
The EU Product Liability Directive and Threat Modeling
What is the EU Product Liability Directive?
The EU Product Liability Directive (EU) 2024/2853 establishes strict liability for producers of defective products, including software, so that consumers can claim compensation without having to prove fault.
It entered into force on 8th December 2024, but EU member states have until 9th December 2026 to implement it. The Directive will apply to products placed on the market after that 2026 date.
What software is impacted?
Manufacturers in the EU are directly liable for the following categories of software:
- AI models
- Embedded software
- End-user software
- SaaS applications
- Software accessed via network connections
- Software required to operate hardware
Who is considered a manufacturer of software?
The Directive states, “A developer or producer of software, including AI system providers within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council, should be treated as a manufacturer.” Information, however, is not covered: for example, digital files or the source code of software are not considered a ‘product’.
What about free or open source software?
“In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity…”
The Directive therefore only applies to software that is part of a commercial activity or that is supplied in exchange for a fee. However, if personal data collected by free software is used for anything other than improving the security, interoperability or similar aspects of the software, the Directive does apply.
Does this Directive apply to businesses inside of the EU only?
No, this affects companies selling into the EU as well, even if they are based outside of Europe.
Under the EU Product Liability Directive, manufacturers within the EU are directly liable for defects. For companies outside the EU, responsibility shifts to importers, authorized representatives, or fulfillment service providers. Liability waivers, such as disclaimers for software defects or security vulnerabilities, are no longer valid, making robust security practices essential across the supply chain.
Businesses selling into the EU, even if based elsewhere, must comply with the directive to mitigate legal and financial risks. This includes auditing third-party components and ensuring strict security standards to meet regulatory requirements. Importers and fulfillment providers must also ensure compliance when supplying software or software-driven products to the EU market.
What steps are recommended?
There are four crucial steps that organizations should aim to follow, both to comply with the Directive and to develop secure software:
- Evaluate liability exposure: Consult legal counsel to identify potential liabilities, including cybersecurity risks, even for unintentional sales within the EU.
- Enhance software update practices: Secure update mechanisms and assess distribution channels to prevent unauthorized modifications.
- Invest in advanced testing: Conduct "state of the art" testing for vulnerabilities, including penetration testing and automated scans.
- Implement comprehensive cybersecurity frameworks: Employ encryption, multifactor authentication, and secure SDLC practices. Regular code reviews, threat modeling, and developer training on secure coding should be integral to these frameworks.
How can threat modeling help with the Product Liability Directive?
There are several ways threat modeling can support compliance with the Directive, both by enhancing security and by improving software practices. Here is a selection of benefits:
- Identifies vulnerabilities before the software is in production - so products go to market without known weaknesses and vulnerabilities don’t become exploitable defects
- Enhances secure-by-design practices - integrating robust security from the design stage, which provides benefits across the entire SDLC and conforms with the Directive
- Strengthens the supply chain - threat modeling can evaluate the risk of third-party components and supports compliance across the entirety of the product ecosystem
- Provides an audit trail and record - useful for demonstrating the security controls that were implemented, including a full history of the evolution and improvement of each product
Conclusion
The EU Product Liability Directive is on its way. Threat modeling plays a crucial role in identifying vulnerabilities, enhancing secure development, and strengthening supply chain security. All of these relate back to the four steps identified above for achieving compliance and enhanced product security. Learn more about threat modeling here: https://www.iriusrisk.com/threat-modeling-platform.
References
- Dark Reading, “EU's New Product Liability Directive: Cybersecurity Impact” https://www.darkreading.com/cybersecurity-operations/eus-new-product-liability-directive-cybersecurity-impact
- European Parliament and Council, Directive (EU) 2024/2853 on liability for defective products (PE-7-2024-INIT) https://data.consilium.europa.eu/doc/document/PE-7-2024-INIT/en/pdf
- European Union, Regulation (EU) 2024/1689 http://data.europa.eu/eli/reg/2024/1689/oj
