fault regime the evidence you can produce about a defect matters more than ever.