The New EU Product Liability from December 2026: What Online Retailers and Manufacturers Need to Know
On 9 December 2026 a new EU Product Liability Directive replaces Germany’s product liability act from 1989. It is the first fundamental modernisation in over 35 years – and it affects more than just classic manufacturers. Anyone who imports goods from outside the EU, who uses or offers fulfilment, who sells software or connected devices: for many online retailers the liability situation changes noticeably. This article explains what is new, who is affected and what you should check before the cut-off date.

When does what apply
Directive (EU) 2024/2853 entered into force on 8 December 2024. Member states must transpose it into national law by 9 December 2026. In Germany a government draft is in place (BT-Drs. 21/4297) to replace the existing product liability act; the parliamentary deliberations are ongoing.
Important in practice: the new rules apply to products placed on the market or put into service after 9 December 2026. For older products the previous law remains decisive. What matters, then, is the point at which a specific product first reaches the market.
What changes
Software and AI now count as products
The most important change is probably the broadened concept of a product. Until now product liability attached to movable goods. In future, software and AI systems are expressly covered too – regardless of whether the software is installed on a device, obtained from the cloud or operated as software-as-a-service. Firmware, operating systems, apps and digital components integrated into devices also fall under it. Manufacturers can thus be liable without fault for damage caused by defective digital products.
The concept of defect focuses on safety – including cybersecurity
Whether a product is defective will in future be measured not primarily by its fitness for use, but by the safety one is entitled to expect. What is new is that cybersecurity requirements expressly count here too. A product can therefore be deemed defective simply because a security vulnerability is exploited. Requirements from frameworks such as the Cyber Resilience Act can thus become liability-relevant at the same time.
More parties can be liable – this affects retailers directly
This is where it gets concrete for retail. The manufacturer can still be liable. If the manufacturer is based outside the EU, the importer is liable. What is new is that, beyond that, the manufacturer’s EU authorised representative and the fulfilment service provider can also be held liable. A fulfilment service provider is anyone who performs at least two services such as warehousing, packaging or shipping. And under certain conditions, distributors and operators of online platforms can be liable too.
In practice this means: anyone who imports goods from a non-EU country and resells them can stand in the front line as an importer – even if they did not manufacture the product themselves. If the manufacturer cannot be reached, the next party in the supply chain moves up. If you source from third countries anyway, it is worth looking in parallel at the customs-side changes we described in €3 customs duty from July 2026 – both topics hit the same group of retailers.
Liability is harder to exclude
The draft restricts the options for exemption. For digital products a manufacturer cannot argue that the defect arose only after the product was placed on the market, as long as it still has control over the product – for example because it can continue to provide updates or security patches. As long as this control exists, exemption remains largely excluded.
Burden of proof: much easier for claimants
Until now the injured person had to prove defect, damage and causation. In future, considerable easing of proof applies. On request, defendants must disclose safety-relevant information if a plausible claim is presented. If a company does not disclose the requested evidence, a product defect can be presumed. A presumption also applies if the damage arose during normal use from an obvious malfunction. For particularly complex technology, a court can even find liability where only a sufficient probability of defect or cause is presented. Trade secrets must be protected in the process, and disclosure must be limited to what is proportionate.
No more liability cap, data damage compensable
The previous liability ceiling and the deductible are abolished. Companies must therefore generally reckon with unlimited liability. In addition, for the first time the destruction or corruption of private data and the costs of restoring it become compensable. Digital risks – for instance from inadequate cybersecurity – thus expressly fall under the compensable damages.
Note: no-fault product liability is aimed primarily at the consumer sphere. Natural persons are entitled to claim; purely professionally used goods and data remain outside. For the B2B sphere the general liability rules continue to apply alongside.
Who is concretely affected?
Three typical constellations from online retail:
First, the retailer who sources electronics or gadgets directly from the Far East and sells them under their own name. They can be directly liable as an importer – one more reason to check suppliers and product documentation carefully.
Second, the seller who outsources their logistics or takes on fulfilment for third parties themselves. Fulfilment service providers newly enter the circle of possible liable parties.
Third, anyone who sells or develops software, apps or connected products. With the broadened concept of a product, the software itself becomes a liability-relevant product – including the duty to keep an eye on security vulnerabilities. Anyone using AI should think about this new liability topic together with the transparency obligations we explained in AI labelling from August 2026.
What you should do now
Four steps that pay off before the cut-off date:
- Clarify your role in the supply chain. Check whether you qualify as a manufacturer, importer, authorised representative, fulfilment service provider or distributor – your liability risk depends on it.
- Strengthen supplier and product documentation. Conformity records, safety information and proof of sourcing should be complete and findable. They are decisive in a dispute.
- Take cybersecurity and updates seriously. Especially for digital and connected products, post-sale maintenance becomes liability-relevant in future.
- Review your insurance cover. With the removal of the liability cap and the expanded types of damage, it is worth looking at existing product liability policies.
We have prepared related obligations in dedicated articles: on product safety in GPSR 2026: how Etsy and eBay sellers avoid listing suspensions, on packaging in PPWR from August 2026 and on protecting your accounts in Cybersecurity 2026 for the self-employed.
Documentation as your best ally
A common thread of the reform is the importance of clean records. The new disclosure duties and presumption rules essentially revolve around one question: in a dispute, can you trace and show where a product came from, who it went to, what safety information was supplied and what updates were provided? Those who can prove this completely stand much better – those who cannot risk a defect simply being presumed.
This is exactly where an orderly data basis helps. In PepperTools Cloud Office you keep customer, supplier and document data in one place: incoming and outgoing documents are linked traceably through the document flow, so the path from order to invoice can be traced seamlessly. Documents created are also archived in an audit-proof and immutable way on S3 object storage. This does not replace legal precaution, but it creates the traceable basis that will matter more for sourcing and supply chains in future – and which you need anyway for bookkeeping and the e-invoicing obligation.
Frequently asked questions (FAQ)
From when does the new product liability apply? To products placed on the market or put into service after 9 December 2026. For older products the previous law remains decisive.
Am I liable as a retailer even though I don’t manufacture anything? Possibly. If you import from a non-EU country, you can be liable as an importer. Fulfilment service providers and, in some circumstances, distributors and platform operators are also possible liable parties.
Does this really apply to software too? Yes. Software and AI systems are expressly products in future – regardless of whether they are installed, obtained from the cloud or operated as SaaS.
Is there still a liability cap? No. The previous ceiling and the deductible are abolished under the draft.
What changes about the burden of proof? Claimants are considerably relieved: through companies’ disclosure duties and statutory presumptions that can assume a product defect if evidence is not disclosed or an obvious malfunction is present.
Conclusion
The new EU product liability widens the circle of liable parties, brings in software and AI, tightens cybersecurity requirements and makes it easier for claimants to enforce claims – while the liability cap falls away at the same time. For online retailers the central question is not “whether” but “in what role” they are affected. Those who know their position in the supply chain, keep their documentation in order and take cybersecurity seriously can face the December 2026 cut-off date well prepared.
Sources
- EUR-Lex – Directive (EU) 2024/2853 on liability for defective products
- German Federal Ministry of Justice – Act to modernise product liability law
- EY Law – Overview of the reform of the new product liability rules
As of June 2026. This article serves general information and does not replace legal advice. The German transposition is still in the legislative process; details may change. For your specific case, please consult a lawyer.
Handle invoices more easily
Easy Invoice combines quotes, invoices and customer management in the cloud.
Try Easy Invoice