InfoSec Opinion Column #7 (July 14, 2025)
Consider it the Axios of what matters in cybersecurity. Or the Hacker News comments section, depending on the day. All hand-curated, no AI involved. This week: cybersecurity liability in the EU.
What: The new EU Product Liability Directive: Implications for software, digital products, and cybersecurity
Why it matters: This is a major shift in how software developers can be held legally responsible for security problems in the software they sell in the EU.
tl;dr:
- "The PLD explicitly includes software, AI, and digital services within the definition of “products” subject to strict liability."
- "Non-compliance with cybersecurity requirements or failure to provide security updates can constitute a product defect."
- "Companies cannot contractually exclude or limit their liability for software or cybersecurity defects."
Matt's view: If they're not already, I suspect companies like Meta and OpenAI will be lobbying furiously for the repeal of this directive. Conceptually, I do think that something like the PLD was inevitable in our software-driven world. That said, the devil is in the details here: what happens with open-source software maintained by a single developer in their spare time? What about predictive algorithms that by definition will never be correct 100% of the time? I suspect (1) there will be a number of exploratory lawsuits as this comes into effect, and (2) the PSIRT function will become more and more critical for SaaS vendors.