The Hammurabi Codex, composed during the reign of Hammurabi, the sixth king of the Amorite First Dynasty of Babylon in the 18th Century BC, contains the earliest known examples of consumer protection laws. One example stands out: If a person's house collapses on top of them and they die, the codex states, the builder should also be put to death.
To the modern mind, this is extreme. Thankfully, nearly 4,000 years later, consumer protection laws have evolved. But one particular directive introduced by the EU in 2024 is going to have far-reaching implications for many software companies. Those that fall foul of the Product Liability Directive 2024/2853 (PLD 2024) can expect severe consequences, so it’s critical that organisations familiarise themselves with the directive now.
What is PLD 2024?
PLD 2024 replaces PLD 1985, a framework for dealing with defective products. PLD 1985 was intended to protect consumers who had bought any ‘product’, but there was a lack of clarity around whether software fell within the remit of the rules.
PLD 2024 puts an end to this confusion, as it explicitly covers software products. As the International Bar Association (IBA) explains, "software that is placed on the market or put into service, whether standalone or in combination with another product, will be subject to the liability regime". It will align liability law with EU regulations like the Cyber Resilience Act and the upcoming AI Act.
As a directive, PLD 2024 forms the basis for laws that have to be introduced into national legislation in each EU member state before 9 December 2026. Software companies that have a Compliance Officer or in-house Legal Counsel should already have PLD 2024 on their radar, but those that don’t must seek professional legal advice on the matter sooner rather than later.
PLD 2024 affects all software companies
Though there are limited exceptions for small enterprises, this legislation affects software companies of all sizes. All software, AI systems and digital services are covered by PLD 2024. Definitions of what is considered a 'defect' have tightened up since PLD 1985 and hinge on reasonable consumer expectations of safety from harms, including those caused by lax cybersecurity or faulty updates.
Data loss and psychological harm are compensable damages, and software companies accused of breaching PLD 2024 will be expected to disclose substantial documentary evidence of their approach to protecting their customers from product defects.
Although PLD 2024’s transposition deadline is 9 December 2026, any software on the market before that date may still fall under the new regime if it undergoes post-sale modifications (such as updates) that introduce a defect. And it isn't just EU firms that need to be aware of this directive. Non-EU companies are liable if they market or sell their product into the EU. As well as the originator of the software, liability has been extended to manufacturers, importers and even online marketplaces.
Potential impacts
Financial caps on damages under PLD 2024 have not been set, but companies may face substantial fines for injuries, property damage, or data loss caused by defective software. Claims against a company will mean legal fees, as well as the reputational damage that public disclosure of defects will cause. Any company seen as non-compliant may find itself excluded from marketplaces and dropped by its partners.
These consequences would be damaging for any company and pose a particular threat to small businesses. With a view to supporting small players, PLD 2024 states that "it should be possible for such enterprises to contractually agree with manufacturers that integrate their software into a product that the latter will not seek recourse from the software manufacturer in the event of a defective software component causing harm". So small companies do have some extra protections, but these will need to be agreed in contracts with their partners.
Selling a product that is below expectations will have negative consequences for a business anyway, even before PLD 2024 takes effect. But it’s only right that companies be held legally accountable for shipping bad or harmful software. The challenge lies not in the intent of the law, but how it will be applied.
Well-meaning legislation can produce mixed outcomes: GDPR’s strong privacy protections came with a heavy compliance burden – and some of the worst data practices continue largely unchanged. If PLD 2024 follows a similar path, with patchy enforcement or overly aggressive penalties, it could raise legal uncertainty, penalise responsible players, and make it harder to run a software business.
The good news is that PLD 2024 is more specific and better scoped than GDPR, which should reduce ambiguity and make compliance more predictable. I only hope the member states transposing PLD 2024 into their legislation do so with care not to damage the very industry they’re trying to improve.
How to prepare
The first step is to seek qualified legal advice. Businesses without in-house legal expertise should engage external counsel to understand how PLD 2024 applies to them. The directive introduces new definitions of defects and liability that may catch teams unaware, particularly in how they apply to software, updates, cybersecurity, and connected services. Legal support is critical to interpret the directive, and to assess contracts, supplier relationships, as well as how responsibility is distributed across the value chain.
Companies must look at their internal quality assurance (QA) processes. Testing is no longer just a technical task - under PLD 2024, it’s a form of risk mitigation and legal protection. A solid QA process ensures software defects are identified and corrected early, and that a clear audit trail exists. This documentation is essential to defend against any claims that arise. Companies must be able to show how the product was tested, what problems were found, how they were addressed, and when updates were issued. In effect, QA becomes part of the compliance function.
Security needs the same level of attention. The directive states that poor cybersecurity can render a product defective, especially if harm results from a failure to issue or apply necessary updates. There should be a documented process for monitoring vulnerabilities, developing and deploying patches, and tracking user adoption of updates. Firms should consider how long they maintain responsibility for software once it is released - particularly in systems that rely on continuous updates, cloud infrastructure, or machine learning.
Finally, companies must build a broader culture of compliance. This includes educating teams, tightening up documentation, and ensuring roles and responsibilities around safety and liability are clearly defined. It may also involve reviewing third-party components, supplier contracts, and distribution channels. If a claim is made, it’s not enough to argue good intentions - courts will expect to see clear policies and records that show how risks were managed in practice.
Software companies must prepare now
Even though the directive is called PLD 2024, the window for companies to prepare is still open. A new focus on QA and cybersecurity is table stakes, but developing longer-term plans to establish a culture of compliance is also a must.
While PLD 2024 may seem onerous, there is also an opportunity for companies to put trust at the centre of their relationship with customers and partners. Upholding the highest standards of compliance, cybersecurity and QA will help build a reputation that opens new doors. Those that take their responsibilities to customers seriously can play a leading part in creating a digital future where innovation thrives.