The European Union has passed a new law expanding the rules of product quality responsibility to cover digital products, including software and online platforms. This change is designed to make it easier for users to seek compensation for any damage caused by these products.
On October 10, 2024, the EU Council approved the Directive on Responsibility for defective products, now including digital products with the exception of open-source programs. Previously, the regulations only applied to physical objects and electricity.
Under the new rules, importers or EU manufacturer representatives are responsible for any damage caused by products imported from the EU. This responsibility also extends to online platforms, which will now be held to the same standards as other economic operators.
The law now covers operating systems, firmware, applications, and AI systems that can cause harm when used. This includes software accessed locally, through cloud technology, and SaAS models.
Victims seeking compensation will find it easier to access evidence from the manufacturer in court. If proving a defect and its association with damage is challenging, the court may require proof of the likelihood of these events. If a third party alters the product, then the responsibility for defects shifts to them.
The law also outlines procedures for compensating physical harm, property damage, and data loss, as long as restoration comes at a cost. However, data lost can only be compensated if restoration is not free.
The directive excludes data breaches, as these are governed by other regulations. Nevertheless, manufacturers are accountable for the cybersecurity of their products if they fail to meet safety requirements.
Hungary’s Minister of Justice, Benz Tusson, highlighted the benefits of the new law for consumers and manufacturers, providing clear guidelines for digital products and the circular economy models. The directive is already in effect, with EU countries given a two-year timeframe to implement it into national legislation.
On the same day, the EU also approved the Cyber Resilience Act, which tightens security requirements for IoT cameras, IP cameras, smart refrigerators, and robots.