PRODUCT | Cybersecurity and Product Liability in Technology – Cross perspectives

For many years, product liability was about traditional products, and digitalization was not expressly considered in the applicable regulations. However, the risk associated with the expansion of smart, connected products, also known as the devices that make up the internet of things (IoT), was not zero. To reflect this, as our world has grown more and more connected and digitalized, product regulation has increasingly sought to address data and privacy concerns.

For nearly a decade, we've been monitoring these developments and helping our clients navigate an ever-growing and changing digitalized world. In 2018, when the General Data Protection Regulation (GDPR)¹ was about to come into effect, we anticipated that data and related cyber security issues were to become the “new” product liability in Europe, in particular for IoT devices.² By that time, the coexistence of two sets of regulations – product liability and product safety directives³, on the one hand, and data regulations, on the other hand – was raising lots of questions for the Tech industry, in particular for the producers of smart products. In many cases, IoT product developer were acting as both producers – of the product – and data controllers – of the data collected and processed by said product. Given this dual role, producers were left grappling with questions such as, which liability rules would apply in case of cyber-attacks or data breach? Could data processing and GDPR compliance become a new criterion of defect within the meaning of the applicable product liability and safety rules?

These questions were arising not just in Europe, but also the U.S., where regulators have been considering how to determine liability when IoT products suffered software defects or cybersecurity vulnerabilities. Since then, the IoT has greatly expanded and digitalization has shaped most of the products we use in our daily lives (watches, glasses, scales, health-related apps, to mention only a few), which now incorporate smart features and may process personal or even sensitive data. In light of the increased attack service resulting from the expanding IoT, cyber risk has also skyrocketed and globalized.

According to the 2024 report on the state of cybersecurity published by the European Union agency for cybersecurity, the cyber threat level to the EU between July 2023 and June 2024 was assessed at substantial, the three most common cyber attached being distributed denial-of-service (DDoS) attacks, ransomware and threats against data (e.g., data breaches or data leaks), which account for nearly 86% of the cyber threats.⁴ Another report found that “DDoS traffic volume increased 166% year over year (between June 2023 and June 2024). This growth has been fueled by the proliferation of insecure IoT devices.”⁵

As now formally acknowledged by the EU legislator, “Cybersecurity is one of the key challenges for the Union. The number and variety of connected devices will rise exponentially in the coming years. Cyberattacks represent a matter of public interest as they have a critical impact not only on the Union’s economy, but also on democracy as well as consumer safety and health”.⁶ In the U.S., the previous Chair of the Federal Communications Commission (FCC) warned that “this increased interconnection brings more than just convenience. It brings increased security risk. After all, every device connected to the internet is a point of entry for the kind of cyberattacks that can take our personal data and compromise our safety.”⁷ In addition to the FCC, other federal government agencies have also been vocal about the cyber threats and privacy risks posed by IoT devices.

Considering this context, the legislator started factoring the cyber-risk into its product-related pieces of legislation.

2024 was very prolific in the EU as key products law pieces of legislation specifically addressing cyber risks were either enacted and/or became applicable.

• On 8 December 2024, the revised Product Liability Directive (PLD) was adopted.⁸ Designed to make product liability rules "fit for the digital age"⁹ including for software, AI systems, and AI enabled goods, the PLD expressly tackle cyber risks. Cybersecurity requirements have become a relevant criterion to assess the defectiveness of a product.¹⁰ Besides, “destruction or corruption of data that are not used for professional purpose” would be a compensable damage.¹¹
• On 13 December 2024, the General Product Safety Regulation (GSPR), adopted on 10 May 2023, became applicable.¹² The GSPR also addresses cyber and AI-related risks, making of cybersecurity measures and AI features relevant aspects to assess the safety of a product.¹³

The Cyber Resilience Act (CRA), adopted on 23 October 2024, will be of the utmost relevance to products law when it becomes applicable,¹⁴ as it lays down harmonized cybersecurity requirements for products with digital elements, hardware and software. Compliance with requirements, which cover the full life cycle of these products, from their pre-marketing phase (design, development and production) to their post-marketing management (vulnerability handling processes),¹⁵ will be key in the assessment of a product safety and/or defectiveness. Other EU pieces of legislation, like the EU AI Act, which lays down requirements and obligations regarding specific uses of AI,¹⁶ will also impact the products law landscape.

In the last couple of years, we also saw U.S. developments in IoT cybersecurity. In 2024, the FCC unveiled its new, voluntary IoT labelling program. Wireless consumer IoT products will soon be able to seek to apply for an “Cyber Trust Mark” label, which will help assure customers that the product meets specified cybersecurity standards. The National Institute of Standards and Technology (NIST) also has a published guidance for companies on how to manage cyber risk, including guidance for IoT manufacturers. In addition, the Federal Trade Commission (FTC) issued recommendations for businesses on how to bolster the security of IoT devices—and has pursued enforcement action against IoT producers, including an IoT device seller who failed to “take reasonable software testing and remediation measures” to protect their products against “easily preventable software security flaws.”¹⁷

As for legislation, the Internet of Things Cybersecurity Improvement Act of 2020 established baseline security standards for IoT devices procured and used by the federal government. These requirements track the NIST guidance on secure development and management of IoT devices.

The significant reshape of the global product safety and liability landscapes have shed a light on cyber risks as emerging products law issues. The increased liability risks this has created for economic operators is accentuated by the fact that cross-border representative class actions based on the above-mentioned pieces of EU legislation can now be initiated against economic operators under the Representative Actions Directive.¹⁸

In addition, some of the questions that we had raised in 2018 remain fully relevant. For instance, how will the strict liability regime provided for in the PLD and the fault-based liability regime under the GDPR combine? This may give rise to fierce debates as Article 6 of the PLD suggests that “destruction or corruption of data” is a compensable damage while it is now clear that “the mere infringement of the [GDPR] is not sufficient to confer a right to compensation”.¹⁹

In addition, legislative efforts in the U.S., at the federal and state level, as well as agency activity from the FCC and FTC among others is expected to continue on this important issue.

• Make sure to have one strategy worldwide: a global, forward-looking, and coordinated approach is crucial to a successful defense (from both media and legal perspectives), especially in Tech, a globalized industry sector by nature.
• Record all your compliance steps in a clear and accessible manner: with the burden of proof being facilitated for claimants under the new PLD,²⁰ it is crucial that thorough and clear record of compliance with applicable regulations and standards be kept. Producers who sell in the U.S. will also want to be aware of the applicable NIST standards and document how their products meets these guidelines. Documenting how your company complies may serve as critical evidence to show that due diligence was exercised throughout the product’s lifecycle, and facilitate defense. If you rely on third-party components or data, especially for AI systems, keep clear records of suppliers, contracts, and quality assurances.
• Anticipate and define your crisis management strategy: set up a crisis unit and design a crisis roadmap (alert and emergency processes) to make sure that you will react promptly and in a standardized fashion in case you identify (potential) threats (notification/reporting obligations, corrective measures etc.) and that you will communicate wisely with the relevant stakeholders (regulators, media, potentially affected users etc.). Companies should also be aware of any data breach reporting obligations, whether to law enforcement, government regulators, or consumers themselves.