Manufacturers Failing to Address Cybersecurity Vulnerabilities Liable Under New European Rules

The European Commission has publicized new liability rules on digital products and artificial intelligence (AI) in order to protect consumers from harm, including in cases where cybersecurity vulnerabilities are not addressed.

The two proposals the Commission adopted on September 28, 2022, will modernize the existing rules on the strict liability of manufacturers for defective products (from smart technology to pharmaceuticals).

Additionally, the Commission proposes – for the first time, it says – a targeted harmonization of national liability rules for AI, making it easier for victims of AI-related damage to get compensation. This will be adopted in line with the Commission’s 2021 AI Act proposal.

The liability rules allow compensation for damages when products like robots, drones or smart-home systems are made unsafe by software updates, AI or digital services that are needed to operate the product, as well as when manufacturers fail to address cybersecurity vulnerabilities.

Describing how the new rules shift the focus in such litigation, John Buyers, head of AI at Osborne Clarke, explained, “There's a very intentional interplay between the AI Act and the proposed new presumptions on liability, linking non-compliance with the EU's planned regulatory regime with increased exposure to damages actions.

“Instead of having to prove that the AI system caused the harm suffered, claimants that can prove non-compliance with the Act (or certain other regulatory requirements) will benefit from a presumption that their damages case is proven. The focus will then shift to the defendant to show that its system is not the cause of the harm suffered.”

However, one challenge Buyers points out is the need for claimants to get hold of the defendant's regulatory compliance documentation to inform their claims. This, he said, may add a tactical layer to how those technical documents are written.

The recent directives will need to be turned into national law. In addition, Buyers said that the AI Act is not expected to become law before late 2023, with a period for compliance after that, likely to be 2 years, although this is still being debated.
