Is the “Security by Design” mantra growing in the EU?
The EU Product Liability Directive, adopted by the European Parliament in March 2024 and published on 25 September 2024, extends product liability to software and AI. Its aim is to modernise liability rules for the digital age and support a circular economy: it reassesses who is liable for defective products and now explicitly covers AI systems and refurbished items.
This blog isn’t meant to cover everything coming to the EU over the next 24 months (more blogs on that to come!), but rather to highlight the upcoming changes that matter most for software development practices, quality in particular. These changes will affect everyone, not just those in the EU, because software development is a global industry. Development, testing and remediation processes will need to improve to reduce vendors’ exposure, and that improvement will be felt worldwide.
What does the EU Product Liability Directive include?
The directive keeps the no-fault (strict) liability regime for manufacturers, meaning they are liable for defective products regardless of negligence, and extends it to software. When assessing whether a product is defective, cyber security requirements now count, as does the availability (or absence) of software updates needed to keep the product safe. There is also specific wording on mixed-use property, such as a bring-your-own-device (BYOD) laptop or phone, so that an individual who is harmed in their personal life through a device they also use for work remains protected.
Free and open-source software developed or supplied outside the course of a commercial activity is excluded from the directive. However, where software is supplied in exchange for a price, or in exchange for personal data that is used for purposes other than certain narrowly defined ones, that supply is classified as a commercial activity and falls within scope. This is an interesting nuance and will be useful in the further protection of individual rights.
How does this impact digital services?
Section 17 covers the integration of digital services and how the absence of a service affects the performance of a product. The directive specifically gives examples such as the supply of traffic data to a navigation system, or a voice-assistant service that allows one or more products to be controlled with voice commands. All of these are now explicitly in scope.
The critical impact of supply chain failure has its own section, which calls on member states to enable individuals to obtain compensation through better informed and better empowered authorities or bodies.
What does this mean for individuals?
To support citizens in proving that a product was defective, the directive works to codify what it describes as the “significant disadvantage” created by an “asymmetry of information that can undermine the fair apportionment of risk” between vendor and consumer. It remains to be seen how much this helps individuals in practice, but it at least sets out to address the imbalance of power in that relationship.
Over time the implications will become clearer to software vendors and to anyone providing products across all regions. For now, I wanted to highlight that ‘secure by design’ as a method just became a lot more interesting.
As always, if you would like guidance, support or advice on how to build your digital strategy, our funded SCC Pathfinders are delivered by a team of experts to help you get started.
Written by Paul Allen, Practice Director | Cyber Services