EU's Direction Towards Secure Software Design: A "Secure by Design" Approach
Stefan Avgoustakis
Security Practice Lead | Google Cloud Customer Engineering | Cyber Security, Resilience, Compliance
Examining the New Product Liability Directive, alongside its implementation timeline, reveals the EU's strong push towards embedding security considerations into the very core of software design—a concept known as "secure by design." While the directive doesn't explicitly use this terminology, several provisions strongly suggest this approach is at the forefront of the EU's vision for software development in the future.
Expanding the Definition of Product and Defectiveness
Software as a Product: The directive significantly expands the definition of "product" to explicitly encompass standalone software, including AI systems. This change recognizes that software, whether operating independently or integrated into other products, plays a pivotal role in product safety and can potentially cause harm.
Cybersecurity Vulnerabilities as Defects: The criteria for assessing product defectiveness now include factors like compliance with "safety-relevant cybersecurity requirements" and whether the product can "continue to learn or acquire new features after it is placed on the market". This inclusion underscores the EU's increasing focus on the importance of cybersecurity and its impact on product safety throughout the entire product lifecycle.
Liability for Lack of Security Updates: The directive states that manufacturers cannot escape liability by simply claiming that a defect arose after the product was placed on the market. This principle applies particularly to situations where the defect stems from "a lack of software updates or upgrades necessary to maintain safety". The directive emphasizes manufacturers' responsibility to address vulnerabilities, especially in response to evolving cybersecurity threats, by providing necessary security updates.
These provisions collectively signify a significant shift in the EU's approach to software design and development. By explicitly considering software as a product and recognizing cybersecurity vulnerabilities as potential defects, the directive incentivizes manufacturers to prioritize security from the initial design phase. It implicitly promotes the concept of "security by design" by making manufacturers responsible for a product's security throughout its entire lifecycle, including post-market updates and upgrades.
Encouraging Proactive Security Measures
The directive's emphasis on the "state of the art" defense further reinforces this push towards proactive security measures. This defense allows manufacturers to avoid liability if they can prove that the product's defect could not have been detected based on the scientific and technical knowledge available at the time of production. However, this defense is subject to certain limitations and Member States can choose to omit it entirely.
The potential for Member States to exclude the "state of the art" defense for specific product categories incentivizes manufacturers to go beyond merely complying with the known state of the art. It encourages them to anticipate potential vulnerabilities, implement robust security measures, and continuously update their products to address evolving threats, even if those threats weren't foreseeable at the time of initial design.
Fostering a Culture of Security Awareness
The directive's focus on disclosure, along with its provisions for rebuttable presumptions of defectiveness, further supports the notion of promoting a culture of security awareness within the software industry.
By requiring manufacturers to disclose relevant evidence to claimants, the directive promotes transparency and accountability. This can encourage manufacturers to proactively identify and address security issues, knowing that they may be compelled to share information about their security practices during legal proceedings.
The rebuttable presumptions of defectiveness, particularly in cases where the product doesn't comply with mandatory safety requirements or exhibits obvious malfunctions, further underscore the EU's commitment to holding manufacturers accountable for security flaws. These provisions provide a strong incentive for manufacturers to prioritize compliance with relevant security standards and address potential vulnerabilities, knowing that a failure to do so could significantly weaken their legal position.
Conclusion
The New Product Liability Directive marks a significant development in the EU's approach to product safety, particularly regarding software. By extending the scope of the directive to software, recognizing cybersecurity vulnerabilities as potential defects, and emphasizing continuous security updates, the directive implicitly promotes a "secure by design" philosophy. This philosophy encourages manufacturers to integrate security considerations throughout the entire software development process, from initial design to post-market maintenance.
While the directive doesn't mandate specific security measures or explicitly use the term "secure by design," its overall approach clearly reflects a desire to foster a more proactive and security-conscious approach within the software industry. The directive's provisions, coupled with its implementation timeline, suggest that the EU is actively steering the market towards software products and services designed with security as a core principle rather than an afterthought.