Security-by-Design is now a Legal Requirement in EU: New Rules in EU Product Liability Directive
Wishing everyone a Happy Diwali!
INTRODUCTION:
On 10 October 2024 the EU (European Union) gave final approval to a new PLD (Product Liability Directive) that has wide and deep implications for all digital systems in general and cybersecurity in particular. Other jurisdictions may follow suit, so it matters beyond the EU. The new PLD thoroughly defines product defect related liabilities and who carries them, and aims to bring product liability rules up to date for the digital age.
COMPLEMENTARY REGULATIONS:
The EU CRA (Cyber Resilience Act), given final approval in the same week, provides a comprehensive cybersecurity requirements framework for hardware and software products. To address cyber threats, the CRA stipulates mandatory requirements for the design, development, production, delivery and maintenance (including vulnerability handling and security updates over the support period) of products with digital elements placed on the EU market. Failure to comply with the CRA can attract fines of up to EUR 15 million or 2.5% of worldwide annual turnover, whichever is higher. Products are placed in risk categories (default, important and critical) that determine how strict the conformity assessment must be.
The EU NIS 2 Directive (in force since January 2023) addresses the security and resilience of the networks and systems used by entities that provide essential or important services, whereas the CRA focuses on the security and conformity of products with digital elements placed on the market. NIS2 aims to establish a high common baseline of cybersecurity across the EU.
The EU AI Act (2024) regulates AI through a risk-based approach: applications are assessed by the threat they pose to society and are treated accordingly. Breaches of the AI Act can result in penalties of up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher.
The overall consequence of the PLD and CRA taken together is that Security by Design has gained the status of a legal requirement; it is no longer just a best practice.
This article focuses on the new PLD (Product Liability Directive) which deals with liability for defects in products.
DEFINITION OF PRODUCT UNDER NEW PLD:
It is important to understand the new definition. Under the new PLD, all digital systems, including software are now deemed to be a “PRODUCT”, including all the following:
There is no legal relief for defects in AI systems on the ground that these systems are too complex. Typical arguments for AI's unusual complexity include continuous learning and unlearning, autonomous behaviour, lack of explainability, unpredictability and hallucinations.
Regardless of these arguments, AI systems and software, including updates and patches, now fall under the PRODUCT category, and their manufacturers are strictly liable for damage caused by defects in them. The directive even lists a product's ability to keep learning or acquiring new features after it is placed on the market as one of the circumstances to weigh when judging whether it is defective.
DEFECTS, LIABILITY AND BURDEN OF PROOF:
All defects (including security vulnerabilities) in any PRODUCT are now a direct liability of the manufacturer.
Under the new PLD a product is defective when it does not provide the safety a person is entitled to expect. That judgement takes in the product's presentation and characteristics (including packaging, documentation and instructions), its reasonably foreseeable use, the effect of software updates or of their absence, the product's ability to keep learning after release, its interaction with other products, and the cybersecurity requirements that apply to it.
The damage covered includes death and personal injury (including medically recognised harm to psychological health), damage to property, and the destruction or corruption of data (other than data used exclusively for professional purposes), together with the material losses, such as financial loss, that flow from them.
The new directive keeps the principle of strict, no-fault liability: the manufacturer is liable for damage caused by a defect in its product regardless of whether the defect resulted from its own fault or negligence. What changes is how much the injured party must prove, and for how long a claim can be brought. Under the old PLD the burden of proof was on the injured party, who had to prove the damage, the defect and the causal link between the two; for software, proving the defect was in practice often out of reach. The claim had to be made within 3 years of becoming aware of the damage, the defect and the identity of the liable party, and the producer's liability expired 10 years after the product was placed on the market.
In the new PLD the injured party still has to show the defect, the damage and the causal link between them, but legal presumptions now help establish the defect and the causal link. The 3-year limitation period is unchanged. The liability period remains 10 years from the product being placed on the market, starts again from the date of any substantial modification, and is extended to 25 years where a personal injury takes time to become apparent.
The burden of proof on the injured party is therefore considerably reduced, and the manufacturer is under an obligation to disclose relevant evidence in its possession when ordered to by a court. A defect is presumed where the manufacturer fails to disclose that evidence, where the product does not comply with mandatory product safety requirements intended to protect against the damage that occurred, or where the damage was caused by an obvious malfunction during reasonably foreseeable use. A causal link is presumed where the damage is of a kind typically consistent with the defect in question, and where proving the defect or the causal link would be excessively difficult for the injured party because of technical or scientific complexity, it is enough to show that the defect or the link is likely.
The deeper implication for software is that liability does not end at deployment. A manufacturer cannot rely on the defence that the defect did not exist when the product was released if the defect arises from software under its control, including updates and upgrades, or from a failure to supply the security updates needed to keep the product safe. Every security patch and update therefore carries its own potential liability, and so does every patch that is withheld.
EXTRA-CONTRACTUAL LIABILITY:
Previously, consumers and clients typically sought compensation through contractual remedies, backed for ordinary goods by the EU Sale of Goods Directive (2019/771) and for digital content and services by the Digital Content and Digital Services Directive (2019/770). The new PLD applies regardless of whether any contractual clauses exist: claims for compensation can be made without relying on a signed contract, and the liability cannot be limited or excluded by contract.
Regarding data, the PLD covers liability for material damage only, whereas the GDPR makes controllers and processors liable for both material and non-material damage. Material damage includes concrete, measurable loss or corruption of data, financial loss, and damage to property.
WHO IS HELD LIABLE?
The new PLD thoroughly defines the categories of liable "Economic Operators" for a product. These include the manufacturer of the product or of a defective component; the provider of a related service (a digital service integrated into or interconnected with the product without which it would not perform one of its functions, such as a cloud backend); the manufacturer's authorised representative for sales in the EU; the importer of the product into the EU; fulfilment service providers (who do not own the product but warehouse, package or dispatch it in the EU); distributors (both online and offline); and online platforms where they act in one of these roles or present themselves as doing so. Anyone who substantially modifies a product after it has been placed on the market is treated as its manufacturer.
Some exemptions from liability are available to economic operators, for example where the product had not yet been placed on the market, where it is probable that the defect did not exist when the product was placed on the market, or where the state of scientific and technical knowledge at that time was not such that the defect could be discovered. Separately, compensation for property damage excludes damage to the defective product itself.
These defences fail, however, where the defect is shown to be due to something within the manufacturer's control after release: a related service, software including updates and upgrades, the absence of updates or upgrades needed to maintain safety, or a substantial modification of the product.
CONCLUSIONS:
The new EU Product Liability Directive has serious implications (both immediate and long-term), not only for the now mandatory adoption of Security-by-Design and Privacy-by-Design (and Privacy-by-Default) in the development and deployment of products, but also for many other areas, such as:
responsible disclosure of product features, updates, patches, documentation and defects; incident response; cyber insurance; contracts; and the risks and liabilities that run across the supply chain.
Organizations will need to study the new definitions of Product and of Economic Operator under the new PLD, understand their liabilities, and review their responsibilities, offerings and processes thoroughly, including cross-border responsibilities.
#Cybersecurity #Privacy #EU #ProductLiabilityDirective #PLD #AI
Head, Center for AI/ML (formerly Center of Excellence in Analytics), Institute for Development and Research in Banking Technology (1 month ago):
Dr. Sriram Birudavolu garu, in my opinion, the concept of security-by-design is going to be fool-proof ONLY if data science (subsuming AI/ML) algorithms are deployed to analyze the traffic in real-time, alluding to the necessity of predictive analytics of the streaming data thereof.

Cyber Security Strategy Advisor | Mentor | Coach (1 month ago):
Excellent insights... time will tell how the product (an inclusive definition) vendors respond.

Senior Professor of Civil Engineering | Osmania University (2 months ago):
Very insightful.

Data Privacy Lead - ADANI Group | Ex-PwC | CIPPE, CISM, BS10012, ISO27001LA (2 months ago):
Very informative, neatly drafted. Thanks Dr. Sriram Birudavolu Sir.

Partner at Ernst & Young (2 months ago):
Very informative.