Chris Wysopal

npub1cd5g...r075
Co-founder/CTO Veracode. Former L0pht security researcher. Builds tools to find vulnerabilities in code at scale. Twitter: @weldpond
The EU Product Liability Directive will take effect Dec 2026. Software, firmware, applications, and AI systems will now be subject to the same strict liability regime as traditional physical goods. Cybersecurity vulnerabilities will be considered product defects. Analysis by Reed Smith LLP.
Thrilled to share my BlueHat keynote is now live! 🎤 "A Clash of Cultures Comes Together to Change Software" dives into how early hacker groups like the L0pht began collaborating with tech companies, reshaping software security. Watch here: #BlueHat #Cybersecurity #Infosec #Hackers
Software liability comes to the EU. The new EU liability law extends the definition of “defective products” to include software, holding manufacturers accountable for harm caused by software vulnerabilities. If a software flaw leads to damage, manufacturers can now be held liable, emphasizing the importance of security throughout the product lifecycle. This change encourages companies to prioritize cybersecurity measures and regular updates to protect consumers, shifting some risk from users to software providers. The law also allows easier access to evidence in legal claims, balancing the power dynamics between consumers and manufacturers. There is a carve-out for open source software. Importers and the EU representatives of foreign software can be held liable too.